[noise] Thoughts on semi-deterministic encryption

Tony Arcieri bascule at gmail.com
Tue Aug 26 12:28:39 PDT 2014


If you want a deterministic nonce, why not use a counter instead of SIV?


On Tue, Aug 26, 2014 at 11:10 AM, Jonathan Moore <moore at eds.org> wrote:

> Hello all, coming out of lurk mode.
>
> I have been thinking about how to more safely use ciphers in environments
> where one does not know for sure that they have a good source of entropy.
> A simple approach is to not use any; for instance, just use the hash of
> the clear text as the IV of a message when using a stream cipher. Ex:
>
>   nonce = hmac( key, message )
>   box( nonce, key, message )
>
>
> This has the obvious downside of losing semantic security. To improve on
> this we could mix a source of supposed entropy with a deterministic
> approach. To extend the above example:
>
>   nonce = hmac( key, hmac( possiblyRand(), message )  )
>   box( nonce, key, message )
>
> It would seem that if possiblyRand() turns out to be predictable the only
> thing we have lost is semantic security and not confidentiality. This seems
> like a nice property to have.
>
> Questions for those interested:
>   1. Am I missing anything important that means this is a bad idea?
>   2. Does this have the claimed properties?
>   3. Is there a better mixing function than hmac?
>
> -Jonathan
>


-- 
Tony Arcieri
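An added example (not code from this thread) that implements both nonce derivations from the quoted post, `hmac(key, message)` and `hmac(key, hmac(possiblyRand(), message))`, on top of a toy HMAC-SHA256 counter-mode keystream standing in for `box()`, and measures what a broken entropy source costs: with the mixed scheme a repeated message yields a repeated ciphertext (the semantic-security loss), but two different messages never share a keystream, whereas taking the nonce straight from the broken source repeats the keystream across messages. The 16-byte nonce truncation and the zero-returning `broken_rand()` are assumptions made for the demo.

```python
import hmac
import hashlib
import os

# Toy stand-in for the post's box(): HMAC-SHA256 in counter mode as a keystream,
# XORed onto the message. Constructed for illustration only, not a real cipher.
def box(nonce: bytes, key: bytes, message: bytes) -> bytes:
    ks = b""
    for i in range((len(message) + 31) // 32):
        ks += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(m ^ k for m, k in zip(message, ks))

# Scheme 1 from the post: nonce = hmac(key, message), truncated to 16 bytes (assumed).
def nonce_deterministic(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()[:16]

# Scheme 2 from the post: nonce = hmac(key, hmac(possiblyRand(), message)).
def nonce_mixed(key: bytes, possibly_rand: bytes, message: bytes) -> bytes:
    inner = hmac.new(possibly_rand, message, hashlib.sha256).digest()
    return hmac.new(key, inner, hashlib.sha256).digest()[:16]

# Two stand-ins for possiblyRand(): a good source and a broken one (always zeros).
def good_rand() -> bytes:
    return os.urandom(16)

def broken_rand() -> bytes:
    return bytes(16)

def encrypt_mixed(key: bytes, rand_source, message: bytes):
    nonce = nonce_mixed(key, rand_source(), message)
    return nonce, box(nonce, key, message)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# True when encrypting one message twice gives identical output: the equality leak
# (loss of semantic security) the post accepts when possiblyRand() is predictable.
def same_message_twice_leaks(key: bytes, rand_source, message: bytes) -> bool:
    return encrypt_mixed(key, rand_source, message) == encrypt_mixed(key, rand_source, message)

# True when two different equal-length messages were covered by the same keystream,
# detectable as c1 XOR c2 == m1 XOR m2: the confidentiality loss nonce reuse causes.
def keystream_reused(key: bytes, rand_source, m1: bytes, m2: bytes) -> bool:
    _, c1 = encrypt_mixed(key, rand_source, m1)
    _, c2 = encrypt_mixed(key, rand_source, m2)
    return xor(c1, c2) == xor(m1, m2)

# Baseline for comparison: nonce taken directly from the entropy source.
def naive_random_nonce_reused(key: bytes, rand_source, m1: bytes, m2: bytes) -> bool:
    return xor(box(rand_source(), key, m1), box(rand_source(), key, m2)) == xor(m1, m2)
```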