[noise] Thoughts on semi-deterministic encryption

Jonathan Moore moore at eds.org
Tue Aug 26 13:35:31 PDT 2014


On Tue, Aug 26, 2014 at 1:13 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Tuesday, August 26, 2014, Jonathan Moore <moore at eds.org> wrote:
>
>> I am but I still need to encrypt the documents.
>>
>
> In past capability-based systems I've made that work like this[1] (where I
> don't want them to be content addressable) I've used a random nonce.
>

This is what I currently do.


> If you're worried about nonce repetition due to a bad RNG, you can use
> something like the current time for part of the nonce in addition to RNG.
> That's cheaper than computing a content or ciphertext hash.
>

I considered this approach, and yes it is cheaper, but it does not have the
same properties. If I am correct, with my proposal, in the worst case it
loses only semantic security. Just mixing in the time still has failure
cases of nonce reuse.

My goal in the conversation is to discuss the solution space of removing
strong random requirements from cryptosystems. I do have a project, with
working code, where I might apply some of this; but right now I am just
thinking about general solutions to the practical issues of low entropy.

I don't think these are just wanky considerations. We have seen that embedded
systems and VMs often boot up in an initial state where there may not be a
reliable time source or much entropy.

I do agree that in many cases your suggestions will be more efficient but
think that the approach I have outlined is an interesting line of thought.

-Jonathan
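An added illustration of the failure modes compared in this exchange (example code written for this archive page, not from either poster's project). It assumes a content-bound nonce built as HMAC(key, random || plaintext), which is my reading of "a content or ciphertext hash" in the nonce, and simulates a dead RNG plus a frozen clock to show which scheme still reuses a nonce across different plaintexts.

```python
import hashlib
import hmac
import os
import time

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM / ChaCha20-Poly1305 expect


def nonce_random_plus_time(rng, clock):
    """Random bytes mixed with the current time (the cheaper suggestion).
    rng(n) returns n bytes; clock() returns an integer timestamp."""
    seed = rng(8) + clock().to_bytes(8, "big")
    return hashlib.sha256(seed).digest()[:NONCE_LEN]


def nonce_semi_deterministic(key, rng, plaintext):
    """Random bytes mixed with a keyed hash of the plaintext (assumed scheme).
    The key keeps the public nonce from acting as a guessable content hash.
    If the RNG fails completely, only *equal* plaintexts share a nonce:
    the loss is semantic security (equality leaks), not nonce reuse across
    different messages."""
    return hmac.new(key, rng(8) + plaintext, hashlib.sha256).digest()[:NONCE_LEN]


# Constructed failure conditions: an RNG that only emits zeros and a clock
# stuck at one value (the boot-time situation described in the thread).
def broken_rng(n):
    return b"\x00" * n


def frozen_clock():
    return 1409085331


def nonce_reuse_count(nonces):
    """Number of nonces that repeat an earlier one in the list."""
    return len(nonces) - len(set(nonces))


def compare_under_failure(messages, key):
    """Nonce repeats for each scheme when both RNG and clock have failed."""
    time_based = [nonce_random_plus_time(broken_rng, frozen_clock) for _ in messages]
    content_based = [nonce_semi_deterministic(key, broken_rng, m) for m in messages]
    return nonce_reuse_count(time_based), nonce_reuse_count(content_based)


def compare_healthy(messages, key):
    """Same comparison with a working RNG and clock: no repeats expected."""
    time_based = [nonce_random_plus_time(os.urandom, lambda: int(time.time())) for _ in messages]
    content_based = [nonce_semi_deterministic(key, os.urandom, m) for m in messages]
    return nonce_reuse_count(time_based), nonce_reuse_count(content_based)
```

With three documents, two of them identical, the time-based scheme hands every document the same nonce under failure, while the content-bound scheme repeats a nonce only for the duplicated document.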