[noise] Thoughts on semi-deterministic encryption

Jonathan Moore moore at eds.org
Wed Aug 27 15:39:20 PDT 2014


On Wed, Aug 27, 2014 at 3:18 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Wed, Aug 27, 2014 at 3:12 PM, Jonathan Moore <moore at eds.org> wrote:
>>
>> Two things the errors in the bitcoin cases were do to nonce reuse. What
>> the research actually did is look for reused r, where r is derived from the
>> nonce and private key, values in the dsa signatures. I know that some of
>> the reuse was explicitly due to bad counter implementation. Others are
>> knows to be due to the bad android RNG.
>>
>
> This could be easily solved by doing deterministic ECDSA like EdDSA does.
>

Yes but it is an example of nonce generation failures.


>  Why would you refer to my scheme as counting?
>>
>
> I wasn't referring to your scheme. Using time or a counter as part of the
> nonce is much cheaper than your scheme, which requires a content hash.
> Deriving keys or IVs from a content hash is great if you're building a
> convergent / content addressable encryption scheme, but if you're not it's
> a waste.
>

I don't think your aproi claim that it is a waste is correct. It adds
desirable properties, that adding in time can not guarantee, and for some
situations the cost is totally reasonable. ( It is also worth noting that
the extra cost is only when for encryption and not decryption. ) If the
cost is really a issue one could also consider a construction like HS1-SIV
which uses the authenticator as the IV; but that only works for mac then
encrypt modes which some people don't like.

-Jonathan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20140827/7ac18ffa/attachment.html>


More information about the Noise mailing list