[noise] Thoughts on semi-deterministic encryption

Jonathan Moore moore at eds.org
Wed Aug 27 17:13:59 PDT 2014

On Wed, Aug 27, 2014 at 4:30 PM, Brian Warner <warner at lothar.com> wrote:
> To get semantic security, you either need entropy (for the RNG) or
> storage (for a counter). Clocks are a special form of storage, and have
> other handy properties when they work, but I don't like to depend upon
> them because they'll lead you into temptation.

djb has mostly convinced me that it is just not a good idea to use clocks
as they really have no defined security properties; and drive makers have
convinced me not to trust storage ;)

The two environments that I am most worried about are embedded
environments, which have been shown to do such terrible things, and
JavaScript environments, which are known to be terrible but are also the only
platform available in browsers. Thinking about these environments does make
me pessimistic for sure.

> But yeah, I think mixing in the entropy with the deterministically
> generated (H(plaintext)) key is fine. I'd use HKDF for the mixing, but
> it's basically the same as your HMAC scheme. The HKDF paper has some
> descriptions of how it's designed to tolerate an attacker controlling
> certain inputs (the salt, I think): so maybe you could treat the RNG as
> untrusted by passing it as the salt. I think the goal would be for a
> computationally-bounded attacker who gets to see everything else to
> remain unable to force the encryption key into a particular value.

Thanks, I will check out HKDF.

Have you looked at the construction of HS1-SIV, which uses the
authenticator as the IV? (Someone on #tahoe-lafs pointed me to it.) It
allows two-pass authenticated encryption with a SIV.
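The mixing Brian describes in the quoted paragraph, as an added example that is not part of this thread or of any project discussed in it: HKDF (RFC 5869, HMAC-SHA-256) with H(plaintext) as the input keying material and the RNG output fed in only as the salt. The function names, the `info` label and the sample inputs are my own assumptions.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).
    # An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies.
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) | info | i).
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF-Expand")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(plaintext: bytes, rng_output: bytes, key_len: int = 32) -> bytes:
    # Semi-deterministic key: the hash of the plaintext is the input keying
    # material; whatever the RNG produced enters only as the (untrusted) salt.
    # A stuck RNG degrades the key to a deterministic function of the
    # plaintext, which leaks equality of messages but not their content.
    ikm = HASH(plaintext).digest()
    prk = hkdf_extract(rng_output, ikm)
    return hkdf_expand(prk, b"semi-deterministic-encryption-key", key_len)


def demo():
    # Constructed sample input; the all-zero "stuck" RNG models the failure
    # mode the thread worries about in embedded and JavaScript environments.
    msg = b"example plaintext"
    stuck_rng = bytes(32)
    same_key_when_stuck = derive_key(msg, stuck_rng) == derive_key(msg, stuck_rng)
    fresh_keys_differ = derive_key(msg, os.urandom(32)) != derive_key(msg, os.urandom(32))
    return same_key_when_stuck, fresh_keys_differ
```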
