[noise] Thoughts on semi-deterministic encryption
moore at eds.org
Wed Aug 27 17:13:59 PDT 2014
On Wed, Aug 27, 2014 at 4:30 PM, Brian Warner <warner at lothar.com> wrote:
> To get semantic security, you either need entropy (for the RNG) or
> storage (for a counter). Clocks are a special form of storage, and have
> other handy properties when they work, but I don't like to depend upon
> them because they'll lead you into temptation.
djb has mostly convinced me that it is just not a good idea to use clocks,
as they really have no defined security properties; and drive makers have
convinced me not to trust storage ;)

The two environments that I am most worried about are embedded
environments, which have been shown to do such terrible things, and the
platform available in browsers. Thinking about these environments does make
me pessimistic for sure.
> But yeah, I think mixing in the entropy with the deterministically
> generated (H(plaintext)) key is fine. I'd use HKDF for the mixing, but
> it's basically the same as your HMAC scheme. The HKDF paper has some
> descriptions of how it's designed to tolerate an attacker controlling
> certain inputs (the salt, I think): so maybe you could treat the RNG as
> untrusted by passing it as the salt. I think the goal would be for a
> computationally-bounded attacker who gets to see everything else to
> remain unable to force the encryption key into a particular value.
Thanks, I will check out HKDF.

Have you looked at the construction of HS1-SIV, which uses the
authenticator as the IV? (Someone on #tahoe-lafs pointed me to it.) It
allows two-pass authenticated encryption with a SIV.
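The mixing scheme discussed in this exchange (a deterministic H(plaintext) key combined with RNG output through HKDF, with the RNG treated as untrusted by feeding it in as the salt), as an added example that is not code from either poster, from the Noise project or from Tahoe-LAFS. It implements HKDF-SHA256 from RFC 5869 inline rather than pulling in a library, checks itself against the RFC's first test vector, and then shows what a working RNG and a dead RNG each do to the derived key. The function names, the info string and the sample plaintexts are assumptions made for this example; HS1-SIV is not covered.

```python
"""Semi-deterministic content key: H(plaintext) is the HKDF input key material,
whatever the RNG produced is the salt. HKDF-SHA256 per RFC 5869, written inline."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM); an absent salt is HashLen zero bytes.
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ...
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_test_case_1_passes() -> bool:
    """Known-answer check against RFC 5869 Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf(salt, ikm, info, 42) == okm


# Assumed context label for this example; any fixed application-specific string works.
KEY_INFO = b"semi-deterministic content key v1"


def derive_content_key(plaintext: bytes, rng_output: bytes, key_len: int = 32) -> bytes:
    """Mix the deterministic content hash with whatever the RNG handed back.

    H(plaintext) is the secret input key material. The RNG output goes in as the
    salt, the input HKDF is built to tolerate an attacker controlling: a good RNG
    gives unrelated keys for repeated encryptions of the same plaintext, a broken
    one leaves a key that still depends on the plaintext the attacker lacks.
    """
    return hkdf(rng_output, hashlib.sha256(plaintext).digest(), KEY_INFO, key_len)


def fresh_randomness_gives_distinct_keys(plaintext: bytes) -> bool:
    """With a working RNG the same plaintext does not repeat a key."""
    k1 = derive_content_key(plaintext, os.urandom(32))
    k2 = derive_content_key(plaintext, os.urandom(32))
    return k1 != k2


def broken_rng_degrades_to_convergent(plaintext: bytes, other_plaintext: bytes) -> bool:
    """A dead RNG (all zeros) makes the key a function of the plaintext alone:
    equal plaintexts collide (convergent encryption), different ones still do not."""
    dead = b"\x00" * 32
    same = derive_content_key(plaintext, dead) == derive_content_key(plaintext, dead)
    different = derive_content_key(plaintext, dead) != derive_content_key(other_plaintext, dead)
    return same and different


def attacker_chosen_salts_only_rerandomize(plaintext: bytes, trials: int = 64) -> bool:
    """An attacker who picks the 'RNG' output changes the key each time but cannot
    steer it toward a key computed without the secret content hash."""
    keys = {derive_content_key(plaintext, bytes([i]) * 32) for i in range(trials)}
    decoy = derive_content_key(b"constructed wrong guess", b"\x00" * 32)
    return len(keys) == trials and decoy not in keys


if __name__ == "__main__":
    pt = b"constructed sample plaintext"  # constructed input for the demo
    print("RFC 5869 KAT:", rfc5869_test_case_1_passes())
    print("fresh RNG -> distinct keys:", fresh_randomness_gives_distinct_keys(pt))
    print("dead RNG -> convergent keys:", broken_rng_degrades_to_convergent(pt, b"other"))
    print("attacker salts only re-randomize:", attacker_chosen_salts_only_rerandomize(pt))
```

Two points worth noticing in the design. In HKDF-Extract the salt is the HMAC key and the content hash is the message, so an attacker who controls the salt can make the derived key different every time but, without the plaintext, has no way to compute it; forcing it to a chosen value would mean finding an HMAC key that maps an unknown message to a chosen output. And the failure mode is explicit: with an all-zero salt the scheme collapses to convergent encryption, where equal plaintexts yield equal keys and ciphertexts, which is exactly the leak the RNG contribution is there to prevent, so a failed RNG costs semantic security but not key secrecy.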