[noise] Thoughts on semi-deterministic encryption

Jonathan Moore moore at eds.org
Wed Aug 27 18:06:39 PDT 2014


On Wed, Aug 27, 2014 at 5:27 PM, Brian Warner <warner at lothar.com> wrote:

> On 8/27/14, 5:13 PM, Jonathan Moore wrote:
>
> > djb has mostly convinced me that it is just not a good idea to use
> > clocks as they really have no defined security properties; and drive
> > makers have convinced me not to trust storage ;)
>
> Heh, and everyone else has been busy convincing us to not trust RNGs :).


I think an interesting thought experiment is how far can we get if we take
as givens that storage is unreliable and RNGs only give us small amounts of
entropy. I think it might be possible that we can still do useful
things using deterministic approaches and key stretching (useful things
under specific threat models at least).


> > Have you looked at the construction of HS1-SIV which uses the
> > authenticator as the IV? ( Someone on #tahoe-lafs pointed me to it )
> > It allows two pass authenticated encryption with a SIV.
>
> No, I haven't. Is there a paper or something I could look at?


http://competitions.cr.yp.to/round1/hs1siv-nh.pdf

-Jonathan
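
The "authenticator as the IV" idea mentioned in the thread, as an added example that is not part of the original message and is not HS1-SIV itself: a generic SIV-style composition in which pass 1 computes a tag over the associated data and plaintext, and pass 2 encrypts under that tag as a synthetic IV. HMAC-SHA256 and SHAKE-256 are stand-ins chosen so the sketch runs on the Python standard library; all function names and the key-derivation labels are assumptions.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of the tag, which doubles as the synthetic IV


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate MAC and encryption keys from one master key (labels are made up).
    return hmac.new(key, b"siv-demo/" + label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    # SHAKE-256 as a stand-in stream cipher; both inputs are fixed-length.
    return hashlib.shake_256(enc_key + iv).digest(n)


def _tag(mac_key: bytes, ad: bytes, pt: bytes) -> bytes:
    # Length-prefix the associated data so distinct (ad, pt) pairs never collide.
    msg = len(ad).to_bytes(8, "big") + ad + pt
    return hmac.new(mac_key, msg, hashlib.sha256).digest()[:TAG_LEN]


def siv_encrypt(key: bytes, ad: bytes, pt: bytes) -> bytes:
    mac_key, enc_key = _derive(key, b"mac"), _derive(key, b"enc")
    iv = _tag(mac_key, ad, pt)             # pass 1: authenticate, no RNG or clock
    ks = _keystream(enc_key, iv, len(pt))  # pass 2: encrypt under the tag as IV
    return iv + bytes(a ^ b for a, b in zip(pt, ks))


def siv_decrypt(key: bytes, ad: bytes, blob: bytes) -> bytes:
    if len(blob) < TAG_LEN:
        raise ValueError("ciphertext too short")
    mac_key, enc_key = _derive(key, b"mac"), _derive(key, b"enc")
    iv, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
    # Release the plaintext only if the recomputed tag matches the received IV.
    if not hmac.compare_digest(iv, _tag(mac_key, ad, pt)):
        raise ValueError("authentication failed")
    return pt


if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    c1 = siv_encrypt(key, b"hdr", b"attack at dawn")
    c2 = siv_encrypt(key, b"hdr", b"attack at dawn")
    c3 = siv_encrypt(key, b"hdr", b"attack at dusk")
    print("same input, same ciphertext:", c1 == c2)
    print("different input, different IV:", c1[:TAG_LEN] != c3[:TAG_LEN])
```

Identical (key, associated data, plaintext) inputs give identical ciphertexts, so the only thing the scheme reveals without a nonce is message equality.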