[noise] Thoughts on semi-deterministic encryption

Tony Arcieri bascule at gmail.com
Wed Aug 27 21:49:43 PDT 2014

On Wed, Aug 27, 2014 at 6:12 PM, Jonathan Moore <moore at eds.org> wrote:

> Sure, but counters and clocks are different things, and there are
> interesting environments with out storage at all. I understand that I am
> not discussing ideas that might not get used every day but they are not
> uninteresting which is what it feels like you are trying to argue for.

I'm just saying if nonce reuse due to poor RNGs is the only purpose, it
seems like overkill.

If your use case is a content addressable system like Tahoe-LAFS, it's much
more interesting. Adding in the convergence secret, as Brian mentioned,
mitigates a wide range of attacks on convergent encryption systems. Beyond
that, you can simply derive a unique key per message (via, as mentioned,
something like HKDF) from the content hash and the convergence secret, at
which point (also as Brian mentioned) you eliminate the problem of having
to choose a nonce entirely or worry about protocols like SIV, while still
providing a content addressable, deterministic encryption scheme.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20140827/9b0e09f0/attachment.html>

More information about the Noise mailing list