top | item 40654633

e____g | 1 year ago

It's worth mentioning AES-GCM-SIV[1], which is the fix for this issue.

[1] https://www.rfc-editor.org/rfc/rfc8452.html

tptacek|1 year ago

The alternative, which I prefer, is an XGCM-like construction that just gives you a large enough nonce to comfortably use random nonces.

vlovich123|1 year ago

AES-GCM has a 12-byte nonce if I recall correctly. Is 96 bits of entropy insufficient to guarantee uniqueness every time it's generated?
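
The two comments above (the large-nonce construction, and whether 96 random bits are enough) come down to what a repeated nonce costs in GCM and how the birthday bound scales with nonce size. The Go program below is an added example written for this page, not code from any commenter or from a library's reference implementation. It assumes the Go standard library's `crypto/aes` and `crypto/cipher` (whose `cipher.NewGCM` uses the standard 12-byte nonce), constructed sample plaintexts, a random key, and NIST SP 800-38D's requirement that the probability of a repeated random IV under one key stay below 2^-32. It first seals two messages with the same key and nonce and checks that the XOR of the ciphertext bodies equals the XOR of the plaintexts (the counter-mode keystream is identical), then computes how many random nonces a 96-bit and a 192-bit space each allow before that 2^-32 limit is reached.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math"
)

// xorBytes returns a XOR b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamLeak seals p1 and p2 under the same AES-GCM key and the same
// 96-bit nonce and returns c1 XOR c2 over the ciphertext bodies (the 16-byte
// tags appended by Seal are stripped). GCM encrypts with AES in counter mode,
// and the counter sequence depends only on (key, nonce), so a repeated nonce
// yields an identical keystream and c1 XOR c2 == p1 XOR p2.
func keystreamLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil
}

// collisionProbability is the birthday-bound estimate of the chance that at
// least two of n uniformly random nonceBits-bit nonces coincide:
// 1 - exp(-n(n-1) / (2 * 2^nonceBits)).
func collisionProbability(nonceBits int, n float64) float64 {
	space := math.Ldexp(1, nonceBits) // 2^nonceBits as a float64
	return -math.Expm1(-n * (n - 1) / (2 * space))
}

// messagesForProbability inverts the estimate above: roughly how many random
// nonces can be drawn under one key before the collision probability reaches p.
func messagesForProbability(nonceBits int, p float64) float64 {
	space := math.Ldexp(1, nonceBits)
	return math.Sqrt(-2 * space * math.Log1p(-p))
}

func main() {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	nonce := make([]byte, 12) // drawn once and deliberately reused below
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	// Constructed sample plaintexts; the only thing that matters is the shared nonce.
	p1 := []byte("transfer 100 to alice")
	p2 := []byte("transfer 999 to mallo")
	leak, err := keystreamLeak(key, nonce, p1, p2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("c1 XOR c2 == p1 XOR p2: %v\n", bytes.Equal(leak, xorBytes(p1, p2)))

	// NIST SP 800-38D requires P(repeated random IV under one key) <= 2^-32.
	limit := math.Ldexp(1, -32)
	for _, bits := range []int{96, 192} {
		fmt.Printf("%3d-bit nonce: about %.3g random nonces per key before P(collision) reaches 2^-32\n",
			bits, messagesForProbability(bits, limit))
	}
	fmt.Printf("P(collision) after 2^32 random 96-bit nonces: %.3g\n",
		collisionProbability(96, math.Ldexp(1, 32)))
}
```

With 96 random bits the 2^-32 limit is hit after roughly 2^32 (about 6e9) messages per key; with 192 bits it is roughly 2^80, which is why an extended-nonce construction lets you draw nonces at random without tracking how many you have sent. The XOR check is the privacy half of the failure; the authenticity half (recovering the GHASH key from two tags under one nonce) is not shown here.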

bjoli|1 year ago

Could this be extended to give us XOCB? I am not sure it would make much sense with the OCB size recommendations.

throw0101d|1 year ago

At this point OCB has an expired patent, and only needs one pass over the data:

* https://en.wikipedia.org/wiki/OCB_mode

upofadown|1 year ago

From the OCB FAQ[1]:

>What happens if you repeat the nonce? You’re going to mess up authenticity for all future messages, and you’re going to mess up privacy for the messages that use the repeated nonce.

The loss of privacy on OCB nonce reuse is not as severe. It would be more or less the same as with ECB mode.

[1] https://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm