On Thu, Nov 12, 2015 at 1:15 PM, Nick Badger <[email protected]> wrote:
> I'm merging message trees here to avoid multiple replies.
>
> Re: Joe --
>
>> Your proposed scheme might be secure there, but the straightforward way
>> to do what you're trying to do is compute a MAC of the plaintext and use
>> that as your IV. Key-reuse is a problem for provable security, as you point
>> out. The simplest thing is to just have two keys, one for the MAC
>> computation and one for the encryption.
>>
>
> MACs are definitely simpler and feel more elegant, but if possible, I'd
> prefer to stick with an encrypt-then-MAC/sign approach all around (the
> containers themselves are signed, not MAC'd).
>

Note that what I was suggesting is exactly what AES-SIV does: CMAC is computed with one key over the entire plaintext (plus additional authenticated data), this MAC is used directly as the IV, CTR encryption is applied, and then the ciphertext is sent along with the MAC.

If you had asked me this morning I might have said "I'm not sure using the same MAC as your IV and MAC has no security gotchas, would have to think to be sure there are no gotchas" and suggested maybe adding a second MAC over the whole ciphertext to be safe. Fortunately the security analysis has already been done to show that re-using the MAC in this way as an IV is safe, leading to AES-SIV:

https://www.iacr.org/archive/eurocrypt2006/40040377/40040377.pdf

So I would suggest using that.
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
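The construction discussed in the thread (a MAC over the plaintext plus associated data used directly as the CTR IV, encryption under a second independent key, tag shipped with the ciphertext), as an added example that is not code from the thread or from the AES-SIV paper. It assumes HMAC-SHA256 truncated to one AES block in place of AES-SIV's CMAC-based S2V, so it is SIV-style rather than RFC 5297 AES-SIV, and the key and message values in the usage are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// sivTag is the MAC over (aad, plaintext) that doubles as the CTR IV. HMAC-SHA256
// truncated to one AES block stands in for AES-SIV's CMAC-based S2V (an assumption
// of this example, not RFC 5297). macKey must be independent of the AES key.
func sivTag(macKey, aad, plaintext []byte) []byte {
	var aadLen [8]byte // length-prefix the AAD so (aad, plaintext) splits are unambiguous
	binary.BigEndian.PutUint64(aadLen[:], uint64(len(aad)))
	h := hmac.New(sha256.New, macKey)
	h.Write(aadLen[:])
	h.Write(aad)
	h.Write(plaintext)
	return h.Sum(nil)[:aes.BlockSize]
}

// ctrXOR runs AES-CTR with the tag as IV; CTR is its own inverse.
func ctrXOR(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Seal returns tag || ciphertext; equal inputs give equal outputs (SIV is deterministic, nonce-free).
func Seal(macKey []byte, block cipher.Block, aad, plaintext []byte) []byte {
	tag := sivTag(macKey, aad, plaintext)
	return append(tag, ctrXOR(block, tag, plaintext)...)
}

// Open decrypts with the received tag as IV, then recomputes the tag over the
// recovered plaintext in constant time; nothing is released on a mismatch.
func Open(macKey []byte, block cipher.Block, aad, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("sealed message too short")
	}
	tag, ct := sealed[:aes.BlockSize], sealed[aes.BlockSize:]
	pt := ctrXOR(block, tag, ct)
	if !hmac.Equal(tag, sivTag(macKey, aad, pt)) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}
```

Because the tag is the IV, any change to plaintext, AAD, ciphertext or tag changes what Open recomputes, so a modified message fails authentication before any plaintext is returned; the determinism means identical messages under the same keys are visibly identical on the wire.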
