> eated as a sequence of blocks, not bytes) is
> itself a valid CBC encryption.
Yes, obviously... which is why I wrote "I am particularly thinking of
CTR mode and its relatives".
It's a pity OCB mode is patented.
- Nemo
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
tions... unless you used PFS.
- Nemo
t is that if the IV can be kept confidential cheaply, why not? (I
am particularly thinking of CTR mode and its relatives.)
- Nemo
se NSA's math skills are scary. In my
opinion, it is virtually certain NSA knows something about integer
factoring and/or integer discrete log and/or elliptic curves that we do
not. So I would build in some margin. I would start with 3072 bits for
RSA/DH and 384 bits for ECC and only
o stir
extra entropy into the encryption. It does nothing for any security
proofs, since those assume perfectly secure block ciphers... But it
might make somebody's job just a little bit harder in practice. And
since it would cost nothing, why not?
- Nemo
seeds for the NIST curves, and how do they claim
those seeds were chosen, exactly?
- Nemo