Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2015-01-06 Thread Peter Gutmann
Naveen Nathan nav...@lastninja.net writes: [Quoting someone else] As I see it from that paper the advantages of a key-wrap scheme over using a generic AEAD scheme are that (a) it may be lighter weight in computation and size of ciphertext (b) Defends against “IV misuse”. (c) RFC 3394 has

Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Jeffrey Goldberg
Following up on my own question: On Dec 24, 2014, at 3:44 PM, Jeffrey Goldberg jeff...@goldmark.org wrote: My big question is whether use of Key Wrap (RFC 3394) is recommended or not. If I want provable security, then I should use a generated AEAD construction, but there is nothing known to be

Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Naveen Nathan
As I see it from that paper the advantages of a key-wrap scheme over using a generic AEAD scheme are that (a) it may be lighter weight in computation and size of ciphertext (b) Defends against “IV misuse”. (c) RFC 3394 has been around for a while and is widely available. The paper in

Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Matthew Green
The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact if anything it's over-engineered. It's designed to achieve CCA2 security (or an equivalent deterministic definition) for high-entropy messages. It probably does that,

Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Ryan Carboni
yes, but if the NSA starts publishing things, people might realize the NSA exists. On Wed, Dec 24, 2014 at 4:48 PM, Matthew Green matthewdgr...@gmail.com wrote: The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact if