On 5/24/16, 2:42 PM, "Martin Thomson" <[email protected]> wrote:
>On 24 May 2016 at 10:46, Dang, Quynh (Fed) <[email protected]> wrote:
>>>We discussed this at quite some length. I originally took your
>>>position, but the IVs add an extra layer of safety at very little
>>>cost.
>>
>> I don't see any extra layer here.
>
>
>The argument here is that there are only 2^128 keys and some protocols
>have predictable plaintext. A predictable nonce would allow an
>attacker to do some pre-calculation with a large number of keys to get
>a chance of a collision (and a break). It's a long bow, but not
>entirely implausible.

Ciphers that use nonces are designed/proved to be secure when nonces are predictable: nonces are not random values.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
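The nonce construction the thread is arguing about, written out as an added Python example that is not part of this exchange: the TLS 1.3 per-record nonce of RFC 8446 section 5.3, where the predictable 64-bit record sequence number is XORed with a secret per-direction write IV. The IV and sequence numbers used below are constructed sample values.

```python
import os

NONCE_LEN = 12  # nonce length for AES-GCM and ChaCha20-Poly1305 in TLS 1.3
SEQ_LEN = 8     # TLS record sequence number is a 64-bit counter


def tls13_per_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """RFC 8446 section 5.3: left-pad the 64-bit sequence number with zeros to
    the nonce length, then XOR it with the static, secret write IV derived
    from the traffic secret. The counter is predictable; the IV masks it."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("write_iv must be %d bytes" % NONCE_LEN)
    if not 0 <= seq < 2 ** (8 * SEQ_LEN):
        raise ValueError("sequence number out of 64-bit range")
    padded = seq.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded))


def bare_counter_nonce(seq: int) -> bytes:
    """The alternative discussed in the thread: the counter used directly as
    the nonce, identical for every connection at the same record index."""
    return seq.to_bytes(NONCE_LEN, "big")


def nonces_unique(write_iv: bytes, count: int) -> bool:
    """Uniqueness within one key/IV pair is preserved by the XOR, since the
    mapping seq -> nonce is a bijection for a fixed IV."""
    return len({tls13_per_record_nonce(write_iv, s) for s in range(count)}) == count


def same_nonce_across_connections(iv_a: bytes, iv_b: bytes, seq: int) -> bool:
    """With per-connection IVs, two connections at the same record index use
    different nonces, which is the 'extra layer' the quoted message refers to:
    a precomputation keyed on one fixed nonce no longer applies to every
    connection. With the bare counter, the nonce is the same everywhere."""
    return tls13_per_record_nonce(iv_a, seq) == tls13_per_record_nonce(iv_b, seq)


if __name__ == "__main__":
    # Constructed sample IVs; real IVs come from HKDF-Expand-Label on the traffic secret.
    iv_a = bytes(range(12))
    iv_b = os.urandom(NONCE_LEN)
    for s in (0, 1, 255):
        print(s, tls13_per_record_nonce(iv_a, s).hex(), bare_counter_nonce(s).hex())
    print("unique:", nonces_unique(iv_a, 1000))
    print("same nonce on two connections:", same_nonce_across_connections(iv_a, iv_b, 7))
```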
