@BRIAN_____ @marshray doesn't follow: both AES and GCM are deterministic algorithms. Better to attack PRNG, keygen, MoE with random nonces
@damienmiller @marshray Ex: People choose hardware implementations of AES-GCM b/c they are supposed to be constant-time but who verifies it?
@BRIAN_____ @marshray symmetric cipher timing leaks seem too noisy and expensive for mass surveillance
@BRIAN_____ Confused; link's point is that fast-in-HW algs benefit an attacker with a big HW budget, as everyone else will only use SW impl.
@BRIAN_____ The part of GCM that is in hardware controls integrity and not confidentiality.