@tqbf @bascule @matthew_d_green @dchest @marshray I don’t think getting CTR right is hard, but I don’t know what I don’t know.
@marshray yeah, bad idea, I need to update the description to note I'm deriving an AES-CTR nonce too
@bascule http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf "for each message encrypted by a key...must ensure uniqueness of all the counter blocks across all messages"
@marshray NaCl's aes128ctr uses a 128-bit nonce. Combined with a 128-bit key, isn't that sufficient? https://github.com/jedisct1/libsodium/blob/master/src/libsodium/include/sodium/crypto_stream_aes128ctr.h#L5
@bascule Sufficient or no, it's not CTR mode, which requires nonce and counter to be separate bitfields and *no* wrapping or overlaps (ever)
@marshray do you think there's a non-negligible chance of that happening given a 128-bit key and 128-bit nonce?
@bascule despite what crypto_stream_aes128ctr.h implies, AES can't take a 128-bit nonce and still have room for a meaningful counter value
@marshray I am glad I am doing this as a thought exercise and not something anyone ever intends to use ;)