@matthew_d_green @marshray so my pal @namelessjon is curious what the specific rationale for MACing the nonce is
@matthew_d_green @marshray @namelessjon an incorrect MAC key would be generated by HKDF, and the MAC verification would therefore fail
@bascule @matthew_d_green @namelessjon if you don't MAC the nonce, hilarity ensues when the bad guy passes the wrong one
@marshray @bascule @matthew_d_green MAC key derived from nonce. If adv can forge MAC for CT, but not CT+N w. nonce, not sure I like that MAC
@namelessjon @marshray @matthew_d_green true, but with nonce + ciphertext, they'd have to break both HKDF+HMAC (which are, well, related :|)
@bascule @namelessjon @matthew_d_green Re: MAC'ing-the-nonce, it depends, and I fear there's no way we'll keep our concepts straight in 140.
@marshray @namelessjon @matthew_d_green yeah, I feel Twitter is a bit ill-equipped for this discussion ;)
@bascule @marshray @namelessjon On the contrary, I think all technical discussions should be held on Twitter. Keeps people on target.
End of conversation
New conversation
@bascule @marshray @namelessjon Did you have HKDF in the version I first looked at?
@matthew_d_green @marshray @namelessjon no, I added it later re: concerns around nonces
End of conversation
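The two designs argued over in the threads above, as an added worked example that is not code from any of the participants or from the scheme they were reviewing: a "nonce-derived" variant where HKDF turns the master key plus the nonce into separate encryption and MAC keys, so a swapped nonce produces the wrong MAC key and verification fails, next to a "static" variant where the MAC key is fixed and the tag covers only the ciphertext, so a swapped nonce sails through verification and the receiver decrypts garbage. Everything here is an assumption for illustration: the HKDF-SHA256 implementation follows RFC 5869 but the key layout (nonce used as the HKDF salt, `b"enc|mac"` as the info string, 32-byte keys), the `keystream_xor` helper (an HMAC-in-counter-mode stand-in for a real stream cipher such as AES-CTR, so the example runs on the standard library alone) and the `nonce_swap_outcomes` demo are invented for this example.

```python
import hmac
import hashlib
import os
import struct

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(master_key: bytes, nonce: bytes):
    """Assumed layout: nonce is the HKDF salt, one expand call yields enc||mac keys."""
    prk = hkdf_extract(nonce, master_key)
    okm = hkdf_expand(prk, b"enc|mac", 2 * HASH_LEN)
    return okm[:HASH_LEN], okm[HASH_LEN:]


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: HMAC(key, nonce||counter) blocks XORed into data.
    Stand-in for AES-CTR so this runs on the standard library; not a recommendation."""
    out = bytearray()
    for i in range(0, len(data), HASH_LEN):
        block = hmac.new(enc_key, nonce + struct.pack(">Q", i // HASH_LEN), HASH).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + HASH_LEN], block))
    return bytes(out)


# --- Variant A: MAC key derived from the nonce via HKDF (the thread's design) ---

def encrypt_nonce_derived(master_key: bytes, plaintext: bytes, nonce: bytes = None):
    nonce = nonce or os.urandom(16)
    enc_key, mac_key = derive_keys(master_key, nonce)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, ct, HASH).digest()  # tag covers only CT, but mac_key depends on nonce
    return nonce, ct, tag


def decrypt_nonce_derived(master_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key, mac_key = derive_keys(master_key, nonce)
    if not hmac.compare_digest(hmac.new(mac_key, ct, HASH).digest(), tag):
        raise ValueError("MAC verification failed")  # wrong nonce -> wrong mac_key -> reject
    return keystream_xor(enc_key, nonce, ct)


# --- Variant B: static MAC key, tag over ciphertext only, nonce never authenticated ---

def encrypt_static_mac(master_key: bytes, plaintext: bytes, nonce: bytes = None):
    nonce = nonce or os.urandom(16)
    enc_key = hmac.new(master_key, b"enc", HASH).digest()
    mac_key = hmac.new(master_key, b"mac", HASH).digest()
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, ct, HASH).digest()  # nonce is NOT covered by the tag
    return nonce, ct, tag


def decrypt_static_mac(master_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    enc_key = hmac.new(master_key, b"enc", HASH).digest()
    mac_key = hmac.new(master_key, b"mac", HASH).digest()
    if not hmac.compare_digest(hmac.new(mac_key, ct, HASH).digest(), tag):
        raise ValueError("MAC verification failed")
    return keystream_xor(enc_key, nonce, ct)  # a swapped nonce decrypts to garbage, undetected


def nonce_swap_outcomes(master_key: bytes, plaintext: bytes) -> dict:
    """Attacker forwards (wrong_nonce, ct, tag); report how each variant reacts."""
    wrong_nonce = b"\xff" * 16
    results = {}

    nonce, ct, tag = encrypt_nonce_derived(master_key, plaintext, b"\x01" * 16)
    try:
        decrypt_nonce_derived(master_key, wrong_nonce, ct, tag)
        results["nonce_derived"] = "accepted"
    except ValueError:
        results["nonce_derived"] = "rejected"

    nonce, ct, tag = encrypt_static_mac(master_key, plaintext, b"\x01" * 16)
    pt = decrypt_static_mac(master_key, wrong_nonce, ct, tag)  # no exception raised
    results["static_mac"] = "accepted_garbage" if pt != plaintext else "accepted_intact"
    return results


if __name__ == "__main__":
    print(nonce_swap_outcomes(b"k" * 32, b"attack at dawn"))
```

Variant A rejects the swapped nonce for exactly the reason given in the second tweet: the receiver re-runs HKDF with the attacker's nonce, obtains a different MAC key, and the tag no longer verifies. The objection raised later in the thread still stands, though: its security against nonce tampering rests on HKDF and HMAC sharing the same underlying primitive, whereas simply including the nonce in the MAC input (Variant B with `hmac.new(mac_key, nonce + ct, HASH)`) would detect the swap without relying on that derivation.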