Been looking at this today!
The fixed-size 272-byte frames: great choice for blinding some TA on interactive sessions. That's going to be very slow for downloads though, with the extra GCM tags. Are you open to making this part modal?
Replying to @colmmacc @JennaMagius
Are zero-relevant-data-bytes frames legit? If not, could use zero as a sentinel value to signal that it's a jumbo frame. Rounding jumbo frames to be 272 congruent would look the same to a MITM, but be much faster.
Replying to @colmmacc @JennaMagius
Other q: why not start the IV with the shared PRF? Just for some defense in depth against future weaknesses.
Replying to @JennaMagius
I’ll formulate my thoughts on jumbo frames better, but on the PRF front: in general when ciphers are broken it’s usually still harder for the attacker if the IVs are unknown.
Replying to @JennaMagius
Seed like you’re saying for the first and then IV += 1 after that. Just a random starting value.
Some protocols have tried Feistel IVs to avoid repetition, that’s crazy. Others have random IVs and live with low prob collisions. Most do random starting point and increment.
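Putting the two points of the thread together (fixed 272-byte frames versus jumbo frames rounded up to a multiple of 272, and a random-start IV that is incremented per frame), here is an added Python example; it is not code from any of the participants. The 2-byte length prefix inside each frame, the 16-byte GCM tag and the per-key frame budget before rekeying are assumptions.

```python
import secrets
from typing import List, Optional

FRAME = 272              # fixed wire size of one frame, from the thread
TAG = 16                 # AES-GCM authentication tag on every frame
LEN = 2                  # assumed: 2-byte length prefix inside the plaintext
CAP = FRAME - TAG - LEN  # 254 bytes of application data per fixed frame


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def fixed_frames(data: bytes) -> List[int]:
    """Wire sizes when every record is padded to exactly FRAME bytes.
    A single keystroke and a 254-byte burst look identical to a MITM."""
    return [FRAME] * max(1, _ceil_div(len(data), CAP))


def jumbo_frame(data: bytes) -> int:
    """Wire size of one jumbo record, rounded up so it is congruent to 0 mod FRAME:
    still only multiples of 272 on the wire, but one tag instead of one per 254 bytes."""
    return _ceil_div(LEN + len(data) + TAG, FRAME) * FRAME


def overhead(data: bytes, jumbo: bool) -> float:
    """Bytes on the wire per byte of application data (1.0 would be zero overhead)."""
    wire = jumbo_frame(data) if jumbo else sum(fixed_frames(data))
    return wire / len(data)


class NonceCounter:
    """Random 96-bit starting IV, then IV += 1 per frame (the 'random start
    and increment' scheme). Counts frames so the key is retired before the
    counter could wrap back onto a nonce already used under this key."""
    MAX_FRAMES = 2 ** 32  # assumed per-key frame budget; rekey when reached

    def __init__(self, seed: Optional[bytes] = None):
        seed = seed if seed is not None else secrets.token_bytes(12)
        self.start = int.from_bytes(seed, "big")
        self.count = 0

    def next(self) -> bytes:
        if self.count >= self.MAX_FRAMES:
            raise RuntimeError("frame budget exhausted: rekey before sending more")
        nonce = (self.start + self.count) % (1 << 96)  # wraps mod 2^96
        self.count += 1
        return nonce.to_bytes(12, "big")
```

For a 1 MiB download the fixed scheme costs about 7% extra on the wire while the jumbo scheme costs well under 0.1%, which is the "very slow for downloads" point in the thread expressed as numbers.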