... that's a confusing piece of minutia; but basically even though AES assembles a block of 256-bits to start with and needs a bigger key, the block size for AES256 is 128-bits. That size is about the data size of the blocks that the cipher permutes as it goes.
So really you need MAC-then-encrypt-then-also-MAC! I call this scheme Combined Online Linear Message MAC And Corruption Check (it's ok to shorten that to COLMMACC).
But seriously; if you used this cipher for a large volume data store (we don't!) fixing this would be a *major* pain. You'd have to decrypt and re-encrypt everything. If it crossed control boundaries, you'd have to tell users to keep a copy of the broken cipher implementation.
It's like the worst kind of applied crypto pain. Changing network crypto is easy in comparison! TLDR: version *everything* always, and include a plaintext checksum if you have to worry about long-term durability minutia like this. /out
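The advice above to version everything and carry a plaintext checksum, sketched as an added example that is not part of the original thread. The envelope layout, the constant `VERSION_AES256_GCM` and the functions `seal` and `unseal` are assumptions made for illustration, using Node's built-in AES-256-GCM.

```javascript
const nodeCrypto = require('crypto');

// Hypothetical envelope layout (assumed for this example, not from the thread):
//   byte 0 version | bytes 1-12 nonce | bytes 13-28 GCM tag | ciphertext
// The ciphertext covers plaintext || SHA-256(plaintext).
const VERSION_AES256_GCM = 1;
const sha256 = (buf) => nodeCrypto.createHash('sha256').update(buf).digest();

function seal(key, plaintext) {
  const header = Buffer.from([VERSION_AES256_GCM]);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(header); // bind the version byte to the authentication tag
  const body = Buffer.concat([
    cipher.update(plaintext), cipher.update(sha256(plaintext)), cipher.final(),
  ]);
  return Buffer.concat([header, nonce, cipher.getAuthTag(), body]);
}

// One opener per version ever written, so stored data stays readable
// after the default cipher or implementation is replaced.
const OPENERS = {
  [VERSION_AES256_GCM]: (key, env) => {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, env.subarray(1, 13));
    d.setAAD(env.subarray(0, 1));
    d.setAuthTag(env.subarray(13, 29));
    // final() throws if the tag does not verify
    return Buffer.concat([d.update(env.subarray(29)), d.final()]);
  },
};

function unseal(key, env) {
  const opener = OPENERS[env[0]];
  if (!opener) throw new Error(`unknown envelope version ${env[0]}`);
  const inner = opener(key, env);
  if (inner.length < 32) throw new Error('truncated payload');
  const plaintext = inner.subarray(0, inner.length - 32);
  const checksum = inner.subarray(inner.length - 32);
  // Check that does not depend on the cipher's own tag computation.
  if (!nodeCrypto.timingSafeEqual(checksum, sha256(plaintext))) {
    throw new Error('plaintext checksum mismatch');
  }
  return plaintext;
}
```

Migrating to a new cipher then means adding a version constant and an opener, while existing envelopes keep decrypting through the old entry.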
You could use SIV mode, which does indeed (safely) MAC the plaintext. But I guess if you are decrypting >256GB then you are almost certainly releasing unverified plaintext.
Good point! Two full passes of the plaintext on the encryption phase would be very expensive at that scale too.