Like I said, confusing! Anyway, let's talk about the bug! As part of its initial state, Salsa20 uses a counter. Not exactly like AES when in counter mode (That's AES-CTR and AES-GCM), more of a hybrid. And the bug is in this counter ...
But seriously; if you used this cipher for a large volume data store (we don't!) fixing this would be a *major* pain. You'd have to decrypt and re-encrypt everything. If it crossed control boundaries, you'd have to tell users to keep a copy of the broken cipher implementation.
It's like the worst kind of applied crypto pain. Changing network crypto is easy in comparison! TLDR: version *everything* always, and include plaintext checksums if you have to worry about long-term durability minutiae like this. /out
EtM is fine. If you’re worried about implementation bugs, you can combine (not cascade!) two stream ciphers. Ditto for the MAC. These can even run simultaneously on different cores. For very large messages, the synchronization overhead will be negligible anyway.
Combining also doubles (or more) any side-channel risks though. In GCM-SIV the GHASH or POLYVAL hash covers the plaintext, which works out to be more robust here. Never thought about it defending against implementation bugs before!