This. I keep telling people that remote side channel attacks are grossly overestimated. https://twitter.com/matthew_d_green/status/1187745594917437440
Are you referring to nonce-reuse issues? If so, what do you think is a pragmatic choice for AEAD that avoids it?
Nonce reuse with poor RNGs, and because AES-GCM is exactly length-matching, it makes mass surveillance via content fingerprinting far cheaper for adversaries. Both of these actual problems are actually exploited in the actual real world.
CBC encryption isn’t parallelizable. I suspect that was more of a driver for CTR than concern over padding oracles. That said, it’s unfortunate that none of the length hiding drafts for TLS went anywhere https://tools.ietf.org/id/draft-pironti-tls-length-hiding-00.html
TLS 1.3 has padding specified
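The two points raised above, that AES-GCM output length tracks plaintext length exactly and that TLS 1.3 specifies record padding, as an added Go example that is not from this thread: it seals a record as-is, then seals the same record padded TLS 1.3-style (content, content-type byte, zeros) up to a fixed bucket so the ciphertext length no longer fingerprints the content, and derives the GCM nonce from a record counter rather than an RNG. The key, bucket size and messages are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// padToBucket builds a TLS 1.3-style TLSInnerPlaintext (content || type || zeros)
// and rounds it up to a multiple of bucket, so every record in the bucket seals
// to the same ciphertext length regardless of the real content length.
func padToBucket(content []byte, contentType byte, bucket int) []byte {
	inner := append(append([]byte{}, content...), contentType)
	padLen := (bucket - len(inner)%bucket) % bucket
	return append(inner, make([]byte, padLen)...)
}

// counterNonce derives the 96-bit GCM nonce from a per-key record counter.
// A counter cannot repeat under the same key; a weak RNG can.
func counterNonce(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

// sealLen returns the AES-GCM ciphertext length for plaintext under key:
// GCM adds only the 16-byte tag, so without padding the length is exact.
func sealLen(key, plaintext []byte, seq uint64) (int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return 0, err
	}
	return len(aead.Seal(nil, counterNonce(seq), plaintext, nil)), nil
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key
	msgs := []string{"GET /a", "GET /some/much/longer/path"}
	for i, msg := range msgs {
		seq := uint64(2*i + 1)
		raw, _ := sealLen(key, []byte(msg), seq)
		padded, _ := sealLen(key, padToBucket([]byte(msg), 0x17, 64), seq+1)
		fmt.Printf("%-28q raw=%d padded=%d\n", msg, raw, padded)
	}
}
```

Both padded records seal to the same length, while the unpadded ones differ by exactly the difference in request length.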
With that in mind, which of the readily available combinations in common implementations should be used? Keeping in mind it would be good if they were supported by current hardware acceleration. I know CBC sucks, but didn't know GCM had worse problems.