The counter should be able to go to 2^64, which is big enough to encrypt extremely large volumes of data. The bug is that it cycles at 2^32, far far lower.
https://twitter.com/FiloSottile/status/1108569374343000064
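Added example, not from any participant in the thread: a toy counter-mode stream cipher (HMAC-SHA256 as a stand-in keystream, not ChaCha20 or any real cipher) that shows why a counter field that wraps at 2^32 instead of 2^64 matters, plus the length guard a caller can apply before encrypting under one nonce. The keystream construction, key and nonce are constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = 32  # toy keystream block size: one SHA-256 digest per counter value

# Constructed key and nonce for the demonstration only.
KEY = b"\x11" * 32
NONCE = b"\x22" * 12


def keystream_block(key: bytes, nonce: bytes, block_index: int, counter_bits: int) -> bytes:
    """Toy counter-mode keystream (stand-in for a real cipher): HMAC-SHA256(key, nonce || counter).
    counter_bits models the width of the counter field. A 32-bit field drops the
    high bits of block_index, so blocks i and i + 2**32 receive the same keystream."""
    counter = block_index & ((1 << counter_bits) - 1)
    return hmac.new(key, nonce + struct.pack("<Q", counter), hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, nonce, block_index, plaintext, counter_bits):
    return xor_bytes(plaintext, keystream_block(key, nonce, block_index, counter_bits))


def keystream_repeats(key, nonce, counter_bits) -> bool:
    """True if the keystream for block 0 is reused at block 2**32 (the wrap bug)."""
    first = keystream_block(key, nonce, 0, counter_bits)
    wrapped = keystream_block(key, nonce, 1 << 32, counter_bits)
    return first == wrapped


def two_time_pad(key, nonce, p_a, p_b, counter_bits) -> bool:
    """True when c_0 XOR c_(2**32) equals p_0 XOR p_(2**32): keystream reuse has
    turned the stream cipher into a two-time pad, so plaintext structure leaks."""
    c_a = encrypt_block(key, nonce, 0, p_a, counter_bits)
    c_b = encrypt_block(key, nonce, 1 << 32, p_b, counter_bits)
    return xor_bytes(c_a, c_b) == xor_bytes(p_a, p_b)


def max_bytes_per_nonce(counter_bits: int) -> int:
    """Largest message a counter of this width can address under one (key, nonce)."""
    return (1 << counter_bits) * BLOCK


def check_message_length(length: int, counter_bits: int) -> None:
    """Caller-side guard: refuse anything the counter cannot address without wrapping."""
    if length > max_bytes_per_nonce(counter_bits):
        raise ValueError(f"{length} bytes exceeds the {counter_bits}-bit counter limit")
```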
EtM is fine. If you’re worried about implementation bugs, you can combine (not cascade!) two stream ciphers. Ditto for the MAC. These can even run simultaneously on different cores. For very large messages, the synchronization overhead will be negligible anyway.
Combining also doubles (or more) any side-channel risks though. In GCM-SIV the GHASH or POLYVAL hash covers the plaintext, which works out to be more robust here. Never thought about it defending against implementation bugs before!
But even if the tag doesn’t verify, the plaintext will be (shortly or permanently, depending on the implementation) present in memory. Which may enable other kinds of attacks. Which is why I still tend to prefer EtM.