AES-GCM-SIV: Developer can reuse nonce, as a treat.
Which can also be catastrophic. Which is also why nonce-reuse resistant schemes still accept a nonce.
-
-
What's a scenario where distinguishability is catastrophic?
-
It's more likely that replay attacks is the problem. Guaranteed uniqueness of full blocks isn't always required, especially not for things like media streams. But for short recurring packets like "go now", "retreat", etc, it could also matter a whole lot.
- 7 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.