We recommend no more than 2^8 reuses. The failure property is similar to AES-GCM with 2^8 random nonces then.
Hm, but doesn't that kind of defeat the purpose of nonce-misuse resistance? Seems like an additional point a dev has to remember.
1 reply 0 retweets 1 like
Does NMR, to you, mean that you can fix the nonce and encrypt many plaintexts? Or that accidental, random reuse is safe?
3 replies 0 retweets 0 likes
That a fixed nonce is fine is how I expect most people to actually interpret NMR.
2 replies 0 retweets 3 likes
That's good to know, thanks. Perhaps we should find another term then.
3 replies 0 retweets 1 like
"Nonce-misuse tolerant"? NMR to me is: you can do what you want with nonces; it doesn't break the security of the algorithm.
1 reply 0 retweets 1 like
I actually think “misuse” is a problematic term, not just “resistant”.
1 reply 0 retweets 0 likes
Yes, probably.
1 reply 0 retweets 0 likes
Give people a fast, one-pass, strong-MR scheme and everybody will adopt it right away :)
2 replies 0 retweets 0 likes
Strong NMR schemes are always offline.
1 reply 0 retweets 0 likes
Had high hopes for HS1-SIV as well :(
Yes, the dropping out of HS1-SIV was surprising to me as well.
0 replies 0 retweets 0 likes
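The thread's opening comparison ("similar to AES-GCM with 2^8 random nonces") is only meaningful if you know what a GCM nonce reuse actually costs. The program below is an added example, not code from anyone in the thread: it encrypts two constructed messages with Go's standard-library AES-GCM under the same key and nonce, then plays the attacker who knows one plaintext and recovers the other from the XOR of the ciphertext bodies, since GCM's keystream depends only on (key, nonce). An SIV-style scheme fed the same repeated nonce would instead reveal only whether two plaintexts are equal, which is the gap the thread is arguing about. The second function is the birthday bound for n random nonces, the probability the "2^8 random nonces" framing refers to. Key, nonce, plaintexts and the function names are all assumptions chosen for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
)

const gcmTagSize = 16 // bytes cipher.NewGCM appends to every ciphertext

// gcmSeal encrypts pt with AES-GCM under key and a 96-bit nonce.
func gcmSeal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFromReuse models the attacker: two GCM ciphertexts produced under
// the same key and nonce, plus knowledge of the first plaintext. GCM is CTR
// mode underneath, so the keystream depends only on (key, nonce): XORing the
// first ciphertext body with pt1 yields the keystream, and XORing that into
// the second body yields pt2 over the common length. The tags are ignored;
// they authenticate but do not hide anything.
func recoverFromReuse(ct1, knownPt1, ct2 []byte) []byte {
	body1 := ct1[:len(ct1)-gcmTagSize]
	body2 := ct2[:len(ct2)-gcmTagSize]
	keystream := xorBytes(body1, knownPt1)
	return xorBytes(body2, keystream)
}

// randomNonceCollisionProbability is the birthday bound n(n-1)/2 / 2^bits:
// the chance that n uniformly random nonces of the given width contain at
// least one repeat, i.e. that a GCM-style scheme lands in the situation
// recoverFromReuse exploits. big.Int avoids overflow for n = 2^32 and up.
func randomNonceCollisionProbability(n int64, bits uint) float64 {
	pairs := new(big.Int).Mul(big.NewInt(n), big.NewInt(n-1))
	pairs.Rsh(pairs, 1)
	space := new(big.Int).Lsh(big.NewInt(1), bits)
	p, _ := new(big.Float).Quo(
		new(big.Float).SetInt(pairs),
		new(big.Float).SetInt(space),
	).Float64()
	return p
}

func main() {
	// Constructed sample inputs; the nonce is deliberately reused.
	key := []byte("0123456789abcdef") // 128-bit key (assumed)
	nonce := []byte("unique-nonce")   // 96-bit nonce, used twice
	pt1 := []byte("attack at dawn!!")
	pt2 := []byte("retreat at dusk!")

	ct1 := gcmSeal(key, nonce, pt1)
	ct2 := gcmSeal(key, nonce, pt2)
	got := recoverFromReuse(ct1, pt1, ct2)
	fmt.Printf("recovered pt2: %q (correct: %v)\n", got, bytes.Equal(got, pt2))

	fmt.Printf("P(repeat) among 2^8 random 96-bit nonces:  %.3g\n",
		randomNonceCollisionProbability(1<<8, 96))
	fmt.Printf("P(repeat) among 2^32 random 96-bit nonces: %.3g\n",
		randomNonceCollisionProbability(1<<32, 96))
}
```

The recovery works for any pair of messages, not just equal-length ones, over the bytes they have in common; with more than two messages under one nonce the attacker does not even need a known plaintext, since the pairwise XORs of the bodies are the pairwise XORs of the plaintexts. The probability numbers show why "2^8 random nonces" is a comfortable bound for GCM while large message counts are not.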