H(m)⊕r
Replying to @jedisct1 @BRIAN_____
If you're doing something like that, I think it would be better to use a full-blown SIV construction
something like AES-SIV but with ChaCha20 and Poly1305? http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf …
Replying to @bascule @BRIAN_____
If we have a working PRG, we should take advantage of it to avoid disclosing repeated messages.
Replying to @jedisct1 @BRIAN_____
sure, but you can mix randomness into a SIV mode's nonces
Replying to @bascule @BRIAN_____
We don’t need to force implementations to use this construction. We just need a nonce.
4:30 PM - 21 Feb 2017
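Added example, not code posted by anyone in the thread: a SIV-style construction in the spirit of the Rogaway-Shrimpton paper linked above, with a random component r mixed into the synthetic IV as the replies discuss. To keep it standard-library only it uses HMAC-SHA256 as a stand-in PRF for both the synthetic IV and the counter-mode keystream (a real build would use Poly1305/ChaCha20 or CMAC/CTR); the function names, the 64-byte key split and the r || iv || body ciphertext layout are this example's own choices, not anything the thread specifies.

```python
import hashlib
import hmac
import secrets
import struct

R_LEN = 16    # random "nonce" component mixed into the synthetic IV
IV_LEN = 16   # synthetic IV, which doubles as the authentication tag
BLOCK = 32    # keystream block size of the HMAC-SHA256 stand-in PRF


def _prf(key: bytes, data: bytes) -> bytes:
    # Stand-in PRF (assumption of this example): HMAC-SHA256 instead of
    # Poly1305/ChaCha20 or CMAC/AES-CTR as in the SIV paper.
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(parts) -> bytes:
    # Length-prefix each component so (aad, r, msg) cannot be re-split
    # ambiguously; this plays the role S2V plays in the paper.
    return b"".join(struct.pack(">Q", len(p)) + p for p in parts)


def _synthetic_iv(mac_key: bytes, aad: bytes, r: bytes, msg: bytes) -> bytes:
    # IV = PRF(K1, aad, r, msg): with fresh r, repeats of msg get distinct IVs;
    # with a repeated r, distinct messages still get distinct IVs.
    return _prf(mac_key, _encode([aad, r, msg]))[:IV_LEN]


def _ctr(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block i = PRF(K2, iv || i), XORed into data.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = _prf(enc_key, iv + struct.pack(">Q", i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def siv_encrypt(key: bytes, msg: bytes, aad: bytes = b"", r=None) -> bytes:
    """Return r || iv || CTR(msg). key is 64 bytes: 32 for the IV PRF, 32 for CTR."""
    if len(key) != 64:
        raise ValueError("key must be 64 bytes")
    mac_key, enc_key = key[:32], key[32:]
    if r is None:
        r = secrets.token_bytes(R_LEN)   # fresh randomness hides repeated messages
    if len(r) != R_LEN:
        raise ValueError("r must be %d bytes" % R_LEN)
    iv = _synthetic_iv(mac_key, aad, r, msg)
    return r + iv + _ctr(enc_key, iv, msg)


def siv_decrypt(key: bytes, ct: bytes, aad: bytes = b"") -> bytes:
    if len(key) != 64:
        raise ValueError("key must be 64 bytes")
    if len(ct) < R_LEN + IV_LEN:
        raise ValueError("ciphertext too short")
    mac_key, enc_key = key[:32], key[32:]
    r, iv, body = ct[:R_LEN], ct[R_LEN:R_LEN + IV_LEN], ct[R_LEN + IV_LEN:]
    msg = _ctr(enc_key, iv, body)
    # Recompute the IV over the decrypted message and compare in constant time;
    # any change to r, iv, aad or body makes this check fail.
    if not hmac.compare_digest(_synthetic_iv(mac_key, aad, r, msg), iv):
        raise ValueError("authentication failed")
    return msg


def repeated_r_leaks_xor(key: bytes, m1: bytes, m2: bytes, r: bytes) -> bool:
    """True if encrypting two different messages under the same r leaks
    m1 XOR m2 the way plain CTR/GCM nonce reuse does. With SIV the IVs, and
    therefore the keystreams, differ, so this returns False."""
    c1 = siv_encrypt(key, m1, r=r)[R_LEN + IV_LEN:]
    c2 = siv_encrypt(key, m2, r=r)[R_LEN + IV_LEN:]
    n = min(len(c1), len(c2), len(m1), len(m2))
    xor_ct = bytes(a ^ b for a, b in zip(c1[:n], c2[:n]))
    xor_pt = bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
    return xor_ct == xor_pt


if __name__ == "__main__":
    key = secrets.token_bytes(64)
    ct = siv_encrypt(key, b"attack at dawn", b"hdr")
    assert siv_decrypt(key, ct, b"hdr") == b"attack at dawn"
    fixed = bytes(R_LEN)
    # Deterministic (fixed r): the same message twice gives the same ciphertext,
    # so the repeat is disclosed.
    print(siv_encrypt(key, b"x", r=fixed) == siv_encrypt(key, b"x", r=fixed))  # True
    # Random r: the same message twice gives different ciphertexts.
    print(siv_encrypt(key, b"x") == siv_encrypt(key, b"x"))  # False
    # Reusing r does not collapse to a CTR two-time pad.
    print(repeated_r_leaks_xor(key, b"attack at dawn", b"retreat at noon", fixed))  # False
```

The three prints at the bottom are the point of the thread in one place: without randomness a SIV mode is deterministic and a repeated message is visible; with r drawn from a PRG the repeat is hidden; and because r only feeds the synthetic IV, a broken or repeated r degrades gracefully back to deterministic encryption rather than to the keystream reuse a plain nonce-based mode suffers.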