In NMR NORX, why doesn’t AEADEnc return (C, T, T’) so that AEADDec would require a single pass?
Replying to @jedisct1
T’ is the tag computed in AEADDec which is then compared to the received tag T which was computed in AEADEnc. Not 100% sure what you mean?
Replying to @Daeinar
Add a second finalization step to Enc, return that new tag in addition to T so that Dec doesn’t have to recompute it (as in non MR)
Replying to @jedisct1
Note that the decrypted message M goes into the recomputation of T’ thereby realising authentication in AEADDec.
Replying to @Daeinar
If Enc adds (S,T’)←finalise(S,08) returns (C,T,T’), the non-MR Dec algorithm can be used and still verify T’, right?
Replying to @jedisct1
Okay so in AEADDec: S<-finalise(K,T,FF); S,C<-decrypt(S,C,02); S,T’’<-finalise(S,08); return T’==T’’; Seems to work but looks strange tbh.
I have no idea if there are any security proofs for such a construction. Another question is what happens with the nonce N? …
Omission of the nonce might be okay but I can’t really tell for sure what the consequences for security are. In any case, nice thinking. :)
Replying to @Daeinar
Sane high-level APIs don’t let users specify nonces. So Enc(K, M) picks random N, returns T” || T || C ; Dec(K, T” || T || C) -> M
Replying to @jedisct1
Okay, so this approach only works if you do not have any additional data (A,Z). I don’t see how to protect integrity of it.
Absorb A and Z also in the second pass.