Initialization vector requirements
Werner Koch
wk at gnupg.org
Thu Sep 19 11:11:35 CEST 2024
[Re-sent to the list]
Hi,
and thanks for looking at the specs.
On Tue, 10 Sep 2024 09:56, Falko Strenzke said:
> says that "the initialization vector per message MUST be distinct" for
> OCB. Distinctness is not sufficient here, since the per-chunk nonce is
> derived by XORing the IV with the chunk index. Thus, for messages with
Right. A simple fix might be to write
"the initialization vector and thus derived nonces MUST be distinct per
message chunk"
> Accordingly, random IVs are required here. After this correction, it
Well, that is the easiest solution and given that an RNG is anyway
required most likely that's what everyone will do.
> considerations regarding the number of repeated messages under the
> same key using random IVs and the resulting nonce-collision
> probabilities.
That is hard to describe because it depends on the size of the chunks
and the message. In this regard a minimal but large chunk size would be
better. But we'd better not open that issue again.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
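The point raised in the thread, that distinct IVs alone do not give distinct per-chunk nonces, worked through as an added example (not code from the message or from the LibrePGP project). It assumes the layout of the LibrePGP/RFC 4880bis AEAD nonce: a 15-octet OCB nonce with the 64-bit big-endian chunk index XORed into the trailing 8 octets; the IVs and chunk counts are constructed for illustration.

```python
import secrets

# Assumed layout (not stated in the message): 15-octet OCB nonce, 8-octet
# big-endian chunk index XORed into the last 8 octets of the IV.
NONCE_LEN = 15
INDEX_LEN = 8


def derive_nonce(iv: bytes, chunk_index: int) -> bytes:
    """Per-chunk nonce: IV with the chunk index XORed into its trailing bytes."""
    if len(iv) != NONCE_LEN:
        raise ValueError("IV must be %d octets" % NONCE_LEN)
    if not 0 <= chunk_index < 1 << (8 * INDEX_LEN):
        raise ValueError("chunk index out of range")
    idx = chunk_index.to_bytes(INDEX_LEN, "big")
    head = iv[: NONCE_LEN - INDEX_LEN]
    tail = bytes(a ^ b for a, b in zip(iv[NONCE_LEN - INDEX_LEN :], idx))
    return head + tail


def find_nonce_collisions(messages):
    """messages: list of (iv, chunk_count) encrypted under one key.
    Returns [((msg_i, chunk_i), (msg_j, chunk_j)), ...] for every pair of
    chunks that would be encrypted under the same nonce."""
    seen = {}
    collisions = []
    for m, (iv, count) in enumerate(messages):
        for c in range(count):
            nonce = derive_nonce(iv, c)
            if nonce in seen:
                collisions.append((seen[nonce], (m, c)))
            else:
                seen[nonce] = (m, c)
    return collisions


def random_iv() -> bytes:
    """The fix the thread settles on: a fresh random IV per message."""
    return secrets.token_bytes(NONCE_LEN)


def demo():
    """Two distinct IVs that differ only by one in the indexed region collide
    on every chunk; IVs that differ in the non-indexed prefix never do."""
    base = bytes(range(7)) + bytes(INDEX_LEN)      # constructed IV
    iv_b = base[:-1] + bytes([1])                   # distinct, but base ^ 1
    iv_c = bytes([0xFF]) + base[1:]                 # differs outside the index bytes
    related = find_nonce_collisions([(base, 4), (iv_b, 4)])
    unrelated = find_nonce_collisions([(base, 4), (iv_c, 4)])
    return related, unrelated
```

`demo()` returns four colliding chunk pairs for the related IVs and none for the unrelated pair, which is why the spec wording has to require distinct derived nonces, not merely distinct IVs.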