cfrg / draft-irtf-cfrg-aegis-aead

Specification for the AEGIS family of authenticated encryption algorithms.
https://cfrg.github.io/draft-irtf-cfrg-aegis-aead/draft-irtf-cfrg-aegis-aead.html

AEGIS-X: include the parallelism degree in the context #14

Closed jedisct1 closed 11 months ago

jedisct1 commented 11 months ago

This is a breaking change, and it is not strictly necessary, but since it is not too late, it may be desirable.

Currently, if a (key,nonce) is reused with different variants of the same security level, the key streams initialized with the same context will be the same.

For example, with AEGIS-128L and AEGIS-128X2, the 128L key stream will be the same as the first half of the 128X2 key stream.

Tags will be different, but reusing a (key,nonce) with different variants would still reveal the difference between the messages.

We can document that (key,nonce) pairs must not be reused with different algorithms.

But a better alternative would be to include the degree in the context.

We actually use (degree - 1), so that when the degree is 1, the context remains all-zero, and it doesn't break the equivalence between AEGIS-128L and AEGIS-128X1.

jedisct1 commented 11 months ago

If you agree with that change, the paper will be updated as well.

jedisct1 commented 11 months ago

Hi @samuel-lucas6 , whenever it's convenient for you, could you take a look at this? It would be great to tag a new version with the parallel variants.

samuel-lucas6 commented 11 months ago

Sorry Frank, I was on holiday. I'll take a look tomorrow morning. It sounds sensible, and it's a good idea to also update the paper.

jedisct1 commented 11 months ago

No worries Samuel! Vacations are more important than anything 😊

jedisct1 commented 11 months ago

The ZeroPad repetition was originally there because the context itself was the byte, not the padding.

But that didn't really match the way it would actually be implemented. Describing it as a mask solved it :)
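The encoding described in the opening comment (the degree minus one folded into each lane's context, so that degree 1 keeps an all-zero context) and the "mask" description in the last comment, worked through as an added example. This is not code from the thread or from the draft; it assumes the current draft's layout ctx[i] = ZeroPad(Byte(i) || Byte(D - 1), R) for the post-change context and a pre-change layout of ZeroPad(Byte(i), R) that carried only the lane index. The function names `context_before`, `context_after` and `shared_lane_contexts` are my own, and the block only models the context masks, not the AEGIS state update.

```python
"""Per-lane context masks for the AEGIS-X parallel variants.

Models the change discussed in the thread: a (key, nonce) pair reused across
AEGIS-128L and AEGIS-128X2 seeds lane 0 identically unless the parallelism
degree is part of the context, so the two key streams coincide.
"""

BLOCK_LEN = 16  # AEGIS-128X context width in bytes (R = 128 bits)


def zero_pad(data: bytes, block_len: int = BLOCK_LEN) -> bytes:
    """ZeroPad(x, R): right-pad x with zero bytes up to block_len bytes."""
    if len(data) > block_len:
        raise ValueError("input longer than one block")
    return data + bytes(block_len - len(data))


def context_before(lane: int, degree: int, block_len: int = BLOCK_LEN) -> bytes:
    """Assumed pre-change layout: only the lane index, zero-padded.

    Lane 0 is all-zero for every degree, which is exactly why the 128L key
    stream matched the first half of the 128X2 key stream.
    """
    if not 0 <= lane < degree:
        raise ValueError("lane index out of range for this degree")
    return zero_pad(bytes([lane]), block_len)


def context_after(lane: int, degree: int, block_len: int = BLOCK_LEN) -> bytes:
    """Post-change layout (assumed from the draft): Byte(i) || Byte(D - 1).

    Using degree - 1 keeps the degree-1 context all-zero, so AEGIS-128X1
    stays bit-for-bit equivalent to AEGIS-128L.
    """
    if not 1 <= degree <= 256:
        raise ValueError("degree must encode in one byte")
    if not 0 <= lane < degree:
        raise ValueError("lane index out of range for this degree")
    return zero_pad(bytes([lane, degree - 1]), block_len)


def lane_contexts(ctx_fn, degree: int, block_len: int = BLOCK_LEN) -> list:
    """All per-lane context masks for one variant of parallelism `degree`."""
    return [ctx_fn(i, degree, block_len) for i in range(degree)]


def shared_lane_contexts(ctx_fn, degree_a: int, degree_b: int,
                         block_len: int = BLOCK_LEN) -> list:
    """Lane indexes whose context mask is identical in both variants.

    Any lane listed here is initialised from the same (key, nonce, context)
    triple in both variants, so its key stream is the same in both.
    An empty list means no lane collides between the two degrees.
    """
    a = lane_contexts(ctx_fn, degree_a, block_len)
    b = lane_contexts(ctx_fn, degree_b, block_len)
    return [i for i in range(min(degree_a, degree_b)) if a[i] == b[i]]


def apply_mask(state_word: bytes, ctx: bytes) -> bytes:
    """The 'mask' view from the last comment: XOR the context into a state
    word during initialisation instead of treating the byte as the context."""
    return bytes(s ^ c for s, c in zip(state_word, ctx))


if __name__ == "__main__":
    # Constructed comparison: AEGIS-128L behaves like degree 1, lane 0.
    for name, fn in (("before", context_before), ("after", context_after)):
        print(name, "128L/128X1 vs 128X2 shared lanes:",
              shared_lane_contexts(fn, 1, 2))
        print(name, "degree-1 context is zero:",
              context_after(0, 1) == bytes(BLOCK_LEN))
```

With the pre-change layout the comparison of degree 1 against degree 2 reports lane 0 as shared, which is the overlap the opening comment describes; with the degree folded in, no lane is shared for any two distinct degrees, while the degree-1 context stays all-zero so the AEGIS-128X1 / AEGIS-128L equivalence survives.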