miscreant / meta

Meta-repository for Miscreant: misuse-resistant symmetric encryption library with AES-SIV (RFC 5297) and AES-PMAC-SIV support
https://miscreant.io

Is the STREAM construction misuse-resistant? #197

Open oconnor663 opened 3 years ago

oconnor663 commented 3 years ago

My understanding from the paper is that STREAM's security notion (nOAE) requires that nonces don't repeat. Instantiating STREAM on top of AES-SIV does make nonce reuse slightly less harmful, I think.* But an attacker can do something like chunk swapping between two messages that share the same nonce, which means that authenticity is immediately lost after a single reuse. Do I have that right? Is that something worth clarifying in the docs?

* It seems like some privacy might be retained after a few nonce reuses, but the "chosen prefix, secret suffix" attack described in the same paper would work if the attacker could make a lot of queries.

tarcieri commented 3 years ago

That's a reasonable concern with STREAM, yes. Nonce reuse could allow blocks to be swapped from one STREAM to another.

CHAIN would be required to prevent that.
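To make the chunk-swapping concern from this thread concrete, here is an added example (not Miscreant's code and not from the STREAM paper): a toy STREAM built over a deterministic SIV-shaped AEAD. The AEAD is a stand-in constructed from HMAC-SHA256, not AES-SIV, and models only the SIV shape (a synthetic IV computed over nonce, AD and plaintext, then a keystream derived from that IV). The per-segment nonce layout used, an 8-byte prefix || 32-bit counter || 1-byte last-segment flag, is an assumption for the demo. Two streams sealed under the same nonce prefix have their segment 1 spliced across; the forgery decrypts cleanly. With distinct prefixes the splice is rejected, and reordering or truncating within a single stream is rejected in either case, because the counter and last flag are bound into each segment's nonce.

```python
"""Toy STREAM over an SIV-shaped AEAD: demonstrates cross-stream chunk swapping
under nonce reuse.  Added example, not Miscreant's code.  The AEAD is an
HMAC-SHA256 stand-in (constructed here), NOT AES-SIV.  The segment nonce
layout (8-byte prefix || 32-bit counter || last flag byte) is assumed."""
import hashlib
import hmac
import os

TAG_LEN = 16
NONCE_PREFIX_LEN = 8


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (unambiguous encoding)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _xor_keystream(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR-like keystream derived from the synthetic IV, XORed onto data."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        out += _prf(key, b"ks", iv, block_no.to_bytes(4, "big"))
    return bytes(d ^ k for d, k in zip(data, out))


def siv_seal(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Deterministic AEAD: tag = PRF(nonce, ad, pt); ct = pt XOR KS(tag)."""
    mac_key, enc_key = key[:16], key[16:]          # two halves, like AES-SIV
    tag = _prf(mac_key, b"siv", nonce, ad, pt)[:TAG_LEN]
    return tag + _xor_keystream(enc_key, tag, pt)


def siv_open(key: bytes, nonce: bytes, ad: bytes, ct: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(ct) < TAG_LEN:
        return None
    mac_key, enc_key = key[:16], key[16:]
    tag, body = ct[:TAG_LEN], ct[TAG_LEN:]
    pt = _xor_keystream(enc_key, tag, body)
    expected = _prf(mac_key, b"siv", nonce, ad, pt)[:TAG_LEN]
    return pt if hmac.compare_digest(expected, tag) else None


def stream_nonce(prefix: bytes, counter: int, last: bool) -> bytes:
    """STREAM per-segment nonce: prefix || counter || last-segment flag."""
    if len(prefix) != NONCE_PREFIX_LEN:
        raise ValueError("nonce prefix must be %d bytes" % NONCE_PREFIX_LEN)
    return prefix + counter.to_bytes(4, "big") + (b"\x01" if last else b"\x00")


def stream_seal(key, prefix, ad, segments):
    n = len(segments)
    return [siv_seal(key, stream_nonce(prefix, i, i == n - 1), ad, seg)
            for i, seg in enumerate(segments)]


def stream_open(key, prefix, ad, segments):
    """Decrypts a whole STREAM; None if any segment (or a truncation) fails."""
    n, out = len(segments), []
    for i, seg in enumerate(segments):
        pt = siv_open(key, stream_nonce(prefix, i, i == n - 1), ad, seg)
        if pt is None:
            return None
        out.append(pt)
    return out


# Constructed sample streams for the demo.
STREAM_A = [b"A-seg0: ", b"A-seg1: payment to Alice", b"A-seg2 end"]
STREAM_B = [b"B-seg0: ", b"B-seg1: payment to Mallory", b"B-seg2 end"]


def chunk_swap(key, prefix_a, prefix_b):
    """Splice segment 1 of stream B into stream A and open it as stream A.

    Returns the decrypted segments if the forgery is accepted, else None.
    With prefix_a == prefix_b both segment 1s were sealed under the identical
    nonce prefix||1||0, so nothing ties the segment to its stream."""
    ct_a = stream_seal(key, prefix_a, b"", STREAM_A)
    ct_b = stream_seal(key, prefix_b, b"", STREAM_B)
    spliced = [ct_a[0], ct_b[1], ct_a[2]]
    return stream_open(key, prefix_a, b"", spliced)


def reorder_or_truncate(key, prefix):
    """What STREAM still binds even under nonce reuse: position and end."""
    ct = stream_seal(key, prefix, b"", STREAM_A)
    reordered = stream_open(key, prefix, b"", [ct[1], ct[0], ct[2]])
    truncated = stream_open(key, prefix, b"", ct[:2])
    return reordered, truncated


if __name__ == "__main__":
    key, shared, other = os.urandom(32), os.urandom(8), os.urandom(8)
    print("same prefix, spliced:", chunk_swap(key, shared, shared))
    print("distinct prefixes, spliced:", chunk_swap(key, shared, other))
    print("reorder / truncate:", reorder_or_truncate(key, shared))
```

The SIV shape is what keeps a repeated nonce from leaking more than plaintext equality per segment, but the tag only binds (nonce, AD, plaintext), and under a reused prefix the segment nonce prefix||i||flag is identical across the two streams, which is exactly why the splice verifies. Binding each segment to the previous one (as CHAIN does) is what the construction lacks here.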