Re: [CFRG] how to guard against VM rollbacks
Hi Wei,
WD> ... the security of a nonce-based
WD> cryptographic scheme may be compromised due to unintentional nonce reuse ...
WD> Apparently ... no one has proposed a solution (that I could find)....
WD> Where possible, it may be best to go back to deterministic cryptography....
Let me point you in this connection to
P. Rogaway and T. Shrimpton, Deterministic Authenticated Encryption:
A Provable-Security Treatment of the Key-Wrap Problem,
http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html, full version
of Eurocrypt 2006 paper.
Section 7 is about making encryption schemes maximally robust against
nonce-reuse. Besides formalizing the goal, the suggestion is to use a
deterministic authenticated-encryption (DAE) scheme that supports
vector-valued associated data. Hijack one component of it to use as the
(anticipated) nonce. A concrete instantiation, SIV, is proposed and proven
secure. If a proper nonce is supplied you get the usual notion of nonce-based
semantic security; but if a nonce should get reused, all that is leaked
is repetitions in (message, nonce, further-associated-data-components)-tuples,
with no damage to future privacy or integrity.
phil
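To make the SIV composition described above concrete, here is an added toy instantiation (not code from the paper, from this thread, or RFC 5297 AES-SIV): HMAC-SHA256 over a length-prefixed encoding stands in for the vector-input PRF S2V, HMAC in counter mode stands in for the IV-based encryption, and the 64-byte key split, function names and sample values are my assumptions. The nonce is passed as one component of the associated-data vector, so reusing it only reveals that a whole (message, nonce, associated-data) tuple repeated.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16  # length of the synthetic IV (assumption for this toy instantiation)

def vector_prf(key: bytes, components: list) -> bytes:
    # Vector-input PRF (the role S2V plays in SIV). Each component is
    # length-prefixed and the count is appended, so distinct vectors never
    # encode to the same string. HMAC-SHA256 is the stand-in PRF (assumption).
    encoded = b"".join(struct.pack(">Q", len(c)) + c for c in components)
    encoded += struct.pack(">Q", len(components))
    return hmac.new(key, encoded, hashlib.sha256).digest()[:TAG_LEN]

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # IV-based encryption: HMAC-SHA256(key, iv || counter) blocks (assumption).
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])

def siv_encrypt(key: bytes, header: list, plaintext: bytes) -> bytes:
    # IV = F(K1, header || plaintext); C = E(K2, IV, plaintext); output IV || C.
    # header is the vector of associated-data components; the nonce is one of them.
    k1, k2 = key[:32], key[32:64]
    iv = vector_prf(k1, list(header) + [plaintext])
    body = bytes(p ^ s for p, s in zip(plaintext, keystream(k2, iv, len(plaintext))))
    return iv + body

def siv_decrypt(key: bytes, header: list, ciphertext: bytes) -> bytes:
    # Decrypt, recompute the IV over header and recovered plaintext, reject on mismatch.
    k1, k2 = key[:32], key[32:64]
    if len(ciphertext) < TAG_LEN:
        raise ValueError("ciphertext too short")
    iv, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = bytes(c ^ s for c, s in zip(body, keystream(k2, iv, len(body))))
    if not hmac.compare_digest(iv, vector_prf(k1, list(header) + [plaintext])):
        raise ValueError("authentication failed")
    return plaintext

def nonce_reuse_demo() -> dict:
    # Constructed sample: one nonce reused for the same and for a different message.
    key = bytes(range(64))  # constructed key: K1 = first 32 bytes, K2 = last 32 bytes
    ad, nonce = b"record-type:1", b"reused-nonce"
    c1 = siv_encrypt(key, [ad, nonce], b"same message")
    c2 = siv_encrypt(key, [ad, nonce], b"same message")
    c3 = siv_encrypt(key, [ad, nonce], b"other message")
    return {"repeat_visible": c1 == c2,        # only the repetition of the tuple leaks
            "different_msg_differs": c3 != c1,  # a different message stays unrelated
            "roundtrip": siv_decrypt(key, [ad, nonce], c3) == b"other message"}
```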
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg