This repository was archived by the owner on Feb 5, 2021. It is now read-only.

Is the STREAM construction misuse-resistant? #197

Open
oconnor663 opened this issue Nov 17, 2020 · 1 comment

Comments

@oconnor663

My understanding from the paper is that STREAM's security notion (nOAE) requires that nonces don't repeat. Instantiating STREAM on top of AES-SIV does make nonce reuse slightly less harmful, I think.* But an attacker can do something like chunk swapping between two messages that share the same nonce, which means that authenticity is immediately lost after a single reuse. Do I have that right? Is that something worth clarifying in the docs?

* It seems like some privacy might be retained after a few nonce reuses, but the "chosen prefix, secret suffix" attack described in the same paper would work if the attacker could make a lot of queries.

@tarcieri
Contributor

That's a reasonable concern with STREAM, yes. Nonce reuse could allow blocks to be swapped from one STREAM to another.

CHAIN would be required to prevent that.
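Added example (not the project's own code, and not from either commenter) illustrating the property discussed in both comments: STREAM binds each segment to (nonce prefix, counter, last-flag), so in-stream reordering and truncation are rejected, but under a reused prefix a segment from one stream authenticates at the same position in another. It assumes an HMAC-based SIV-style stand-in for AES-SIV and the 8-byte prefix / 32-bit counter / last-segment-flag nonce layout; both are constructed for the demo.

```python
import hashlib
import hmac
import struct

KEY = b"\x01" * 32  # constructed demo key

def _prf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed parts; a stand-in PRF, not AES-SIV.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(struct.pack(">I", len(p)) + p)
    return h.digest()

def _keystream(key: bytes, tag: bytes, n: int) -> bytes:
    return b"".join(_prf(key, b"ks", tag, struct.pack(">I", i)) for i in range((n + 31) // 32))

def siv_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # SIV-style nAE: synthetic IV = PRF(nonce, pt); output = IV || pt XOR keystream(IV).
    tag = _prf(key, b"tag", nonce, pt)
    return tag + bytes(a ^ b for a, b in zip(pt, _keystream(key, tag, len(pt))))

def siv_decrypt(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    tag, body = ct[:32], ct[32:]
    pt = bytes(a ^ b for a, b in zip(body, _keystream(key, tag, len(body))))
    if not hmac.compare_digest(tag, _prf(key, b"tag", nonce, pt)):
        raise ValueError("authentication failed")
    return pt

def stream_nonce(prefix: bytes, counter: int, last: bool) -> bytes:
    # Assumed STREAM layout: 8-byte prefix || 32-bit big-endian counter || last-segment flag.
    return prefix + struct.pack(">IB", counter, int(last))

def stream_encrypt(key: bytes, prefix: bytes, segments: list) -> list:
    n = len(segments)
    return [siv_encrypt(key, stream_nonce(prefix, i, i == n - 1), s) for i, s in enumerate(segments)]

def stream_decrypt(key: bytes, prefix: bytes, cts: list) -> list:
    n = len(cts)
    return [siv_decrypt(key, stream_nonce(prefix, i, i == n - 1), c) for i, c in enumerate(cts)]

def stream_accepts(key: bytes, prefix: bytes, cts: list) -> bool:
    # Receiver-side check: does the whole stream authenticate under this prefix?
    try:
        stream_decrypt(key, prefix, cts)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    a = stream_encrypt(KEY, b"nonce-01", [b"a0", b"a1", b"a2"])
    b = stream_encrypt(KEY, b"nonce-01", [b"b0", b"b1", b"b2"])  # same prefix: nonce reuse
    print("cross-stream splice accepted:", stream_accepts(KEY, b"nonce-01", [b[0], a[1], b[2]]))  # True
    print("in-stream reorder accepted:", stream_accepts(KEY, b"nonce-01", [a[1], a[0], a[2]]))  # False
    print("truncation accepted:", stream_accepts(KEY, b"nonce-01", a[:2]))  # False
```

The receiver's only defence against the cross-stream case is the nonce-uniqueness guarantee itself: with distinct prefixes the same splice fails, which is what a deployment should verify it can rely on.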
