I've a friend using ERIS https://inqlab.net/projects/eris/ which is based on https://grothoff.org/christian/ecrs.pdf and someone audited.
It does some signature check instead of using an AEAD, which maybe fine, and maybe better for encryption-at-rest, about which they seemingly care, but maybe also leaks something via side channels if done wrong, like maybe if decryption occurs first. Can anyone give me some background on what this stuff is really for? Why the encryption-at-rest appears? And: Why does it not use an AEAD like chacha20-poly1305? I know less than I should about encryption-at-rest, just that it's historically fucked up as much as other things, but less studied than networking. Jeff
