On 24 May 2016 at 10:46, Dang, Quynh (Fed) <quynh.d...@nist.gov> wrote:
>> We discussed this at quite some length. I originally took your
>> position, but the IVs add an extra layer of safety at very little
>> cost.
>
> I don't see any extra layer here.
The argument here is that there are only 2^128 keys and some protocols have predictable plaintext. A predictable nonce would allow an attacker to do some pre-calculation with a large number of keys to get a chance of a collision (and a break). It's a long bow, but not entirely implausible.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
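The multi-target precomputation argument above, as an added toy simulation that is not part of the original thread or of any TLS implementation: it assumes HMAC-SHA256 as a stand-in for an AEAD's first keystream block, a constructed 16-bit key space (real keys are 128 bits), a constructed predictable first plaintext block, and an attacker who has tabulated 2^12 of the 2^16 candidate keys in advance. With a predictable nonce, one offline table matches a fixed fraction of all sessions; when each session mixes in an unpredictable IV, the table is built for the wrong nonce and never matches, which is the "extra layer" being argued for.

```python
import hashlib
import hmac
import random

# Toy parameters, all constructed for illustration (not real TLS sizes).
KEY_BITS = 16             # real AEAD keys are 128 bits; 16 keeps the toy fast
KEY_BYTES = KEY_BITS // 8
TABLE_BITS = 12           # attacker pre-computes 2^12 of the 2^16 keys (1/16 coverage)
NONCE_BYTES = 12
FIXED_NONCE = bytes(NONCE_BYTES)            # the "predictable nonce" case
PLAINTEXT = b"GET / HTTP/1.1\r\n"           # constructed predictable first block


def keystream(key: bytes, nonce: bytes) -> bytes:
    """Stand-in for an AEAD's first keystream block (assumption: HMAC-SHA256 as a toy PRF)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[: len(PLAINTEXT)]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher style encryption: plaintext XOR keystream(key, nonce)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce)))


def precompute(nonce: bytes, rng: random.Random) -> dict:
    """Attacker's offline table: ciphertext of the predictable plaintext under
    2^TABLE_BITS candidate keys, all computed for the one nonce they expect to see."""
    table = {}
    for k in rng.sample(range(2 ** KEY_BITS), 2 ** TABLE_BITS):
        table[encrypt(k.to_bytes(KEY_BYTES, "big"), nonce, PLAINTEXT)] = k
    return table


def simulate(sessions: int, predictable_nonce: bool, seed: int = 1):
    """Run `sessions` independent sessions with fresh random keys and return
    (keys correctly recovered from the table, false table matches)."""
    rng = random.Random(seed)                 # seeded so the toy is reproducible
    table = precompute(FIXED_NONCE, rng)      # built before any session exists
    hits = wrong = 0
    for _ in range(sessions):
        key = rng.getrandbits(KEY_BITS).to_bytes(KEY_BYTES, "big")
        if predictable_nonce:
            nonce = FIXED_NONCE               # every session starts at the same nonce
        else:
            # per-session unpredictable IV: the attacker's table targets the wrong nonce
            nonce = rng.getrandbits(8 * NONCE_BYTES).to_bytes(NONCE_BYTES, "big")
        observed = encrypt(key, nonce, PLAINTEXT)
        guess = table.get(observed)
        if guess is not None:
            if guess.to_bytes(KEY_BYTES, "big") == key:
                hits += 1                     # key recovered: the session is broken
            else:
                wrong += 1                    # a chance 128-bit collision (negligible)
    return hits, wrong


if __name__ == "__main__":
    n = 4096
    print("predictable nonce :", simulate(n, True), "of", n, "sessions broken")
    print("random IV         :", simulate(n, False), "of", n, "sessions broken")
```

With the predictable nonce, roughly one session in sixteen is broken by a table the attacker finished before the sessions started; with a per-session random IV the same table yields nothing, because it would have to be rebuilt for each nonce after it is observed, which is no longer a precomputation.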