On 5/24/16, 2:42 PM, "Martin Thomson" <martin.thom...@gmail.com> wrote:

>On 24 May 2016 at 10:46, Dang, Quynh (Fed) <quynh.d...@nist.gov> wrote:
>>>We discussed this at quite some length.  I originally took your
>>>position, but the IVs add an extra layer of safety at very little
>>>cost.
>>
>> I don't see any extra layer here.
>
>
>The argument here is that there are only 2^128 keys and some protocols
>have predictable plaintext.  A predictable nonce would allow an
>attacker to do some pre-calculation with a large number of keys to get
>a chance of a collision (and a break).  It's a long bow, but not
>entirely implausible.

Ciphers that use nonces are designed/proved to be secure when nonces are
predictable: nonces are not random values.


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
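The precomputation argument in Martin's reply, as an added worked example (this is not code from the thread, the TLS working group, or any TLS implementation). It assumes the nonce construction the "IVs" refer to is the TLS 1.3 one, nonce = write_iv XOR zero-padded record sequence number, with a 96-bit nonce as used for AES-GCM; the cipher itself is a SHA-256-based toy keystream standing in for an AEAD's counter-mode keystream, and the 2^16 keyspace, the key index 0xBEEF and the HTTP request line are constructed values chosen so the table builds in well under a second.

```python
"""
Toy model of the thread's argument: with a nonce derived only from public state
(here the sequence number) and a predictable first plaintext block, an attacker
precomputes the expected first ciphertext block for many keys ONCE and then
matches it against any number of sessions. Mixing a per-connection secret IV
into the nonce (assumed TLS 1.3 construction: write_iv XOR padded seq) makes the
same table useless unless the attacker also enumerates the IV.

Added example, not code from the thread. SHA-256 stands in for the AES-CTR
keystream inside AES-GCM so the demo has no dependencies; it is NOT a cipher.
"""
import hashlib

NONCE_LEN = 12   # 96-bit AEAD nonce, as for AES-GCM in TLS 1.3 (assumption)
KEY_BITS = 16    # constructed toy keyspace of 2^16 keys
BLOCK = 16       # bytes of known plaintext the attacker matches on

# Constructed sample: a plaintext prefix the attacker can predict.
KNOWN_PLAINTEXT = b"GET / HTTP/1.1\r\n"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in PRF for the counter-mode keystream: SHA-256(key || nonce || ctr)."""
    return hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()[:BLOCK]


def encrypt_first_block(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """First ciphertext block: plaintext XOR keystream block 0."""
    return xor(plaintext, keystream_block(key, nonce, 0))


def predictable_nonce(seq: int) -> bytes:
    """Nonce derived from public state only: the record sequence number."""
    return seq.to_bytes(NONCE_LEN, "big")


def tls13_nonce(write_iv: bytes, seq: int) -> bytes:
    """Assumed TLS 1.3 construction: per-record nonce = write_iv XOR padded seq.
    Still unique within a connection because seq never repeats."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("write_iv must be %d bytes" % NONCE_LEN)
    return xor(write_iv, seq.to_bytes(NONCE_LEN, "big"))


def toy_key(index: int) -> bytes:
    return index.to_bytes(KEY_BITS // 8, "big")


def precompute_table(nonce: bytes, plaintext: bytes) -> dict:
    """Attacker's one-time work: first ciphertext block -> key index, for every key
    in the (toy) keyspace, under the nonce the attacker can predict."""
    return {encrypt_first_block(toy_key(i), nonce, plaintext): i
            for i in range(1 << KEY_BITS)}


def lookup_key(table: dict, first_ciphertext_block: bytes):
    """Online phase, one dictionary lookup per observed session.
    A hit recovers the session key index; None means the table did not apply."""
    return table.get(first_ciphertext_block)


def run_demo(victim_key_index: int, victim_write_iv: bytes) -> tuple:
    """Returns (key recovered with a predictable nonce, key recovered when the
    victim masks the nonce with a secret write_iv). Expected: (index, None)."""
    table = precompute_table(predictable_nonce(0), KNOWN_PLAINTEXT)
    key = toy_key(victim_key_index)
    ct_predictable = encrypt_first_block(key, predictable_nonce(0), KNOWN_PLAINTEXT)
    ct_with_iv = encrypt_first_block(key, tls13_nonce(victim_write_iv, 0), KNOWN_PLAINTEXT)
    return lookup_key(table, ct_predictable), lookup_key(table, ct_with_iv)


if __name__ == "__main__":
    import os
    hit, miss = run_demo(0xBEEF, os.urandom(NONCE_LEN))
    print("predictable nonce: recovered key index", hit)
    print("iv-masked nonce:   recovered key index", miss)
    print("table size needed to also cover a random 96-bit IV: 2^%d entries"
          % (KEY_BITS + 8 * NONCE_LEN))
```

With a real 128-bit key the attacker cannot cover the whole keyspace; covering a fraction f of it gives a per-session hit probability of f against a predictable nonce, which is the "chance of a collision" in the reply above, and the same table is reusable against every session that sends the same predictable plaintext. The IV mask does not change the cipher's single-key security claim at all (a predictable nonce is still a valid nonce, as the response notes); what it changes is that the precomputation would have to be indexed by (key, IV) rather than by key alone.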