Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It sounds like you have constructed a way to encrypt data such that it can only be decrypted by someone who has the same (secret) key and (non-secret) associated data that was used to encrypt it, or else decryption fails.

As you said, same effect: the scheme you have described is not an alternative to AEAD. It is an example of AEAD. You're still using the offset as associated data, you just happen to be composing your AEAD scheme out of another AEAD scheme into which you pass an empty string as associated data.

Other than differences in the limit to the number of messages you can encrypt before nonce exhaustion or the number of bits of secrecy or authentication strength provided, the external interface and use case of your system perfectly matches that of AES-GCM or other popular AEAD constructions.



> Other than differences in the limit to the number of messages you can encrypt before nonce exhaustion or the number of bits of secrecy or authentication strength provided, the external interface and use case of your system perfectly matches that of AES-GCM or other popular AEAD constructions.

Ahh, but that’s not a trivial part of the design and why this is strictly better than using a single AES-GCM key with AD. And also it’s more generic across whatever type of key you choose to derive.


Whatever else using a KDF to mix Associated Data into your key might be, it's not "strictly better" than GCM. I'm not sure there's much wrong with it (it's the same approach XAES uses for extended nonces) other than how slow it is, but there's a reason cryptographers don't design all the AEADs to work this way.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: