Ah yes, what I was going to say was: GCM differs from CTR in that CTR just uses a set of bytes, 4 or 8 or so, that just counts upwards, in addition to the secret and the nonce.

GCM changes this up by using a hash chain instead of a simple sequential counter, which spices it up some more, but AES-GCM only uses a 4-byte counter.
Yeah, I think if I am gonna do an impossible-to-crack ECDH-based encryption scheme it will use a 256-bit GCM style based on the hash of the secret and nonce, so it will have zero repeats within the realms of our current bandwidth requirements, and a 32-bit nonce.

All of those short bits, like AES-GCM's 32-bit counter and CTR's 64-bit counter.

The ideal is GCM, and the strongest hash we know of to date is SHA-256.

The others that are trendy these days, like BLAKE2/2b/3 and ChaCha20 etc., make compromises to make them more performant, but if performance is no issue, as it isn't for most hardware now (64-bit AMD architecture or ARM, or even RISC-V, they all now have SIMD capabilities), these hash functions are now cheap and all those bit shavings are not essential.

Sure, support the old style for old stuff and low-power stuff, I mean really low-power stuff, where security is zero if the thing goes dark, but for everyone else...
Not sure if you understand how hash chains work... yes, for a GCM-style cipher you have to generate hash chains, so for message block 10000 you have to do 10000 hashes on the seed.

GCM is the best design, but the shitty AES standard limits a stream of data on one nonce/secret to 4 GB, and I think that should be bigger by now.