Yes, it's that bad. See Hanno's talk a few years ago about nonce reuse. https://www.usenix.org/conference/woot16/workshop-program/pr... It was presented at Black Hat by injecting their slides into the MI6 website, IIRC, using this exact weakness. It's not just a bad issue, it's also deceptively easy to run into and not realize it. AES-GCM has a 96-bit nonce. If you sample these randomly, after 2^32 messages, you have a greater than 2^-32 chance of reuse for each subsequent message. If you're using this algorithm with a static key to encrypt customer records, as a small business, you might never hit this bound. If you're as large as a cloud provider, you get a nonce reuse every hour. (Check out Amazon's KMS white paper if you'd like to see how they avoid this sharp edge in practice.)
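The birthday arithmetic in the comment above, worked through as an added example (this is not code from the commenter or from any project mentioned): it computes the probability that a batch of n random 96-bit nonces contains a repeat, the chance that the next random nonce collides with one already used, and the per-key message budget that keeps the collision probability at or below 2^-32, then shows the two defensive habits that avoid the sharp edge, a counter-based (deterministic) nonce source and a cheap reuse audit over logged nonces. Standard library only; the fixed field and the nonce batch are constructed sample data.

```python
"""Birthday-bound arithmetic for random AES-GCM nonces, plus a deterministic
nonce source and a reuse audit. Added example; sample values are constructed."""
import math
import secrets
import struct
from typing import Iterable, Optional

NONCE_BITS = 96          # AES-GCM's standard nonce length


def collision_probability(n: int, bits: int = NONCE_BITS) -> float:
    """Probability that at least one of n uniformly random `bits`-bit nonces
    repeats an earlier one (birthday bound). Uses the standard
    1 - exp(-n(n-1)/2^(bits+1)) approximation, evaluated with expm1 so that
    very small probabilities keep their precision."""
    if n < 2:
        return 0.0
    x = n * (n - 1) / (2 * 2 ** bits)   # big-int numerator, then one float division
    return -math.expm1(-x)


def next_message_collision_probability(n: int, bits: int = NONCE_BITS) -> float:
    """Chance that the next random nonce equals one of n earlier distinct nonces."""
    return n / 2 ** bits


def max_messages(target_prob: float = 2 ** -32, bits: int = NONCE_BITS) -> int:
    """Largest n such that collision_probability(n) <= target_prob.
    2^-32 is the per-key collision budget NIST SP 800-38D applies to random IVs."""
    lo, hi = 1, 2 ** bits
    while lo < hi:                     # collision_probability is monotone in n
        mid = (lo + hi + 1) // 2
        if collision_probability(mid, bits) <= target_prob:
            lo = mid
        else:
            hi = mid - 1
    return lo


class CounterNonce:
    """Deterministic 96-bit nonce source: a 32-bit per-key fixed field followed
    by a 64-bit big-endian message counter. Nonces cannot repeat under one key
    unless the counter wraps, and the source refuses to let that happen.
    Use it with exactly one key, and persist/reset it together with that key."""

    def __init__(self, fixed_field: Optional[bytes] = None):
        self.fixed = fixed_field if fixed_field is not None else secrets.token_bytes(4)
        if len(self.fixed) != 4:
            raise ValueError("fixed field must be 4 bytes")
        self.counter = 0

    def next(self) -> bytes:
        if self.counter >= 2 ** 64:
            raise RuntimeError("nonce counter exhausted; rotate the key")
        nonce = self.fixed + struct.pack(">Q", self.counter)
        self.counter += 1
        return nonce


def first_repeat(nonces: Iterable[bytes]) -> Optional[int]:
    """Index of the first nonce that repeats an earlier one, or None.
    A cheap audit to run over the nonces logged for a single key."""
    seen = set()
    for i, nonce in enumerate(nonces):
        if nonce in seen:
            return i
        seen.add(nonce)
    return None


if __name__ == "__main__":
    n = 2 ** 32
    print(f"P(any reuse) after 2^32 random nonces:  {collision_probability(n):.3e}")
    print(f"P(next nonce reused) at that point:     {next_message_collision_probability(n):.3e}")
    print(f"messages before P(reuse) exceeds 2^-32: {max_messages()}")
    src = CounterNonce(fixed_field=b"\x00\x01\x02\x03")   # constructed fixed field
    print("first counter nonces:", src.next().hex(), src.next().hex())
    # constructed batch with a duplicate at index 3
    batch = [b"\x00" * 12, b"\x01" * 12, b"\x02" * 12, b"\x01" * 12]
    print("first repeated nonce index:", first_repeat(batch))
```

`max_messages()` lands a little above 2^32 for a 96-bit nonce because the bound is n^2/2^97; the counter construction removes the question entirely, at the cost of having to keep the counter state correct across restarts and never sharing one key between two independent counters.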
Why do cryptographers ever do things with fewer than 256 bits? Like, sure, speed is nice, but it's also really nice to know that even if you have a birthday attack and lose another factor of a billion somewhere, you're still fine.