by upofadown
730 days ago
From the OCB FAQ[1]:

> What happens if you repeat the nonce? You’re going to mess up authenticity for all future messages, and you’re going to mess up privacy for the messages that use the repeated nonce.

The loss of privacy on OCB nonce reuse is not as severe. It would be more or less the same as with ECB mode.

[1] https://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

> It is the user’s obligation to ensure that nonces don’t repeat within a session. In settings where this is infeasible, OCB should not be used.

But earlier in that section we have:

> […] The nonce doesn’t have to be random or secret or unpredictable. It does have to be something new with each message you encrypt. A counter value will work for a nonce, and that is what is recommended. […]

* https://www.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm#nonce

So given that GCM uses a counter ("C"), and a counter is recommended for OCB, wouldn't it be simple enough to get the equivalent (?) security more efficiently?
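Both comments above turn on the same obligation from the FAQ: a nonce must never repeat under one key, and a plain counter is enough to guarantee that. The following is an added example (not code from the thread, the FAQ or any OCB/GCM implementation) of how a sender can enforce that obligation and how a defender can audit a nonce log for violations. It assumes 96-bit nonces, the common size for both GCM and OCB, a caller-chosen `key_id` string to identify the session key, and that the actual AEAD call is made elsewhere with the nonce this code hands out; the log entries in `demo()` are constructed.

```python
"""Counter-based nonce management for an AEAD session (added example).

Assumptions, not taken from the thread: 96-bit nonces as used with GCM
and OCB; one counter per session key, identified by a caller-chosen
key_id; the AEAD library itself is invoked separately with the nonce
returned by next_nonce().
"""
from __future__ import annotations

NONCE_BYTES = 12  # 96-bit nonce, the usual choice for both GCM and OCB
MAX_COUNTER = (1 << (8 * NONCE_BYTES)) - 1


class NonceExhausted(Exception):
    """Raised when the counter would wrap; rotate the key instead of reusing."""


class SessionNonces:
    """Hands out strictly increasing counter nonces for one session key.

    Per the FAQ the nonce need not be secret or unpredictable, only new for
    every message under the key, so a big-endian counter suffices. The
    class fails closed: it refuses to wrap the counter back to zero.
    """

    def __init__(self, key_id: str, start: int = 0) -> None:
        self.key_id = key_id
        self._next = start

    def next_nonce(self) -> bytes:
        if self._next > MAX_COUNTER:
            raise NonceExhausted(f"key {self.key_id}: rotate the key before continuing")
        nonce = self._next.to_bytes(NONCE_BYTES, "big")
        self._next += 1
        return nonce

    def remaining(self) -> int:
        """How many nonces can still be issued before the key must be rotated."""
        return MAX_COUNTER - self._next + 1


def check_nonce_log(entries: list[tuple[str, bytes]]) -> list[tuple[str, bytes]]:
    """Offline audit: return every (key_id, nonce) pair that occurs more than once.

    `entries` is a list of (key_id, nonce) tuples as a sender might record
    them. A repeated pair under the same key is exactly the event the FAQ
    says breaks authenticity for all later messages under that key.
    """
    seen: set[tuple[str, bytes]] = set()
    repeats: list[tuple[str, bytes]] = []
    for key_id, nonce in entries:
        pair = (key_id, nonce)
        if pair in seen:
            if pair not in repeats:
                repeats.append(pair)
        else:
            seen.add(pair)
    return repeats


def demo() -> dict:
    """Constructed scenario: a counter restarted under the same key, plus exhaustion."""
    good = SessionNonces("k1")
    log = [("k1", good.next_nonce()) for _ in range(3)]
    restarted = SessionNonces("k1")  # same key, counter back to 0: the mistake to catch
    log.append(("k1", restarted.next_nonce()))
    rotated = SessionNonces("k2")  # fresh key, so a counter starting at 0 is fine
    log.append(("k2", rotated.next_nonce()))
    near_end = SessionNonces("k3", start=MAX_COUNTER)
    near_end.next_nonce()  # last usable nonce under k3
    try:
        near_end.next_nonce()
        exhausted = False
    except NonceExhausted:
        exhausted = True
    return {"repeats": check_nonce_log(log), "exhausted": exhausted}


if __name__ == "__main__":
    print(demo())
```

The audit function is the part worth running against real telemetry: if a sender ever restarts its counter without rotating the key (a reboot with an in-memory counter is the classic way this happens), the repeated pair shows up here, which is the condition the FAQ says must never occur within a session. The per-key identifier is what makes the check meaningful; a nonce of all zeros under two different keys is not a problem and is not reported.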