
It is often said to never use a nonce for more than one message when using a stream cipher. It seems this is to prevent something like this: Taking advantage of one-time pad key reuse? Yet what if I keep the same nonce, but increment the block counter depending on the amount of blocks exchanged so far? This should be the same thing as turning the whole exchange into one long message, thus not needing more than one IV. By exchange I mean two people sending each other stuff.

1 Answer


[What] if I keep the same nonce, but increment the block counter depending on the amount of blocks exchanged so far?

This is a "bad" idea.
What Salsa20 is doing can be considered to be "CTR-Mode like" $E_k(IV\parallel CTR)$ where you have to supply $k$ and $IV$.

If you were allowed to supply $IV'=IV\parallel CTR$, this would also mean you'd have to absolutely make sure that no two blocks ever happen to share the same $IV'$ under the same key. Even worse, to make sure this doesn't happen, you'd have to pick $IV'$ at random (or actually keep track of all the blocks encrypted under the key) as opposed to being able to just increment $IV$ (= uniqueness).

Note that this change was made to the usual API of authenticated encryption schemes to avoid the above-mentioned problems, and this approach is now standard with modern authenticated encryption schemes (like ChaCha20-Poly1305 and AES-GCM).

SEJPM
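To make the answer's point concrete, here is an added example (not part of the question or the answer above) built on a self-contained RFC 7539 ChaCha20 block function. It contrasts the questioner's scheme, one nonce for the whole exchange with each side continuing the counter from the blocks exchanged so far, with the standard approach of a unique nonce per message and a counter restarting at 0. The two-party scenario, the message texts and the 4-byte-direction-plus-8-byte-sequence nonce layout are constructed assumptions for the illustration.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):  # ChaCha quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    """RFC 7539 block function: 64 keystream bytes for (32-byte key, 12-byte nonce, counter)."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key
                              + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def encrypt(key, nonce, counter, data):
    """CTR-style: XOR data with keystream blocks E_k(nonce || ctr), ctr counting up from `counter`.
    Decryption is the same call on the ciphertext."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def shared_counter_scheme(key, nonce, blocks_so_far, msg_a, msg_b):
    """Questioner's scheme: one nonce for the whole exchange, each side continuing the
    counter from the blocks exchanged so far. If both sides send before hearing from
    the other, both pick the same counter, so the same keystream block covers both."""
    return (encrypt(key, nonce, blocks_so_far, msg_a),
            encrypt(key, nonce, blocks_so_far, msg_b))

def per_message_nonce(direction, seq):
    """Constructed layout for a unique 96-bit nonce: 4-byte direction tag + 8-byte
    message sequence number; the block counter then restarts at 0 for every message."""
    return struct.pack("<IQ", direction, seq)

def per_message_scheme(key, seq, msg_a, msg_b):
    """Standard approach: distinct nonce per message and direction, counter from 0."""
    return (encrypt(key, per_message_nonce(0, seq), 0, msg_a),
            encrypt(key, per_message_nonce(1, seq), 0, msg_b))
```

With the shared counter, XORing the two concurrently sent ciphertexts cancels the common keystream and yields the XOR of the plaintexts (the key-reuse problem the question links to); with per-message nonces the two keystreams differ and the XOR reveals nothing.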