Skip to main content
Cryptography

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

11
  • 2
    $\begingroup$ @ErikAronesty AES-GCM uses AES. My point is not that this specific paper demonstrates an attack on your specific application. Your specific application doesn't matter enough for anyone to publish a paper at a reputable cryptography conference demonstrating an attack. My point is that you have violated the security contract of AES (and anything built out of it like AES-GCM), and the paper shows an example of what goes wrong when you skimp on your contractual obligations. $\endgroup$ Commented Jul 17, 2018 at 22:03
  • 1
    $\begingroup$ @ErikAronesty The IV does not serve a similar purpose to the KDF. If you use a nonuniform key, you have voided the contract of AES. Don't play with it. $\endgroup$ Commented Jul 17, 2018 at 22:12
  • 5
    $\begingroup$ @ErikAronesty NOOOOOOOOOO! EFAIL! $\endgroup$ Commented Jul 17, 2018 at 22:14
  • 1
    $\begingroup$ @ErikAronesty If you violate the security contract of the primitive or invent a bespoke composition of it, you are asking for a shot in the foot. If you want public-key encryption, you should use an existing construction that is credibly advertised to guarantee IND-CCA2/NM-CCA2. Tweaking it to replace a MAC of the message by a hash of the key is asking for trouble. $\endgroup$ Commented Jul 17, 2018 at 22:17
  • 1
    $\begingroup$ I'm not sure what @ErikAronesty means by "SHA3 on the key", but shouldn't it be OK (or even better) to use AES-GMAC with the key derived by the KDF, instead of using separated encryption and MAC schemes as specified by ECIES? $\endgroup$ Commented Jul 18, 2018 at 11:53