Friday, July 02, 2021

[hlfiaxqm] is it random or is it crypto?

some common bitwidths in symmetric encryption (communicating parties have already established a pre-shared secret, i.e., key).

HMAC may be truncated to any width.  RFC 2104 specifies keeping the leftmost bits (and advises that a truncated MAC be at least half the hash output length and at least 80 bits).  maximum width is that of the underlying hash, so at most 512 bits for commonly used hash functions.  having more than 128 bits is probably not useful; this is not a situation where collisions matter: if the receiver does not trust the sender, then they have bigger problems than the sender nefariously creating colliding messages.  probably choose a bit width that is a multiple of 4 for easy representation in hexadecimal; probably choose a bit width that is a multiple of 8 for easy representation, manipulation, and transmission as bytes.

AES has a block size of 128 bits.

AES in GCM mode for Authenticated Encryption (optionally with attached authenticated Associated Data): commonly 96-bit initialization vector (nonce), ciphertext in blocks of 128 bits, then a tag of 96, 104, 112, 120, or 128 bits.  at most 2^32 blocks of payload.

assuming cryptographic primitives are secure, ciphertext and HMAC blocks are indistinguishable from random.  not sure about GCM tag.

nonce is user-chosen, not necessarily random, but be sure you don't use the same nonce twice under the same key: in GCM a repeated nonce leaks the XOR of the two plaintexts and can expose the authentication subkey, so forgeries become possible.  devising a robust scheme for this is nontrivial.

optional Associated Data is of course unencrypted.  here are some supposedly common uses for AD, citing RFC 5116.

if you want to send a Three Letter Agency on a wild goose chase, transmit (mostly) random blocks of the right sizes: chaff.
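an added example (not from the original post) tying the HMAC truncation rule above to the GCM framing widths: a leftmost-bits truncated HMAC with constant-time verification, and a helper that lists every nonce/ciphertext/tag split a blob length could have under the 96-bit-nonce, 96..128-bit-tag framing (showing why almost any length looks like it could be crypto).  `truncated_hmac`, `verify_truncated_hmac` and `gcm_layouts` are names chosen here, and the key and message are constructed inputs.

```python
import hmac

# tag widths listed on the page (NIST SP 800-38D), in bits, and the common 96-bit nonce
GCM_TAG_BITS = (96, 104, 112, 120, 128)
GCM_NONCE_BYTES = 12
# at most 2^32 128-bit blocks of payload per (key, nonce)
GCM_MAX_PAYLOAD_BYTES = (2 ** 32) * 16


def truncated_hmac(key: bytes, msg: bytes, bits: int, hash_name: str = "sha256") -> bytes:
    """HMAC truncated per RFC 2104: keep the leftmost `bits` bits of the full MAC.

    only byte-multiple widths are accepted (the post recommends multiples of 8),
    and the width may not exceed the underlying hash's output.
    """
    full = hmac.new(key, msg, hash_name).digest()
    if bits % 8 or not 0 < bits <= 8 * len(full):
        raise ValueError(f"unsupported truncation width {bits} for {hash_name}")
    return full[: bits // 8]


def verify_truncated_hmac(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """recompute at the received tag's width and compare in constant time."""
    expected = truncated_hmac(key, msg, 8 * len(tag), hash_name)
    return hmac.compare_digest(expected, tag)


def gcm_layouts(blob_len: int) -> list:
    """every (nonce, ciphertext, tag) byte split of a blob of `blob_len` bytes that fits
    96-bit nonce || ciphertext || 96..128-bit tag.  empty list: not AES-GCM in this framing."""
    splits = []
    for tag_bits in GCM_TAG_BITS:
        ct_len = blob_len - GCM_NONCE_BYTES - tag_bits // 8
        if 0 <= ct_len <= GCM_MAX_PAYLOAD_BYTES:
            splits.append((GCM_NONCE_BYTES, ct_len, tag_bits // 8))
    return splits


if __name__ == "__main__":
    key, msg = b"\x0b" * 20, b"Hi There"  # constructed sample inputs
    tag96 = truncated_hmac(key, msg, 96)
    print("96-bit HMAC-SHA256:", tag96.hex(), verify_truncated_hmac(key, msg, tag96))
    for n in (23, 24, 32):
        print(n, "bytes ->", gcm_layouts(n))
```

a 23-byte blob cannot be GCM in this framing; from 24 bytes up, every length matches at least one split, which is exactly why chaff of the right size is not distinguishable by length alone.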

more complicated: encrypted files and protocols.
