I don't really understand the threat model in which this provides a real security benefit. If someone can inspect the contents of memory, can't they also recover the encryption key somehow?
AEZ uses a non-standard AES variant in a sui generis fashion; as a result some people have called its security into question: https://eprint.iacr.org/2016/832.pdf
Point being, its inclusion in the final CAESAR portfolio is far from clear at this point.
>you can almost always delegate that kind of interface up one layer in your application stack and pass AES-SIV chunks of messages.
Without additional precautions this approach is vulnerable to a fairly basic chunk-reordering attack, since any re-ordering of the "chunks" is a valid ciphertext. I strongly recommend against this approach.
EDIT: Unfortunately there is not really a better way to implement a streaming interface on top of a nonce-misuse-resistant encryption scheme: it's fairly easy to prove that any nonce-misuse-resistant construction must necessarily be "offline" in the sense tptacek describes.
These schemes achieve a security definition called OAE2 (STREAM specifically achieves nOAE, which Rogaway proves equivalent to OAE2) and are robust against reordering and truncation attacks. For more information, please see the paper:
Ah, thanks for the reply Tony. This would indeed prevent the problem I described. Kinda curious about the downvotes, since tptacek's original comment suggested nothing like CHAIN or STREAM, but on crypto HN you gotta roll with the punches.
Does anyone know if the IOTA devs ever wrote down a justification for using a hand-rolled hash instead of, like, SHA-256? If so, can you link it in a comment?
EDIT: I feel compelled to explicitly say that this was a mind-bogglingly stupid thing to do, and there is almost no way to justify it. I'm just curious what they thought they were accomplishing.
The IOTA devs are deluded. Here's their justification:
"Creating a new cryptographic hash function is no trivial undertaking, even when it is being built on preexisting world class standards. “Don’t roll your own crypto” is a compulsory uttered mantra that serves as a good guiding principle for 99.9% of projects, but there are exceptions to the rule. When spearheading technology for a new paradigm this statement is no longer axiomatic. Progress must march on."
"Because we needed an efficient hash function for IoT and the future of ternary computing (memristors, spintronics, optical computing and the trend in Artificial Neural Networks)
This has been known since before we even began the project. I spoke with the Keccak team about this all the way back in early 2015 before a code of IOTA was written"
Aren't there MASSIVE (read: showstopper) complications when you want to use FHE for "looping" computations?
I always thought FHE was only good if you can fully unroll your "fixed-length" computation, and even then you can only use each "program" once without compromising security.
Under that assumption, general purpose differing-inputs obfuscation cannot exist.
The way I understand it, FHE being applicable to anything other than "unwrapping a path through a circuit" seems implausible. Any claims of arbitrary encrypted computation should be viewed with the highest dose of skepticism.
Every time you want to run a computation on your FHE-enabled VPS you would need to upload data proportional to the maximum number of operations in the computation. Otherwise, re-running the same computation with a different input gives away information about both of your inputs and about the computation.
The paper at http://www.shoup.net/papers/helib.pdf should give you an idea of what goes in a HE scheme. They also report performance of multiplying two 1024x1024 matrices: 473 seconds.
I may have missed something in the whitepaper, but using a confidentiality-only encryption scheme like AES-CTR seems bad because it enables trivial attacks on file integrity (bit-flipping attacks and such). How does Storj protect the integrity of a file? I see that proofs of retrievability are used, but PoRs don't guarantee protection against integrity attacks in general.
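The two integrity problems raised in this thread, re-ordering independently encrypted chunks (the AES-SIV chunking comment above) and bit-flipping a confidentiality-only mode such as AES-CTR (the Storj question), both come from the same omission: nothing authenticates the ciphertext or its position. The script below is an added example, not code from any of the commenters, Storj or the AES-SIV authors. To stay stdlib-only it uses an HMAC-derived keystream as a constructed stand-in for AES-CTR; the keys, nonces, stream id and messages are constructed demo values. It shows the malleability, then the encrypt-then-MAC fix, then that per-chunk authentication alone still allows reordering until the chunk index and total count are committed to in the associated data.

```python
import hashlib
import hmac
from typing import List, Tuple

TAG_LEN = 32
KEY_ENC = b"\x01" * 32   # constructed demo keys; real deployments use random keys
KEY_MAC = b"\x02" * 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for an AES-CTR keystream: HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality-only mode: encrypt and decrypt are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def flip_plaintext(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XORing (old ^ new) into the ciphertext turns the plaintext at
    `offset` from `old` into `new` without the key (the attack the comment refers to)."""
    patched = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)

def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC: the tag binds associated data, nonce and ciphertext."""
    ct = ctr_xor(key_enc, nonce, pt)
    return ct + hmac.new(key_mac, aad + nonce + ct, hashlib.sha256).digest()

def unseal(key_enc: bytes, key_mac: bytes, nonce: bytes, aad: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key_mac, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return ctr_xor(key_enc, nonce, ct)

def position_aad(stream_id: bytes, index: int, total: int, bind_position: bool) -> bytes:
    """With bind_position the AAD commits to where the chunk sits and how many there are."""
    if not bind_position:
        return stream_id
    return stream_id + index.to_bytes(4, "big") + total.to_bytes(4, "big")

def seal_chunks(stream_id: bytes, chunks: List[bytes], bind_position: bool) -> List[Tuple[bytes, bytes]]:
    """Each chunk is sealed on its own and shipped with its nonce, as in the
    'pass chunks up one layer' design the thread discusses."""
    sealed = []
    for i, chunk in enumerate(chunks):
        nonce = stream_id + i.to_bytes(4, "big")
        aad = position_aad(stream_id, i, len(chunks), bind_position)
        sealed.append((nonce, seal(KEY_ENC, KEY_MAC, nonce, aad, chunk)))
    return sealed

def unseal_chunks(stream_id: bytes, sealed: List[Tuple[bytes, bytes]], bind_position: bool) -> bytes:
    """The receiver derives the expected position itself, so a moved or dropped
    chunk no longer verifies under the bound AAD."""
    out = []
    for i, (nonce, blob) in enumerate(sealed):
        aad = position_aad(stream_id, i, len(sealed), bind_position)
        out.append(unseal(KEY_ENC, KEY_MAC, nonce, aad, blob))
    return b"".join(out)

def rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True

def demo() -> dict:
    nonce, pt = b"demo-nonce-1", b"transfer $0100 to alice"   # constructed sample message
    results = {}
    # 1. CTR alone: flipping ciphertext bytes rewrites the amount, and nothing notices.
    forged = flip_plaintext(ctr_xor(KEY_ENC, nonce, pt), 10, b"0100", b"9900")
    results["ctr_forged"] = ctr_xor(KEY_ENC, nonce, forged)
    # 2. Encrypt-then-MAC: the same flip is caught before any plaintext is released.
    blob = flip_plaintext(seal(KEY_ENC, KEY_MAC, nonce, b"", pt), 10, b"0100", b"9900")
    results["etm_rejected"] = rejected(lambda: unseal(KEY_ENC, KEY_MAC, nonce, b"", blob))
    # 3. Independently sealed chunks: every tag checks out, but the order is attacker-chosen.
    sid, chunks = b"stream-7", [b"chunk-0|", b"chunk-1|", b"chunk-2|"]
    loose = seal_chunks(sid, chunks, bind_position=False)
    results["reorder_unbound"] = unseal_chunks(sid, [loose[1], loose[0], loose[2]], False)
    # 4. Position-bound AAD: reordering and truncation both fail verification.
    bound = seal_chunks(sid, chunks, bind_position=True)
    results["reorder_bound_rejected"] = rejected(lambda: unseal_chunks(sid, [bound[1], bound[0], bound[2]], True))
    results["truncate_bound_rejected"] = rejected(lambda: unseal_chunks(sid, bound[:2], True))
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The position-bound variant is the same idea as the per-segment nonces and final-segment flag in the STREAM construction mentioned in the thread: what makes reordering and truncation detectable is not the tag by itself but the receiver computing the expected index and count from its own state rather than trusting what arrives on the wire.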
The author incorrectly calling them "elliptical curves" is like nails on a chalkboard. An "elliptical" is an exercise machine or an adjective used to describe something shaped like an ellipse. The set of points in a field satisfying an equation of the form y^2 = x^3 + ax + b (which set, when enlarged to include the point at infinity and associated with the point addition group law, forms an abelian group) is an "elliptic curve".
Paxos is an enterprise private blockchain snake oil company, but nobody there even knows it. When asked how they solve problems X, Y and Z, it turns out they have a blog article about how they haven't invented the solution yet. Tall order. Maybe commissions on their itBit exchange will keep them solvent enough to keep trying.
You're letting your modern biases color how you view Tacitus' writings. Most people educated in the last ~hundred years or so were taught "history" as you understand it - an impartial account of the facts of an actual event or person. This view of history is actually pretty recent, and it's widely understood that ancient historians did _not_ practice what we would consider the modern discipline of history. For example, Herodotus is considered the historian ne plus ultra of the ancient world, but he still wrote about lots of weird shit like zombies and races of headless people.
It's not so much that modern historians think Tacitus was too "biased" to "record history accurately"; they read his works critically because they know he wasn't really even trying to record history accurately in the way we think about doing that today.
EDIT: Another good example of ancient versus modern history is Pericles' Funeral Oration, as related to us by Thucydides:
https://en.wikipedia.org/wiki/Pericles%27_Funeral_Oration
Thucydides probably edited the speech heavily (even by adding or removing content), and may have even combined multiple different speeches to create what we know as the speech. A modern historian would most likely blanch at the thought of doing this, but Thucydides was fine with it because he wasn't even trying to relay an impartial and 100% accurate account of the events of the Peloponnesian War (as a modern historian would).
Historical records did not begin 100 years ago, that much I don't think anyone can truly believe. We have detailed contemporary histories of the American Revolutionary War, for one, and they seem no more "biased" than histories of WWII.
There is a 500 year difference between Herodotus and Tacitus. Even so, Herodotus did no more than accurately record what he was told, assiduously pointing out when he saw something first hand. Early ancient historians made up speeches, that much is known. But by Tacitus's day, the act of writing an objective history was not a novelty, and in fact he complains in the beginning of his text that he is undertaking the work because he thinks his peers, also ostensibly engaged in objective history, have not been objective enough out of fear or hatred when covering the reigns of Tiberius, Caligula, Claudius, and Nero. Once again, with no reason to doubt him, I ask: why not even consider taking one of the greatest historians whose works have been preserved for posterity at face value?
Is there anything in particular Tacitus says in any of his works that you doubt happened?
Well, everything everyone says is some kind of summary of the facts. This doesn't mean no one is trying to tell the truth. Thucydides may have combined and paraphrased speeches because he is trying to put down the essentials.
Can you explain how you would use FHE instead of garbled circuits in the Arx range query data structure? I don't see how that would work - wouldn't you have to (re-)introduce interaction to let the server learn intermediate results?