Hacker News new | past | comments | ask | show | jobs | submit login

It seems to me that this blog post is mostly about parameter choosing and this criticism could just as easily be applied to AES (there are lots of pitfalls there too), or really to any cryptography algorithm.





There definitely are similar pitfalls in AES, and nobody should be encrypting with "AES"; they should be using something like AES-GCM-SIV (or, to extend the analogy with the post, Chapoly, which has the virtue of only being usable in a relatively secure fashion). More cryptography has been broken by casual invocation of AES than has been broken by serious attempts to deploy custom ciphers.

> this criticism could just as easily be applied to AES

Not really, because the pitfalls in AES are more well-known. Moreover, there are widespread AES-modes that work pretty well. Really, once you have picked a mode of AES (besides ECB) the biggest pitfalls are 'only use a nonce once' and 'use HMAC (MAC-then-encrypt) if your mode isn't authenticated'. With AES-GCM, that last one drops off. With AES-SIV the first requirement drops, and AES-GCM-SIV has neither consideration. Granted, AES-GCM and similar are not trivial to implement, but given there are test-vectors it is harder to accidentally publish a faulty version.

Moreover, much fewer people actually know how AES works. Especially compared with the amount of people who could essentially implement primitive (insecure) RSA from memory. This comes with many more attempts at RSA. Essentially because the distance between the insecure primitive and the secure systems using RSA is so incredibly large.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: