Rejecting weak states
Closed this issue · 1 comments
jedisct1 commented
As in many constructions, AEGIS has weak states. If the keys are randomly chosen as required, getting them is very unlikely. But with specifically crafted keys and inputs, weak states can be reached.
As a safeguard, we can add an additional step in the decryption function, before expected_tag = Finalize(|ad|, |msg|), that checks if all the AES blocks are identical, and returns an error if this is the case.
jedisct1 commented
Scratch that. In order to be useful, it should be done after every update, which would be way too expensive.
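The check proposed in the first comment, written out as an added example; it is not code from this issue, the AEGIS specification or any AEGIS implementation. The function names and the flat byte layout of the state are assumptions, and the 8-block size matches AEGIS-128L.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AES_BLOCK_BYTES 16
#define AEGIS128L_BLOCKS 8 /* AEGIS-128L keeps eight 128-bit state blocks */

/* Hypothetical helper: returns 1 if every block of the state equals block 0,
 * otherwise 0. Differences are OR-accumulated over the whole state, so the
 * running time does not depend on where the first mismatch is. */
int aegis_state_all_blocks_identical(const uint8_t *state, size_t nblocks)
{
    uint8_t diff = 0;

    for (size_t i = 1; i < nblocks; i++) {
        for (size_t j = 0; j < AES_BLOCK_BYTES; j++) {
            diff |= state[i * AES_BLOCK_BYTES + j] ^ state[j];
        }
    }
    /* Branch-free mapping: diff == 0 gives 1, any other value gives 0. */
    return (int)((((uint32_t)diff - 1U) >> 8) & 1U);
}

/* Where the issue places the check: in decryption, before Finalize().
 * Returns -1 (reject) for a state with identical blocks, 0 otherwise. */
int aegis_reject_weak_state(const uint8_t *state, size_t nblocks)
{
    return aegis_state_all_blocks_identical(state, nblocks) ? -1 : 0;
}

/* Constructed sample input: fill all eight blocks with the same byte, then
 * XOR flip_mask into the last byte of one block (mask 0 leaves the state
 * with identical blocks). */
int demo_reject(uint8_t fill, size_t flip_block, uint8_t flip_mask)
{
    uint8_t st[AEGIS128L_BLOCKS * AES_BLOCK_BYTES];

    memset(st, fill, sizeof st);
    st[flip_block * AES_BLOCK_BYTES + AES_BLOCK_BYTES - 1] ^= flip_mask;
    return aegis_reject_weak_state(st, AEGIS128L_BLOCKS);
}
```

A single call before Finalize is one pass over the state; the follow-up comment's objection is that the check would have to run after every update to be useful.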