You can’t just slap synthetic IVs on top of a pure stream cipher like that.
For multicast scenarios like encrypted group chats, abuse reporting systems, and PAKE, beware of the Invisible Salamanders attack. Note that key commitment is not the same as non-malleability; an AEAD constructed with BLAKE3 as an XOF would still be ciphertext-malleable.
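As an added illustration of the two separate properties mentioned above (this is constructed example code, not from the original post): a key commitment tag lets a recipient reject a ciphertext that was not produced under the key they hold, which is the property Invisible Salamanders exploits when it is missing, while the XOF-derived keystream remains bit-for-bit malleable and only the authentication tag catches tampering. SHAKE256 from the standard library stands in for a BLAKE3-style XOF, and the `"commit|"` / `"tag|"` / `"xof-stream|"` domain-separation labels are assumptions of this example.

```python
import hashlib
import hmac

# Constructed example, not code from the original post. SHAKE256 stands in
# for a BLAKE3-style XOF because blake3 is not in the Python standard library.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Squeeze a keystream out of an XOF keyed with (key, nonce)."""
    return hashlib.shake_256(b"xof-stream|" + key + nonce).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def commitment(key: bytes, nonce: bytes) -> bytes:
    """Key commitment value: binds the ciphertext to one specific key so a
    second key cannot be presented as having produced the same message."""
    return hashlib.sha256(b"commit|" + key + nonce).digest()


def auth_tag(key: bytes, nonce: bytes, ad: bytes, com: bytes, ct: bytes) -> bytes:
    """Authentication tag over everything the recipient will act on."""
    return hmac.new(key, b"tag|" + nonce + ad + com + ct, hashlib.sha256).digest()


def encrypt(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes):
    ct = xor(plaintext, keystream(key, nonce, len(plaintext)))
    com = commitment(key, nonce)
    return nonce, ad, com, ct, auth_tag(key, nonce, ad, com, ct)


def decrypt(key: bytes, nonce: bytes, ad: bytes, com: bytes, ct: bytes, tag: bytes) -> bytes:
    # Check the commitment first: a wrong key is rejected before any
    # decryption happens, which is what an abuse-reporting flow relies on.
    if not hmac.compare_digest(com, commitment(key, nonce)):
        raise ValueError("key commitment mismatch: wrong key for this ciphertext")
    if not hmac.compare_digest(tag, auth_tag(key, nonce, ad, com, ct)):
        raise ValueError("authentication failed")
    return xor(ct, keystream(key, nonce, len(ct)))


def stream_is_malleable(key: bytes, nonce: bytes, plaintext: bytes, flip_index: int):
    """Flip one ciphertext bit and report: does the commitment still verify,
    what does the raw stream decrypt to, and does the tag still verify?"""
    _, ad, com, ct, tag = encrypt(key, nonce, b"", plaintext)
    tampered = bytearray(ct)
    tampered[flip_index] ^= 0x01
    tampered = bytes(tampered)
    commit_ok = hmac.compare_digest(com, commitment(key, nonce))
    raw_decrypt = xor(tampered, keystream(key, nonce, len(tampered)))
    tag_ok = hmac.compare_digest(tag, auth_tag(key, nonce, ad, com, tampered))
    return commit_ok, raw_decrypt, tag_ok


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12
    print(stream_is_malleable(key, nonce, b"hello world", 0))
```

The commitment survives the bit flip and the raw keystream decryption flips the matching plaintext bit; only the tag check fails. That is the distinction drawn above: commitment tells you which key a ciphertext belongs to, it does not stop an attacker from changing what it decrypts to.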
KEMs break XX and NX because the responder cannot send their static key and authenticate with it in the same message: unlike DH-based constructions, KEMs are not commutative. Therefore any handshake that transmits static keys must add an additional message.
A library’s core abstractions determine the long-term shape of the entire codebase.
I think sudo-rs enabling pwfeedback (show asterisks) by default was a bad idea. Haven’t we learned from OpenSSH and keystroke timings? pwfeedback doesn’t just leak password length visually; I’d agree that leaking the length of your password is very insignificant if your password is strong enough anyway. But especially when we use long passphrases instead of passwords, we type in a particular pattern. OpenSSH and such have keystroke timing obfuscation for the packets from your client to the server, but if your server emits a `*` for every character you type, the timing side-channel gets re-introduced.
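For anyone who wants to turn the behaviour discussed above back off, the relevant sudoers flag is `pwfeedback`; the following is an added configuration fragment (not from the original post) showing the weak setting next to the corrected one. It assumes the standard sudoers `Defaults` syntax, which sudo-rs also accepts.

```text
# Weak: echoes an asterisk per keystroke, so a remote observer of the
# session's outbound packets sees the typing rhythm of the passphrase.
Defaults pwfeedback

# Corrected: no per-keystroke output, nothing leaves the terminal until Enter.
Defaults !pwfeedback
```

Edit the file with `visudo` rather than directly so a syntax error cannot lock you out of sudo.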