[Cfrg] authenticated encryption with replay protection (AERO) - internet draft

David McGrew <mcgrew@cisco.com> Fri, 03 January 2014 00:41 UTC

Message-ID: <52C60713.6030204@cisco.com>
Date: Thu, 02 Jan 2014 19:40:51 -0500
From: David McGrew <mcgrew@cisco.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Cc: "John Foley (foleyj)" <foleyj@cisco.com>
Subject: [Cfrg] authenticated encryption with replay protection (AERO) - internet draft


I have a new proposal for authenticated encryption, which is particularly well suited for communication security. An internet draft describing the idea has been published at http://tools.ietf.org/html/draft-mcgrew-aero-00 and I would like to request a slot at the upcoming CFRG meeting to present this work. (I am assuming that we will be meeting in London in March along with IETF 89.) I alluded to this work on the thread about misuse resistant authenticated encryption earlier today.

From the draft:

Authenticated Encryption with Replay prOtection (AERO)

    This document describes Authenticated Encryption with Replay
    prOtection (AERO), a cryptographic technique that provides all of the
    essential security services needed for communication security. AERO
    offers several advantages over other methods: it has more compact
    messages, provides stronger misuse resistance, avoids the need to
    manage implicit state, and is simpler to use.  This document defines
    a particular AERO algorithm as well as a registry for such

Comments are welcome, and I especially encourage discussion about the appropriate goals for authenticated encryption. The draft explains the rationale well enough, I believe, though it does not mention decryption misuse. I will send a separate note on that topic.

A formal proof of security has not yet been published, but is believed to be possible, and the draft does include a security analysis.

Just for the sake of formality - in requesting this review and a slot at the upcoming meeting, I am acting as a CFRG member and not a chair.