Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Ted Krovetz <ted@krovetz.net> Mon, 28 March 2016 17:41 UTC

Introducing a new AEAD scheme outside of the CAESAR process devalues CAESAR, ultimately reducing CAESAR's importance. It would have been much better for AES-GCM-SIV to be introduced as part of the CAESAR process and have it win mindshare based on its merits rather than its "first mover" status. By advancing this RFC, we likely entrench AES-GCM-SIV to every other CAESAR candidate's detriment.

Might it be better to integrate this new proposal with CAESAR somehow? Perhaps the CAESAR committee could invite AES-GCM-SIV to become an official candidate, and then all the CAESAR candidates could be considered by CAESAR and CFRG on level terms? Or barring CAESAR allowing AES-GCM-SIV into the competition late, CFRG could delay consideration of the AES-GCM-SIV RFC until CAESAR recommends its portfolio. We don't want to bless too many AEAD schemes. If AES-GCM-SIV is not best-in-class, we don't want to recommend it at all, but we won't know that until CAESAR has finished its work.

The end result of delaying the AES-GCM-SIV RFC would likely be a smaller number of better AEAD schemes being recommended: either an improved AES-GCM-SIV RFC evolves because it goes through a more rigorous vetting process and gets improved along the way, or it doesn't get recommended and something better does.

Ted Krovetz
(author of HS1-SIV CAESAR submission)

> On Mar 28, 2016, at 7:34 AM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
> 
> Dear CFRG,
> 
> Shay, Adam and Yehuda have asked the CFRG chairs whether their draft for
> AES-GCM-SIV can be adopted as a CFRG document. We are minded to do so, but
> first wanted to canvass members of the group for their opinions on taking
> this step.
> 
> We are aware of the on-going CAESAR competition for AEAD schemes.
> AES-GCM-SIV is not a CAESAR candidate. CFRG adopting this document should
> not be interpreted as competing with or pre-empting the results of that
> very valuable activity. Indeed, once CAESAR is complete, we hope that some
> or all of the competition winners will end up being turned into RFCs under
> the auspices of CFRG.
> 
> Regards,
> 
> Kenny (for the chairs)
> 
> On 06/03/2016 03:50, "Cfrg on behalf of Shay Gueron"
> <cfrg-bounces@irtf.org on behalf of shay.gueron@gmail.com> wrote:
> 
>> Hello CFRG,
>> 
>> 
>> We would like to draw your attention to our new submission draft entitled
>> “AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption”. Posted on
>> https://www.ietf.org/internet-drafts/draft-gueron-gcmsiv-00.txt
>> 
>> The submission specifies two authenticated encryption algorithms that are
>> nonce misuse-resistant. Their performance is expected to be roughly on
>> par with AES-GCM when run on modern processors that have AES instructions.
>> 
>> Security and performance analysis can be found in S. Gueron and Y.
>> Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at
>> Under One Cycle per Byte. In 22nd ACM CCS, pages 109-119, 2015.
>> 
>> We hope that the CFRG will take this up as a working-group item.
>> 
>> Thank you,
>> 
>> Shay Gueron, Adam Langley, Yehuda Lindell