IETF Logo Mail Archive

Re: [CFRG] Update of the AEGIS draft

John Mattsson <john.mattsson@ericsson.com> Tue, 18 April 2023 07:52 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29BFC16953F for <cfrg@ietfa.amsl.com>; Tue, 18 Apr 2023 00:52:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MglKo7JMi9Nd for <cfrg@ietfa.amsl.com>; Tue, 18 Apr 2023 00:52:19 -0700 (PDT)
Received: from EUR02-AM0-obe.outbound.protection.outlook.com (mail-am0eur02on20610.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe13::610]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C259EC14CE2F for <cfrg@irtf.org>; Tue, 18 Apr 2023 00:52:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HipD9YAHE+EeIa/u8p1HPPC9xSpNb6G5JvMA3eBsNvUFWZVfqGdvXR5cRWGCcTkXs8D/FxQ6mNIVG23PUXYl/blEZ2TKrZ9jbHidciyY87lEA7RPmkJPMJAXgdG+LV3UtQcSaFNqCGMUk4TWnhLMqvPrQ+0v82hRwXIwQXKNVSTvTimYaHGbp30up6+naeufPB4zTA9BAafczPPd66zJnAkFAZc5qtzJf2bnaJotoR9qAmuH0N/uEsixuc8zFkj6V+1k3vyLz70rfWoDq2MQpsDnqBfrIo1V/moCSRpqZipqZ1EMRHjWA2hvavdSQsNdEd9vM7ds9gv/ADBEvPXViw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=fwBb49LNBX3CTpF1iHl19zNZWIqbMv64OBdWe4pe1+w=; b=g5z8Qm1rO/cBUHCnLTb6mjEfWYCFx7YVQ+SnbtXLbjqKP47J1sqsBvq6SvYCpQ8o3TZnIMPooUMAuIR/+x1GhtAek/vVhkmDVOftH54HtE15oY/xFRG4oCfZQ7RmfR0kOTCGoMiyXbuV8iJmvqMct8OGcqIbP3lVvYo1vPRbRsuxL+s2mMzuJD1p16pZnIJrlEyy/SmW19EyBzAn85DT03eWmrujmNcKv7nqA8mMvyxdl2Vb7eMTeklWprzI/KYeYso0VapXoyishndzXz5Ny3SvgpeZVu+DiyoiWKAb6jljp5w6xeVMY26zbSkZSdqp226Wc7nT1rnEeIbWy7ywbQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fwBb49LNBX3CTpF1iHl19zNZWIqbMv64OBdWe4pe1+w=; b=sppvri/029Trvlpm6++oMC6v3n2Rt5oSedIMj6hwqfCf94eU4tUY9oKC01bPrVILaSAPeApQ0wPB/CzfGU07jX+efsztSBriPCpubOWbYFkmKMtInDeL9T+UOfzN+iNgTCbGa7tCOv9NFMj210b2QA1Acv/aV1xhL+mtU/iM6XE=
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by DB9PR07MB7276.eurprd07.prod.outlook.com (2603:10a6:10:21b::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6298.45; Tue, 18 Apr 2023 07:52:13 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::47af:87d7:c8ce:1957%6]) with mapi id 15.20.6298.030; Tue, 18 Apr 2023 07:52:13 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Update of the AEGIS draft
Thread-Index: AQHZbtkr5ysO7IP/IEmhQQTM1bRocq8q7SvCgAGEpwCAAsUn+oABYreTgAAdwjY=
Date: Tue, 18 Apr 2023 07:52:13 +0000
Message-ID: <GVXPR07MB9678EEC9B2AA994013BE0697899D9@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <2F9EE079-3605-4451-BA69-99F12CE7AE38@pureftpd.org> <GVXPR07MB96786B0EA4017D02EFAB75D389999@GVXPR07MB9678.eurprd07.prod.outlook.com> <9CC12137-BADD-4CFB-B318-0850D68E29AF@csperkins.org> <GVXPR07MB967802E1B0116EE14AC6D675899C9@GVXPR07MB9678.eurprd07.prod.outlook.com> <GVXPR07MB967869677CF3A8E1C9205C15899D9@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB967869677CF3A8E1C9205C15899D9@GVXPR07MB9678.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|DB9PR07MB7276:EE_
x-ms-office365-filtering-correlation-id: 272c9ad1-ea02-46cc-b67f-08db3fe1d272
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: t0q0EwbrmPpCAO98pfOTapVt9RgOXSeP/IvdgKxzSsDAxNYHvvztFYKr7FjAjXdeUU/D6MD+mXjsILiOwgAU4eQW31PRu8otN5yPSMnbTAf5fT/DMTStkA8xTjtpQjAPLmkb0xDZmsAwlUrBi/POwHcb2+WsJPTfTvm9IWaWuryePWB/9UrzjNyPwaPeBA/wg/Slp5i744Mbz4cirZALocJjMj08a5I0N8FXKX1JzZnbTzg8zv8ug97sVR6CaymliYH2uYVgmVCBHqAdGKpbMlDz9pdeZcNyL+pdb5bQtKM3bzXnjhtnoJnsVZ8mZC8a3r62aP86G+PGxtpJucFo9DzjePmsMHE3eKqcBBF6Mv0DExuC2cWYQ8n6fQo65WAbRMBarUt40qRkGNIjCK9rQMf5dBtuLaupw+lIjQ0GCEcZy7jhnlRxLHHRMnDKR77OBisFTWEUxe31EZ0TUG7PrtU2EIYYZeAJiAMC538ewNuwj46EdsveIdgsJ2QLemPdDWSFO1G/JjddLdSVnS4Rawn49mFcJHPmdOxPGHNXHSghFBf5LntT/Fw61vhvDp8pP1WbKMStTdto9CxjM4bdywI9zUg6jZ5BSB1JrVm9SKNWCEmMWoFnXU5JZVi2ETA7QF++P+d/uf9Fl2I+/qNfAA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(136003)(376002)(346002)(39860400002)(396003)(366004)(451199021)(44832011)(52536014)(966005)(8936002)(166002)(55016003)(7696005)(71200400001)(8676002)(66446008)(66476007)(66556008)(64756008)(6916009)(33656002)(86362001)(41300700001)(66946007)(38070700005)(76116006)(122000001)(38100700002)(5660300002)(82960400001)(478600001)(83380400001)(26005)(15650500001)(2940100002)(186003)(316002)(9686003)(6506007)(53546011)(2906002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: F/a24r6qrG5tNoRuv3OxZ42rlk9pDZcO9Wo5CR4iDjLuNsKKjXGevvUZYoBFuU1zpLx0OsNqoLgrnRlXKOWrA3Qf4x2z4HGOBfBlMAnPlffEQILf2C2DDHxrTOnlIv530Zp4k5mPv6fYrVNZlmRO+j6JPte18qVM+DoPCxBYOfOQ1rHW9vu+GYDI6nqDnd+PF7O+PxiYzsbEQHB1uC/ZrsyGMAaG6clZW4e8njp3ivp01vcbVmGnGl1xwuaxfo/zgVujM0/bkbG4RkTNtFZhieNwW8+2T9c7dYQlYb8v0n+vguX7G6wEas0L0PO/HuI7xiw3ECk/BQfhnhlrS7eSwjIJIPQrkkwbRd9cEpu6FAQT7AEQJbUi0G3anwjbw7gxbKg/NexmUItW78Ia8WQUw3D/lC23j8r/6bwiXn3CkcHSTWw25IGLY0VtTp4/s/pBKWpUMOAJlwGbMuvjoexsmkm7Ed6pDXcwybeMrkdV3iNLBGOylSClRcxPidYTD6E5Q5kvtXNrwBd+kIAqMEyDGxjBZotzDBe7aYD+s7ynm8nIUwh3FPo1srIib0p/7TpJ1gF7NwG95qrXBOKTpmvQn8AGiXLfQPQvMNmEm16BrEYdWuQy8oi6BMH2V8LzQsT2ciPHK+uHIFsQ0J2GGycdlMlp4tfbJ/s3K8tybd3hdPLbGMZc9R5syZK1+Y89i/lbMNR311ypHz55U/s9akJsxfA5iAb/r5b3R14ckAbPgmZh/Bv3S/4UPzdO7ObIucD5kyNgA1vdNdB4oQcJ6tRzbuaovcSr7P6Wn8n+HXMYzJTQgzEXy4Vn4qmW9r+e9jg4BFXz2r3kNmSEDtpFl9WJqWEobtyMWTtBBIHXc8XoWrlh36BYFZ9l2PMBvnLI7m+Hpbn4eGNDjNth5HI23RHaK2qd+MnH/HwA0U0TMjtdi1lcVaNCvOMfkbXW9TiArIw22u6WITjEEVTbJffq4jtoSY2iNIX/YefkutVzj8tEETQIaiaPr4zqqQi9La/AyWJ6hFuaRYhm7JPoFlD0IZ8ZjfyecwAuQwmTyHJW478Co2GD2KGAgmRlBu89QiwAXVP3M6mS76JgTETqCt6avvHXjCbs8zBslJjzZuSFTJfa3dfH8Otd/zl2wS8Wfo9+BvBOlXBJagTHCpAUWysqOGxxNkl9eZoozypTk2POxebiX81FiQP0fqEYYGiCX8VkUKjxUB7v+W8s9FnWCT7OlFAxzrUBweBqaCulBixIfroXlIRC2hw31lwCboOkHBFCINYjVh/6jquh09BUWsWGb2uI6Fo0PDFYzfsIEFWGIY6VytUe8d/UciYBpqpbu4a+i9bbKgAxKCfqhUxSMW2cLvgfk5gPAXya2/xm9KNT1oYjB9YSUnRBdZLdGBlfNt3n8pCAqWubx7a6qrIy98sAQ5R+F69ch0NBXpu2ULdesHW+JdLSjRMJN4y/1pBvSQhDvAyASJkzMmyGvPaSL82IoItid3BFO+tj6Jnt0/ot6qDAKyCRUx21UoIKni4e3tvTy96Bqjv0qJxFeXjAU2mHC9gR2fokCgHVsvW7Yfn//sBmHBpKXuhgmsMq6KbU14CnwKlkfLWDFEBOsOLvuVij/yVK19eJZi5BiVVlJlDn8tAr5ec=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678EEC9B2AA994013BE0697899D9GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 272c9ad1-ea02-46cc-b67f-08db3fe1d272
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Apr 2023 07:52:13.3509 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: JHbDzmUS8zGew3M4aIU1JDqbiTazjnzbMys+gMSa4C/4Wh+QgvZR7vEc6mEwjrAyLn9Kd5O0Y6EOWGGR6p034+G1NMrTfL4lQJtWhuMJZwA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR07MB7276
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9REMToiIVLogxk1NL2df6pw0QDs>
Subject: Re: [CFRG] Update of the AEGIS draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 07:52:23 -0000

Another comment on -02

The document registers two AEAD algorithms but does not specify how 'ct' and 'tag' are combined to create C compatible with the RFC 5116 interface which requires a single output.
https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml

For the same reasons, the following are a bit contradictiing.
  "ct: the ciphertext."
 "C_MAX (maximum ciphertext length) = P_MAX + tag length"

RFC 8439 (ChaCha20-Poly1305) seems to have the same problem, it is unspecified how to create C. There are infinite ways (most bad) to combine ct and tag.

RFC 8452 (AES-GCM-SIV) specifies that "The final ciphertext is the result of XORing the plaintext with the keystream and appending the tag."

Cheers,
John

From: CFRG <cfrg-bounces@irtf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Tuesday, 18 April 2023 at 08:10
To: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Update of the AEGIS draft
Should be simplified and generalized as:

When the AEAD is based on AEGIS, then the mask is generated by the AEGIS Encrypt function with a 128-bit tag length, sn_key as the key, and the first 16 bytes of the ciphertext zero padded to the nonce length:

     Mask = Encrypt( , , sn_key, ZeroPad(Ciphertext[0..15], nonce length))


When the AEAD is based on AEGIS, then the mask is generated by the AEGIS Encrypt function with a 128-bit tag length, hp_key as the key, and the 16 bytes ciphertext sample zero padded to the nonce length:

     mask = Encrypt( , , hp_key, ZeroPad(sample, nonce length))

Cheers,
John


From: CFRG <cfrg-bounces@irtf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Date: Monday, 17 April 2023 at 12:05
To: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Update of the AEGIS draft
Hi,

Thinking more about QUIC and DTLS 1.3 header protection, I think this should be addressed in the CFRG draft. The header protection solution should reuse the current AEGIS interfaces.

The simplest solution seems to just use the 128-bit PRF tag for header encryption. Suggestion:

------------
# QUIC and DTLS 1.3 Header Protection

## DTLS 1.3 Record Number Encryption

In DTLS 1.3, record sequence numbers are encrypted as specified in Section 4.2.3 of [RFC9147]. When the AEAD is based on AEGIS, then the mask is generated by the AEGIS Encrypt function with a 128-bit tag length, sn_key as the key, and the first 16 bytes of the ciphertext as the nonce. The Mask for AEGIS-128L is

     Mask = Encrypt( , , sn_key, Ciphertext[0..15])

and the Mask for AEGIS-256 is

     Mask = Encrypt( , , sn_key, ZeroPad(Ciphertext[0..15], 256))

## QUIC Header Protection

In QUIC, parts of the QUIC packet headers are encrypted as specified in Section 5.4 of [RFC9001]. When the AEAD is based on AEGIS, then the mask is generated by the AEGIS Encrypt function with a 128-bit tag length, hp_key as the key, and the 16 bytes ciphertext sample as the nonce. The mask for AEGIS-128L is

     mask = Encrypt( , , hp_key, sample)

and the Mask for AEGIS-256 is

     mask = Encrypt( , , hp_key, ZeroPad(sample, 256))



------------

Alternatively, you could encrypt 128 zeroes and take the first 128-bits of 256-bit ciphertext, but that would be slower, and I don’t see any practical security benefits.

Cheers,
John



From: Colin Perkins <csp@csperkins.org>
Date: Saturday, 15 April 2023 at 16:37
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Frank Denis <cfrg@pureftpd.org>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Update of the AEGIS draft


On 14 Apr 2023, at 17:05, John Mattsson wrote:

> Review of draft-irtf-cfrg-aegis-aead-02
>
> Hi,
>
> Thanks for driving this work! I have always been very supportive of this work. Reading and providing comments on the NIST SP 800-38 series during the last year has made me even more supportive. I think AEGIS fills several important requirements that are missing from current AEAD algorithms, espcially high-performance on commodity CPUs as well as large nonces. I hope the authors will submit AEGIS to the upcoming NIST workshop on encryption modes.
>
> I think the draft seems in a very good state. Some comments:
>
> - Title: Titles of RFCs should be capitalized according to RFC 7322, i.e., change to "The AEGIS Family of Authenticated Encryption Algorithms"
>
> - Abstract: I think the abstract should mention all the nice high level properties: support of large nonces, large plaintexts, key commitment…
>
> - Abstract: I think you should remove "It is not an IETF product and is not a standard." All needed text is automatically added to the RFC.

Section 2.1 of RFC 5743 requires certain statements be included in the Abstract and Introduction of IRTF drafts. This includes making it “very clear throughout the document that it is not an IETF product and is not a standard”. Having this text in the Abstract is one way of addressing that requirement, so I would not remove it.

Colin



> - "With AEGIS-128L, random nonces can safely encrypt up to 2^48 messages
>    using the same key with negligible collision probability."
>
>   Not sure 2^-33 is always considered negligible. Maybe good to inform the reader that after n messages the collision probability is n^2 / 2^129. I assume 2^48 was chosen to align with the NIST required 2^-32 probability for GCM.
>
> - IANA Considerations: How do I use AEGIS in QUIC and DTLS 1.3? Code points have been registered for TLS 1.3, which means that AEGIS can be used for TLS 1.3. It can however not be used for QUIC, DTLS 1.3, and cTLS as that requires standardization of how to do the QUIC and DTLS 1.3 Header Protection. What is the plan for that? I think this should be done very soon. Should that be done it this draft or a separate draft? Happy to help write such a separate draft/drafts if needed. The IANA registry says "DTLS-OK = Y", but that is only true for DTLS 1.2. How to encrypt the DTLS 1.3 header when TLS_AEGIS_256_SHA384 or TLS_AEGIS_128L_SHA256 is used is not specified. I would also like to see AEGIS being Recommended = 'Y' in the future. Unless done in this draft, I think a TLS WG draft should be processed in parallel with the CFRG draft doing these three things:
>
> 1. Recommended = 'Y'
> 2. How to encrypt DTLS 1.3 headers
> 3. How to encrypt QUIC headers
>
> Cheers,
> John
>
> From: CFRG <cfrg-bounces@irtf.org> on behalf of Frank Denis <cfrg=40pureftpd.org@dmarc.ietf.org>
> Date: Friday, 14 April 2023 at 15:58
> To: IRTF CFRG <cfrg@irtf.org>
> Subject: [CFRG] Update of the AEGIS draft
>
> Hi all,
>
>
>
> A new revision of the draft on the AEGIS family of authenticated encryption algorithms was recently published.
>
>
>
> AEGIS is an AEAD designed for high performance applications, with significant advantages over AES-GCM:
>
> - Fast. 2x to 4x faster than AES-GCM on CPUs with AES pipelines. Software implementations also tend to be faster
>
> - Very simple to implement securely and efficiently using only the AES forward round function
>
> - Reduced memory usage: doesn’t require precomputing a key schedule nor powers of the MAC key to achieve optimal performance
>
> - Large nonce size (128 bits for AEGIS-128L, 256 bits for AEGIS-256)
>
> - Better security bounds
>
> - Context committing
>
> - Backtracking resistant
>
>
>
> In addition to internal deployments, AEGIS is already deployed in OVH routers, in the Linux kernel and in VPN software.
>
>
>
> Multiple implementations exist (C, C++, Rust, Zig, Python, Go, Assembly), most of them having been written independently, using only the specification:
>
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3b0fdf065dc1e6ef&q=1&e=d465abc6-e170-4c80-99e2-705daad7bfd1&u=https%3A%2F%2Fgithub.com%2Fjedisct1%2Fdraft-aegis-aead%23known-implementations<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3b0fdf065dc1e6ef&q=1&e=c68cc6f1-dbc0-4c3d-8ff6-e92a201f6a59&u=https%3A%2F%2Fgithub.com%2Fjedisct1%2Fdraft-aegis-aead%23known-implementations><https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3b0fdf065dc1e6ef&q=1&e=d465abc6-e170-4c80-99e2-705daad7bfd1&u=https%3A%2F%2Fgithub.com%2Fjedisct1%2Fdraft-aegis-aead%23known-implementations%3chttps://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-3b0fdf065dc1e6ef&q=1&e=c68cc6f1-dbc0-4c3d-8ff6-e92a201f6a59&u=https%3A%2F%2Fgithub.com%2Fjedisct1%2Fdraft-aegis-aead%23known-implementations%3e>
>
> In addition to reference code and to the specification, Google’s Project Wycheproof includes an extensive set of test vectors for AEGIS.
>
>
>
> For evaluation purposes, AEGIS can be used as an alternative to AES-GCM in the context of TLS.
>
> In order to ensure interoperability, IANA has assigned identifiers for AEGIS-based cipher suites.
>
> There is a maintained fork of BoringSSL that supports these cipher suites. The TLS stack of the Zig standard library also supports these suites out of the box.
>
>
>
> Feedback would be very useful. We would love to see this document move forward.
>
>
>
> Direct links to the draft:
>
> - latest version (editor’s copy): https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-7d2fee82ec540a8d&q=1&e=d465abc6-e170-4c80-99e2-705daad7bfd1&u=https%3A%2F%2Fjedisct1.github.io%2Fdraft-aegis-aead%2F%23go.draft-irtf-cfrg-aegis-aead.html<https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-7d2fee82ec540a8d&q=1&e=c68cc6f1-dbc0-4c3d-8ff6-e92a201f6a59&u=https%3A%2F%2Fjedisct1.github.io%2Fdraft-aegis-aead%2F%23go.draft-irtf-cfrg-aegis-aead.html><https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-7d2fee82ec540a8d&q=1&e=d465abc6-e170-4c80-99e2-705daad7bfd1&u=https%3A%2F%2Fjedisct1.github.io%2Fdraft-aegis-aead%2F%23go.draft-irtf-cfrg-aegis-aead.html%3chttps://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-7d2fee82ec540a8d&q=1&e=c68cc6f1-dbc0-4c3d-8ff6-e92a201f6a59&u=https%3A%2F%2Fjedisct1.github.io%2Fdraft-aegis-aead%2F%23go.draft-irtf-cfrg-aegis-aead.html%3e>
>
> - datatracker page: https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead
>
>
>
> Kind regards,
>
>
>
> -Frank.

> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-40f7d10cf9eb7c69&q=1&e=d465abc6-e170-4c80-99e2-705daad7bfd1&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg

v2.23.0 | Report a Bug | By Email