Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Adam Langley <agl@imperialviolet.org> Wed, 20 April 2016 15:59 UTC
Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE4B12D0A9 for <cfrg@ietfa.amsl.com>; Wed, 20 Apr 2016 08:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpXWFM1ZjxAC for <cfrg@ietfa.amsl.com>; Wed, 20 Apr 2016 08:59:18 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85E7812D1BE for <cfrg@irtf.org>; Wed, 20 Apr 2016 08:59:18 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id 2so56929812ioy.1 for <cfrg@irtf.org>; Wed, 20 Apr 2016 08:59:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-transfer-encoding; bh=TtSAEZD3EgmZBnwIL54K5/rN4v80y0UBpQNgUtdTFwk=; b=l7NgnkH0MO4jbgcqA/bWfERz4umkEJCfbXk0EZ4sFpBnLpiK5wVXuZt7ICQFYfocGs hj74mqGRDDs8ulgJg8ocCK+F1UkVD0ib3csBY/xyPqLDtTbXYbzOVQIbxKGbNkgV9yOa /OGlDqFoOP3ov4I2D8/7pg1SKGK+uB3v4vC08bG3wZk/tdXLls6rrx4KTdpB6An7F4Wr s+WaELJABvPGeJVkzTvdWtC8/mJmg3skhkgN5NpgAbB9NUtmeiBWQ9bbDJT62JeRPLTu JQZZsJTPjSALUS1zymYL1f7OGQVhMHqez41F4JsxwxqFvzWxgObopoMNtyyNdMxPV98Z 686g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=TtSAEZD3EgmZBnwIL54K5/rN4v80y0UBpQNgUtdTFwk=; b=Wr8ePBr3szN7pkmtTo3XKowRBn8fx3ICxaJfi6qRNnWxDRHZ1JLI44hkzapRJnPQtC EtrEjPl3BQ4WtwBWSvNHLenvc92DaxHzFS3dgudCdUkd4J4kv3L1BXMYCnTmUh9cVIBN m7Jjl4w73lSO90fTuEB7HN4i+4fBHzDyytmCQB0qfOF4Xw9zaW8BihspQt6bHYQUwaGo zNVSGGi7Ms270ktbzZ6jddm6/+yLDByCgAjISftGM7/BsR1YfsUT3SxLJY24MRHgtVoM Kj2rEOnFYuKUngpB7LmQ9Na4YhGnAU/NHgrO9ZLqmB06CoTL5h3rtA3OAFSSUpH6HLeW tQsA==
X-Gm-Message-State: AOPr4FWoglhdsLVHWxb1l6K6C/lHjuv0Yamv221IxsDXjj2Zg69O94yQApUNG8Ud/Q1tf5CdT5BGD/xSxzhUAA==
MIME-Version: 1.0
X-Received: by 10.107.184.8 with SMTP id i8mr10692906iof.96.1461167957763; Wed, 20 Apr 2016 08:59:17 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.79.117.133 with HTTP; Wed, 20 Apr 2016 08:59:17 -0700 (PDT)
In-Reply-To: <CAA0wV7QY6tTMMp6XauEPXM-r3URxs5y6sOPmKqSDMjrK9PyrZg@mail.gmail.com>
References: <57148B14.7020507@azet.sk> <20160420021208.5285C6031B@jupiter.mumble.net> <D33CFBBA.6A6ED%kenny.paterson@rhul.ac.uk> <CAA0wV7QY6tTMMp6XauEPXM-r3URxs5y6sOPmKqSDMjrK9PyrZg@mail.gmail.com>
Date: Wed, 20 Apr 2016 08:59:17 -0700
X-Google-Sender-Auth: T7oxr64DYNlltvB7K4aUV_6bJLo
Message-ID: <CAMfhd9Wjmxzspj40XRZ3xbGzO6WNnYcCyeTL=j08+eOJuAt_5Q@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Thomas Peyrin <thomas.peyrin@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/D3YxDvPgCdOCruf4aVueMjjXJhc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 15:59:20 -0000
On Wed, Apr 20, 2016 at 2:04 AM, Thomas Peyrin <thomas.peyrin@gmail.com> wrote: > I understand the explanations for the first point (considering an AEAD now > doesn't preclude from having CAESAR candidates later as well), but I don't > understand for the second point. Why do we need to wait for the end of > CAESAR competition before considering CAESAR candidates instead of > AES-GCM-SIV ? I believe we should at least take a short look at the current > algorithms available now, and not only AES-GCM-SIV ? Many CAESAR candidates may be "better designed" in the same way that XSalsa20-Poly1305 is, in some sense, "better designed" than AES-GCM-SIV: i.e. it uses operations that are independently useful on CPUs and so more performant (with fewer tricks) than the binary fields of AES and GHASH/POLYVAL. But dedicated hardware for AES-GCM is now fairly common in many environments and it's very hard for anything to beat the performance and power efficiency of this dedicated hardware. (Which seems a little like cheating, but that's where we are.) Thus AES-GCM is the default for encrypting large amounts of data. But in situations where a counter nonce isn't possible a significant amount of worry has to go into convincing ourselves that a duplicate nonce isn't possible. So what we want is AES-GCM—but with less worry. Same underlying primitives, basically the same speed, same API, but no detonation if nonce uniqueness slips for some crazy reason. Since this is so so closely related to AES-GCM, I don't think that volumes of analysis can be directly compared with CAESAR candidates: AES is nearly axiomatic now and so doesn't need the sorts of analysis that something like NORX warrants. I know that some CAESAR candidates are based around AES for this reason and in order to take advantage of hardware support. If you have one in mind then it should be considered, but I believe that AES-GCM-SIV is very useful as a tweak of AES-GCM and I'm not sure what an alternative would usefully provide without venturing into being "more exciting". I would like CAESAR to produce a primitive that provides cool features like AEZ's (any maybe other's) arbitrary block size. But, for now, I would welcome a slightly more robust AES-GCM. Cheers AGL
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Greg Hudson
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… David McGrew
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Salz, Rich
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Grigory Marshalko
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… denis bider
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Watson Ladd
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Grubbs
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Lambert
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Bryan Ford
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Mike Hamburg
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay