Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Adam Langley <agl@imperialviolet.org> Wed, 20 April 2016 15:59 UTC

From: Adam Langley <agl@imperialviolet.org>
To: Thomas Peyrin <thomas.peyrin@gmail.com>
Cc: cfrg@irtf.org
Date: Wed, 20 Apr 2016 08:59:17 -0700
Message-ID: <CAMfhd9Wjmxzspj40XRZ3xbGzO6WNnYcCyeTL=j08+eOJuAt_5Q@mail.gmail.com>
In-Reply-To: <CAA0wV7QY6tTMMp6XauEPXM-r3URxs5y6sOPmKqSDMjrK9PyrZg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/D3YxDvPgCdOCruf4aVueMjjXJhc>

On Wed, Apr 20, 2016 at 2:04 AM, Thomas Peyrin <thomas.peyrin@gmail.com> wrote:
> I understand the explanations for the first point (considering an AEAD now
> doesn't preclude having CAESAR candidates later as well), but I don't
> understand the second point. Why do we need to wait for the end of the
> CAESAR competition before considering CAESAR candidates instead of
> AES-GCM-SIV? I believe we should at least take a short look at the current
> algorithms available now, and not only AES-GCM-SIV.

Many CAESAR candidates may be "better designed" in the same way that
XSalsa20-Poly1305 is, in some sense, "better designed" than
AES-GCM-SIV: i.e. it uses operations that are independently useful on
CPUs and so more performant (with fewer tricks) than the binary fields
of AES and GHASH/POLYVAL.

But dedicated hardware for AES-GCM is now fairly common in many
environments and it's very hard for anything to beat the performance
and power efficiency of this dedicated hardware. (Which seems a little
like cheating, but that's where we are.)

Thus AES-GCM is the default for encrypting large amounts of data. But
in situations where a counter nonce isn't possible a significant
amount of worry has to go into convincing ourselves that a duplicate
nonce isn't possible. So what we want is AES-GCM—but with less worry.
Same underlying primitives, basically the same speed, same API, but no
detonation if nonce uniqueness slips for some crazy reason.

Since this is so closely related to AES-GCM, I don't think that
volumes of analysis can be directly compared with CAESAR candidates:
AES is nearly axiomatic now and so doesn't need the sorts of analysis
that something like NORX warrants.

I know that some CAESAR candidates are based around AES for this
reason and in order to take advantage of hardware support. If you have
one in mind then it should be considered, but I believe that
AES-GCM-SIV is very useful as a tweak of AES-GCM and I'm not sure what
an alternative would usefully provide without venturing into being
"more exciting". I would like CAESAR to produce a primitive that
provides cool features like AEZ's (and maybe others') arbitrary block
size. But, for now, I would welcome a slightly more robust AES-GCM.

Cheers

AGL
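The "detonation" the message refers to is easy to reproduce. The following is an added example, not code from the thread or from any AES-GCM-SIV implementation: it encrypts two constructed messages under one AES-GCM key and nonce, shows that the repeated CTR keystream hands an attacker who knows one plaintext the other one outright, and then runs the same experiment under AES-GCM-SIV, where nonce reuse leaks only whether two plaintexts were identical. It assumes the third-party `cryptography` package is installed; the AES-GCM-SIV half needs cryptography 42 or later built against an OpenSSL with GCM-SIV support and is reported as unavailable, rather than faked, when that is missing. The message contents, the AAD string and the function names are all my own choices.

```python
"""Nonce reuse under AES-GCM versus AES-GCM-SIV (added example, not from the thread).

Requires the third-party `cryptography` package (pip install cryptography).
AESGCMSIV is only present in cryptography >= 42 and only usable when the
linked OpenSSL supports it; in that case the SIV function returns None.
"""
import os

from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCMSIV
except ImportError:  # cryptography < 42 has no AES-GCM-SIV binding
    AESGCMSIV = None

TAG_LEN = 16  # both modes return ciphertext followed by a 16-byte tag

# Constructed sample messages (assumption, not from the page). Equal length
# keeps the keystream overlap simple to reason about.
P1 = b"transfer 0000100 to account 12345678"
P2 = b"transfer 9999999 to account 87654321"
AAD = b"session-42"


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def gcm_nonce_reuse_leak(key=None, nonce=None):
    """Encrypt P1 and P2 under the same AES-GCM key and nonce.

    GCM is CTR mode underneath, so the keystream repeats and
    C1 xor C2 == P1 xor P2. Knowing P1 therefore recovers P2 in full.
    Returns (recovered, P2) so the caller can compare them.
    """
    key = key or AESGCM.generate_key(bit_length=128)
    nonce = nonce or os.urandom(12)
    aead = AESGCM(key)
    c1 = aead.encrypt(nonce, P1, AAD)[:-TAG_LEN]
    c2 = aead.encrypt(nonce, P2, AAD)[:-TAG_LEN]
    keystream = xor(c1, P1)          # known plaintext exposes the keystream
    recovered = xor(c2, keystream)   # which decrypts the second message
    return recovered, P2


def siv_nonce_reuse_behaviour(key=None, nonce=None):
    """Same experiment under AES-GCM-SIV.

    Returns None when this cryptography/OpenSSL build lacks AES-GCM-SIV.
    Otherwise returns a dict: repeating key, nonce AND plaintext gives an
    identical ciphertext (equality leaks, nothing more), while distinct
    plaintexts get independent keystreams, so the GCM recovery trick fails.
    """
    if AESGCMSIV is None:
        return None
    key = key or os.urandom(16)
    nonce = nonce or os.urandom(12)
    try:
        aead = AESGCMSIV(key)
    except UnsupportedAlgorithm:
        return None
    c1 = aead.encrypt(nonce, P1, AAD)
    c1_again = aead.encrypt(nonce, P1, AAD)
    c2 = aead.encrypt(nonce, P2, AAD)
    keystream_guess = xor(c1[:-TAG_LEN], P1)
    recovered = xor(c2[:-TAG_LEN], keystream_guess)
    # Authenticity and decryption are unaffected by the reuse.
    if aead.decrypt(nonce, c2, AAD) != P2:
        raise RuntimeError("AES-GCM-SIV round trip failed")
    return {
        "deterministic": c1 == c1_again,   # True: same input, same output
        "xor_recovers": recovered == P2,   # False except with prob. ~2^-128
    }


if __name__ == "__main__":
    rec, truth = gcm_nonce_reuse_leak()
    print("AES-GCM nonce reuse recovers P2:", rec == truth)
    siv = siv_nonce_reuse_behaviour()
    print("AES-GCM-SIV:", siv if siv is not None else "not available in this build")
```

The two halves use the same key size, nonce size, AAD and call shape, which is the "same API" point from the message: the only difference in the calling code is the class name. What changes is the consequence of a slipped nonce: with AES-GCM it is full plaintext recovery (and, not shown here, key recovery for the GHASH authentication key); with AES-GCM-SIV it is the unavoidable leak that two identical messages produce identical ciphertexts.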