Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Thomas Peyrin <thomas.peyrin@gmail.com> Wed, 20 April 2016 16:35 UTC

In-Reply-To: <CAMfhd9Wjmxzspj40XRZ3xbGzO6WNnYcCyeTL=j08+eOJuAt_5Q@mail.gmail.com>
References: <57148B14.7020507@azet.sk> <20160420021208.5285C6031B@jupiter.mumble.net> <D33CFBBA.6A6ED%kenny.paterson@rhul.ac.uk> <CAA0wV7QY6tTMMp6XauEPXM-r3URxs5y6sOPmKqSDMjrK9PyrZg@mail.gmail.com> <CAMfhd9Wjmxzspj40XRZ3xbGzO6WNnYcCyeTL=j08+eOJuAt_5Q@mail.gmail.com>
Date: Thu, 21 Apr 2016 00:35:28 +0800
Message-ID: <CAA0wV7RxKACSMfdzifuYqkpd_F_3g5aFW=xd7=s8t6tgqJuERg@mail.gmail.com>
From: Thomas Peyrin <thomas.peyrin@gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GH_199izLC3slQOrnMwuIUHN5O8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Indeed, if the goal is to have an AES-based AEAD candidate that offers some
kind of misuse resistance, there are quite a few among the CAESAR designs
(AEZ being indeed one of them).

2016-04-20 23:59 GMT+08:00 Adam Langley <agl@imperialviolet.org>:

> On Wed, Apr 20, 2016 at 2:04 AM, Thomas Peyrin <thomas.peyrin@gmail.com>
> wrote:
> > I understand the explanations for the first point (considering an AEAD now
> > doesn't preclude from having CAESAR candidates later as well), but I don't
> > understand for the second point. Why do we need to wait for the end of
> > CAESAR competition before considering CAESAR candidates instead of
> > AES-GCM-SIV? I believe we should at least take a short look at the current
> > algorithms available now, and not only AES-GCM-SIV?
>
> Many CAESAR candidates may be "better designed" in the same way that
> XSalsa20-Poly1305 is, in some sense, "better designed" than
> AES-GCM-SIV: i.e. it uses operations that are independently useful on
> CPUs and so more performant (with fewer tricks) than the binary fields
> of AES and GHASH/POLYVAL.
>
> But dedicated hardware for AES-GCM is now fairly common in many
> environments and it's very hard for anything to beat the performance
> and power efficiency of this dedicated hardware. (Which seems a little
> like cheating, but that's where we are.)
>
> Thus AES-GCM is the default for encrypting large amounts of data. But
> in situations where a counter nonce isn't possible a significant
> amount of worry has to go into convincing ourselves that a duplicate
> nonce isn't possible. So what we want is AES-GCM—but with less worry.
> Same underlying primitives, basically the same speed, same API, but no
> detonation if nonce uniqueness slips for some crazy reason.
>
> Since this is so closely related to AES-GCM, I don't think that
> volumes of analysis can be directly compared with CAESAR candidates:
> AES is nearly axiomatic now and so doesn't need the sorts of analysis
> that something like NORX warrants.
>
> I know that some CAESAR candidates are based around AES for this
> reason and in order to take advantage of hardware support. If you have
> one in mind then it should be considered, but I believe that
> AES-GCM-SIV is very useful as a tweak of AES-GCM and I'm not sure what
> an alternative would usefully provide without venturing into being
> "more exciting". I would like CAESAR to produce a primitive that
> provides cool features like AEZ's (and maybe others') arbitrary block
> size. But, for now, I would welcome a slightly more robust AES-GCM.
>
>
> Cheers
>
> AGL
>
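As an added illustration (not code from this thread, from the AES-GCM-SIV draft, or from either author), the Go program below, using only the standard library, shows the failure mode Adam describes and what an SIV-style construction does about it. With AES-GCM, sealing two messages under one key and nonce repeats the CTR keystream, so the XOR of the two ciphertext bodies equals the XOR of the plaintexts. In an SIV-style construction the tag is computed over the plaintext first and then used as the CTR IV, so a reused nonce repeats the keystream only when the whole (nonce, AAD, plaintext) triple repeats, and all that leaks is message equality. The SIV half here is a simplified stand-in: it uses HMAC-SHA256 as the PRF and a fixed 32-byte key split into MAC and encryption halves, whereas the AES-GCM-SIV draft uses POLYVAL and derives both keys from the nonce with AES. The key, nonce and messages are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const sivTagLen = 16

// xorBytes returns a XOR b; callers pass equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// GCMSeal is plain AES-GCM from the Go standard library: the caller picks the
// nonce and nothing in the construction notices when the same one is used twice.
func GCMSeal(key, nonce, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // only fails for a non-16-byte block size
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// sivTag is the synthetic IV: a PRF over nonce, AAD, plaintext and their lengths.
// Stand-in only (HMAC-SHA256 truncated to 16 bytes); the draft uses POLYVAL and AES
// under keys derived from the nonce.
func sivTag(macKey, nonce, aad, plaintext []byte) []byte {
	var lens [16]byte
	binary.LittleEndian.PutUint64(lens[:8], uint64(len(aad)))
	binary.LittleEndian.PutUint64(lens[8:], uint64(len(plaintext)))
	h := hmac.New(sha256.New, macKey)
	for _, part := range [][]byte{nonce, aad, plaintext, lens[:]} {
		h.Write(part)
	}
	return h.Sum(nil)[:sivTagLen]
}

// sivCTR is AES-CTR with the synthetic IV as the initial counter block.
func sivCTR(encKey, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// SIVSeal tags the plaintext first, then encrypts with the tag as IV, so a reused
// nonce repeats the keystream only if (nonce, AAD, plaintext) all repeat.
// key is 32 bytes: MAC key || CTR key. Output is ciphertext || tag.
func SIVSeal(key, nonce, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	tag := sivTag(key[:16], nonce, aad, plaintext)
	ct, err := sivCTR(key[16:], tag, plaintext)
	if err != nil {
		return nil, err
	}
	return append(ct, tag...), nil
}

// SIVOpen decrypts under the received tag, recomputes the tag over the result
// and compares in constant time; a modified ciphertext, tag, AAD or nonce fails.
func SIVOpen(key, nonce, aad, sealed []byte) ([]byte, error) {
	if len(key) != 32 || len(sealed) < sivTagLen {
		return nil, errors.New("bad key or ciphertext length")
	}
	ct, tag := sealed[:len(sealed)-sivTagLen], sealed[len(sealed)-sivTagLen:]
	pt, err := sivCTR(key[16:], tag, ct)
	if err != nil || !hmac.Equal(tag, sivTag(key[:16], nonce, aad, pt)) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real use
	nonce := make([]byte, 12)             // the same nonce, reused on purpose
	p1, p2 := []byte("transfer $100 to alice"), []byte("transfer $999 to carol")
	g1, _ := GCMSeal(key[:16], nonce, nil, p1)
	g2, _ := GCMSeal(key[:16], nonce, nil, p2)
	s1, _ := SIVSeal(key, nonce, nil, p1)
	s2, _ := SIVSeal(key, nonce, nil, p2)
	n, want := len(p1), xorBytes(p1, p2)
	fmt.Println("GCM c1^c2 == p1^p2:", bytes.Equal(xorBytes(g1[:n], g2[:n]), want)) // true
	fmt.Println("SIV c1^c2 == p1^p2:", bytes.Equal(xorBytes(s1[:n], s2[:n]), want)) // false
}
```

The XOR leak is only the most visible consequence of a repeated GCM nonce; the same event also exposes the GHASH authentication key and so enables forgeries, which is why "detonation" is the right word for it. The SIV construction pays for its robustness with two passes over the plaintext (tag first, then encryption) and with determinism: the same (key, nonce, AAD, plaintext) always yields the same output, so an observer can tell when a message is repeated, and that is the whole of what nonce reuse gives away.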