Re: [Cfrg] authenticated encryption with replay protection (AERO) - internet draft

Watson Ladd <> Fri, 03 January 2014 02:26 UTC


On Thu, Jan 2, 2014 at 7:40 PM, David McGrew <> wrote:
> Hi CFRG,
> I have a new proposal for authenticated encryption, which is particularly
> well suited for communication security. An internet draft describing the
> idea has been published at
> and I would like to request a slot at the upcoming CFRG meeting to present
> this work. (I am assuming that we will be meeting in London in March along
> with IETF 89.) I alluded to this work on the thread about misuse resistant
> authenticated encryption earlier today.
> From the draft:
> Authenticated Encryption with Replay prOtection (AERO)
>    This document describes Authenticated Encryption with Replay
>    prOtection (AERO), a cryptographic technique that provides all of the
>    essential security services needed for communication security. AERO
>    offers several advantages over other methods: it has more compact
>    messages, provides stronger misuse resistance, avoids the need to
>    manage implicit state, and is simpler to use.  This document defines
>    a particular AERO algorithm as well as a registry for such
>    algorithms.
> Comments are welcome, and I especially encourage discussion about the
> appropriate goals for authenticated encryption. The draft explains the
> rationale well enough, I believe, though it does not mention decryption
> misuse. I will send a separate note on that topic.

INT-PTXT+IND-CPA is pretty much expected.

My one question is why not submit to CAESAR? Yes, you are judging it, but it would bring more eyes and perspective.

The big weakness of this proposal is speed. It requires one pass of AES-CTR followed by several passes of a GCM calculation. On commodity hardware this is very slow. SIV with the nonce as AAD would get equivalent anti-replay properties with greater speed, namely two AES passes.

> A formal proof of security has not yet been published, but is believed to be
> possible, and the draft does include a security analysis.

It's straightforward, if tedious: use the lemma of Bernstein on PRP vs PRF, then argue that the messages emerging from an attacker's insertion are indistinguishable from random, so the forgery probability is low. For privacy argue that IND-* is satisfied. Then use the fact that forgery is hard to get that IND-CCA is satisfied. I haven't actually done this so there might be a nontrivial obstacle.

Watson Ladd

> Just for the sake of formality - in requesting this review and a slot at the
> upcoming meeting, I am acting as a CFRG member and not a chair.
> David

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin
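As an added illustration of the "SIV with the nonce as AAD" composition Watson suggests (example code, not from the AERO draft or anyone on the thread): a deterministic AEAD whose tag is a PRF over the sequence number (as AAD) and the plaintext, with that tag used as the IV for encryption, plus a receiver that accepts each authenticated sequence number at most once. HMAC-SHA256 stands in for the AES-based PRF of real AES-SIV, and the key names, wire format and `Receiver` class are this example's own assumptions.

```python
"""Toy SIV-style AEAD with the sequence number as AAD (constructed example).

HMAC-SHA256 stands in for the AES-based PRF of real AES-SIV (RFC 5297), so
this is NOT AES-SIV; it only illustrates the composition and the replay check.
"""
import hashlib
import hmac

TAG_LEN = 16


def _prf(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every part so (seq, pt) is encoded unambiguously.
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key: bytes, siv: bytes, n: int) -> bytes:
    # Counter mode over the PRF, with the synthetic IV as the nonce.
    blocks = (_prf(key, siv, i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def siv_encrypt(k_mac: bytes, k_enc: bytes, seq: int, pt: bytes) -> bytes:
    siv = _prf(k_mac, seq.to_bytes(8, "big"), pt)[:TAG_LEN]  # tag over AAD=seq and pt
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, siv, len(pt))))
    return siv + ct  # wire format: tag || ciphertext; seq travels in the clear


def siv_decrypt(k_mac: bytes, k_enc: bytes, seq: int, msg: bytes):
    siv, ct = msg[:TAG_LEN], msg[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, siv, len(ct))))
    expect = _prf(k_mac, seq.to_bytes(8, "big"), pt)[:TAG_LEN]
    # Decrypt, then recompute the tag; a mismatch means forgery or relabelled seq.
    return pt if hmac.compare_digest(siv, expect) else None


class Receiver:
    """Accepts each authenticated sequence number at most once."""

    def __init__(self, k_mac: bytes, k_enc: bytes):
        self.k_mac, self.k_enc, self.seen = k_mac, k_enc, set()

    def receive(self, seq: int, msg: bytes):
        if seq in self.seen:  # replay of an already-accepted number
            return None
        pt = siv_decrypt(self.k_mac, self.k_enc, seq, msg)
        if pt is not None:
            self.seen.add(seq)  # record only after the tag verified
        return pt
```

Because the sequence number is covered by the tag, a captured message cannot be re-labelled with a fresh number, and the receiver's `seen` set catches a straight replay; a production receiver would bound that state with a sliding window rather than an unbounded set.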