Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

[Paul Lambert <paul@marvell.com>]

>On Mon, Apr 18, 2016 at 12:21 AM, Fedor Brunner <fedor.brunner@azet.sk>
>wrote:
>> XSalsa20 is Salsa20 cipher with nonce extended to 192 bits. So there is
>> no need to manage nonces, they can be generated with RNG. Could you
>> please describe applications where you would prefer AES-GCM-SIV over
>> XSalsa20+Poly1305
>
>Basically the increasing levels of hardware support for AES-GCM make
>it compelling from a performance point of view.

Yes Š GCM is becoming the preferred hardware encryption algorithm for it¹s
performance. GCM is being designed into most layer 2 encryption protocols
and the associated hardware. Encryption hardware is a significant
investment in a chip and given the dominance of AES it is unlikely that an
additional cipher (like Salsa20) will be added broadly to hardware for a
very long time.  

>
>(Storing the extra twelve bytes of nonce /might/ be a concern in some
>cases but I'm not sure about that.)

Yes - that will be an issue for many existing designs.  It¹s still a much
smaller change for a design that moving to Salsa or any other new cipher.

Nonce misuse-resistance is quite valuable in ad-hoc multicast
environments. It will be interesting to see how AES-GCM-SIV maps into the
formats of a multicast encryption protocols (like ad-hoc encrypted
multicast in 802.11). This nonce resistance is a mode I¹ve been hoping
would get support for many years for ad-hoc multicast environments. In
particular, it solves the n^2 key setup problems of 802.11 IBSS.

Paul


>
>
>Cheers
>
>AGL
>
>-- 
>Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg