Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
Andy Polyakov <appro@openssl.org> Tue, 19 September 2017 11:32 UTC
Return-Path: <appro@openssl.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07E7A132F7D for <cfrg@ietfa.amsl.com>; Tue, 19 Sep 2017 04:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n_PBzKmmUdQ0 for <cfrg@ietfa.amsl.com>; Tue, 19 Sep 2017 04:31:59 -0700 (PDT)
Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1743613420B for <cfrg@irtf.org>; Tue, 19 Sep 2017 04:31:58 -0700 (PDT)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by mta.openssl.org (Postfix) with ESMTP id EC12DE03EF; Tue, 19 Sep 2017 11:31:56 +0000 (UTC)
To: Shay Gueron <shay.gueron@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <EA4347BF-D26F-4303-9A8D-E7B28986DE56@isode.com> <71d10985-4c46-4a7c-e634-76a822102a61@openssl.org> <CACsn0cnSq9nJpdjpDQ-HpHX7i6W-0=JkCOB-WenBRoMSKO9ypA@mail.gmail.com> <b751593d-20bb-8914-de96-e9040080e15d@openssl.org> <CAHP81y_CUTvA9Ftqz0Q_qzs94iPddW+4g5ObhzruNKR5zaEPvw@mail.gmail.com> <46eaa04f-09ef-3f11-4729-dfeec1b1cf60@openssl.org> <CAHP81y-bNDvF9_tQZO0BvrCqPU=Wa71PyraiRm39oh1bJo0sWw@mail.gmail.com>
From: Andy Polyakov <appro@openssl.org>
Message-ID: <3b106ff6-373c-eb5c-c8a8-98cc4a5060ce@openssl.org>
Date: Tue, 19 Sep 2017 13:32:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CAHP81y-bNDvF9_tQZO0BvrCqPU=Wa71PyraiRm39oh1bJo0sWw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/UNuAMzrFJ99kz2SumEHkdLcWJfE>
Subject: Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 11:32:01 -0000
>>>> do we all agree that "consistency" is sufficient by its own? > > To me, a clean and consistent specification has value. I don't deny its value, question was it is sufficient [to justify additional implementation/diversity costs]. >>>> those who choose "easy way out". >>>> because they have dedicated GHASH hardware. > As Adam had mentioned, adding AES-GCM-SIV (to gain misuse resistance) > has its cost anyway, Yes, and assertion is that it could have been *lower* if it was formulated with GHASH and standard CTR. > so adding the bytes swap to that cost is not a big > deal. I think it is very good that we have the easy way out. As already mentioned, there is another actor in the drama, tweaked CTR. If byte swap for GHASH can be considered acceptable (what's your estimate by the way?), question about alternative CTR remains. Thing is that if it's built upon single-block function, its performance would be *significantly* lower in comparison to dedicated optimized CTR subroutine. Well, one can mitigate it by deploying ECB, but not all [OpenSSL] modules have dedicated ECB subroutine... >>>> does it have to be interwoven with specific mode specification? > In fact, one might say that it is GHASH that was interwoven with the > specific mode... Fair point. But was it optimal choice? I mean does it actually mean that it has to be that way even now and for all eternity? :-) Cheers.
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Paterson, Kenny
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Yehuda Lindell
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro
- [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06 Alexey Melnikov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Ted Krovetz
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Watson Ladd
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Adam Langley
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro