Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06

Andy Polyakov <> Tue, 19 September 2017 11:32 UTC

To: Shay Gueron <>, "" <>
From: Andy Polyakov <>
Date: Tue, 19 Sep 2017 13:32:17 +0200

>>>> do we all agree that "consistency" is sufficient by its own?
> To me, a clean and consistent specification has value.

I don't deny its value; the question was whether it is sufficient [to
justify additional implementation/diversity costs].

>>>> those who choose "easy way out". 
>>>> because they have dedicated GHASH hardware. 
> As Adam had mentioned, adding AES-GCM-SIV (to gain misuse resistance)
> has its cost anyway,

Yes, and the assertion is that it could have been *lower* if it had been
formulated with GHASH and standard CTR.

> so adding the bytes swap to that cost is not a big
> deal. I think it is very good that we have the easy way out.

As already mentioned, there is another actor in the drama, tweaked CTR.
If the byte swap for GHASH can be considered acceptable (what's your
estimate, by the way?), the question about the alternative CTR remains.
The thing is that if it's built upon a single-block function, its
performance would be *significantly* lower in comparison to a dedicated
optimized CTR subroutine. Well, one can mitigate that by deploying ECB,
but not all [OpenSSL] modules have a dedicated ECB subroutine...

>>>> does it have to be interwoven with specific mode specification?
> In fact, one might say that it is GHASH that was interwoven with the
> specific mode...  

Fair point. But was it the optimal choice? I mean, does it actually mean
that it has to be that way even now and for all eternity? :-)
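The byte swap the thread keeps referring to, as an added example that is not part of this message or of the draft's own reference code: POLYVAL computed on a plain GHASH core by byte-reversing the key and every block, pre-multiplying the reversed key by x in GHASH's field, and byte-reversing the result (the relation RFC 8452, the published form of this draft, gives in its Appendix A). Helper names and sample inputs are this example's own.

```python
# Added example (not from the thread): POLYVAL on a GHASH core via byte swaps,
# the relation draft-irtf-cfrg-gcmsiv / RFC 8452 gives in its appendix.
R_GHASH = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 reduction, GCM bit order
P_POLYVAL = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # POLYVAL modulus
def mulx_ghash(v):
    """Multiply by x in GHASH's field; v is a big-endian int, GCM bit 0 = MSB."""
    return (v >> 1) ^ (R_GHASH if v & 1 else 0)

def ghash_mul(x, y):
    """GCM multiplication (SP 800-38D, Algorithm 1) on big-endian 128-bit ints."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = mulx_ghash(v)
    return z

def mulx_polyval(v):
    """Multiply by x in POLYVAL's field; v is a little-endian int, bit i = x^i."""
    v <<= 1
    return v ^ P_POLYVAL if v >> 128 else v

def polyval_dot(a, b):
    """dot(a, b) = a * b * x^-128 mod p, as defined for POLYVAL."""
    z = 0
    for i in range(128):
        if (b >> i) & 1:
            z ^= a
        a = mulx_polyval(a)
    for _ in range(128):  # divide by x 128 times: the x^-128 factor
        z = ((z ^ P_POLYVAL) if z & 1 else z) >> 1
    return z

def ghash(h, blocks):
    y, hi = 0, int.from_bytes(h, "big")
    for blk in blocks:
        y = ghash_mul(y ^ int.from_bytes(blk, "big"), hi)
    return y.to_bytes(16, "big")
def polyval(h, blocks):
    s, hi = 0, int.from_bytes(h, "little")
    for blk in blocks:
        s = polyval_dot(s ^ int.from_bytes(blk, "little"), hi)
    return s.to_bytes(16, "little")

def polyval_via_ghash(h, blocks):
    """POLYVAL on a GHASH core: byte-reverse inputs, pre-multiply the reversed
    key by x in GHASH's field, byte-reverse the result."""
    h_rev = mulx_ghash(int.from_bytes(h[::-1], "big")).to_bytes(16, "big")
    return ghash(h_rev, [b[::-1] for b in blocks])[::-1]
```

The swap costs one byte reversal per input block plus one on the output, which is the "easy way out" the thread weighs against a native POLYVAL implementation.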