Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Ted Krovetz <ted@krovetz.net> Mon, 28 March 2016 22:46 UTC

From: Ted Krovetz <ted@krovetz.net>
In-Reply-To: <D31F5AA8.684DD%kenny.paterson@rhul.ac.uk>
Date: Mon, 28 Mar 2016 15:46:24 -0700
Message-Id: <25BF4974-98A9-473D-BF2C-012DC6ABE780@krovetz.net>
References: <D31EFD69.68456%kenny.paterson@rhul.ac.uk> <AA010FE1-75FE-49E6-860D-79E1C89FC77E@krovetz.net> <D31F5AA8.684DD%kenny.paterson@rhul.ac.uk>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Z5DwZQ4rxLr4hbSyAM7iaxTQjrs>

> I don't want to pre-judge that issue, but it looks to me like it offers
> better performance than the comparable CAESAR candidates, at least on
> hardware with support for AES-NI and PCLMULQDQ instructions. What's your
> thinking on that?


We've seen AEZ achieve peak performance of 0.63 CPU cycles per byte on Intel Skylake and 1.3 CPU cycles per byte on Apple's A9. And because it doesn't use GF(2^128) operations, AEZ is likely much faster than AES-GCM-SIV on other architectures.

I don't want to make any claims of superiority; I just don't understand what the rush is. Once AES-GCM-SIV is an RFC and starts appearing in protocols, it will be very hard to displace, even if it's not the best choice.

Uri suggested that other proposed AEAD schemes interested in short-circuiting the CAESAR process could submit proposed RFCs to CFRG. Is that what you'd like?

-Ted
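The GF(2^128) operation Ted's performance remark turns on is the multiplication that a GCM-style authenticator performs once per 16-byte block. The block below is an added example, not code from this mail, from the AEZ authors or from the AES-GCM-SIV draft: it implements that multiplication bit-serially, the way a CPU without a carry-less multiply instruction (PCLMULQDQ) has to, using the bit and reduction conventions of NIST SP 800-38D (GCM). The sample operands (`A`, `B`, the test blocks) are constructed here for illustration. AES-GCM-SIV's POLYVAL evaluates a polynomial over the same field under a different bit ordering, so the per-block cost shown is the same kind of work.

```python
# Added example: bit-serial GF(2^128) multiplication as used by GHASH-style
# polynomial authenticators (conventions: NIST SP 800-38D, Algorithm 1).
#
# In GCM's "reflected" representation the coefficient of x^0 is the most
# significant bit of byte 0, so the field element 1 is 0x80 || 0^120 and the
# reduction constant R for x^128 = x^7 + x^2 + x + 1 is 0xE1 || 0^120.
from typing import Iterable

R = 0xE1 << 120                                 # x^7 + x^2 + x + 1, reflected

ONE = (0x80 << 120).to_bytes(16, "big")         # field element 1
X = (0x40 << 120).to_bytes(16, "big")           # field element x
X_127 = (1).to_bytes(16, "big")                 # field element x^127

# Constructed sample operands (not test vectors from any specification).
A = bytes(range(16))
B = bytes(range(16, 32))


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def gf128_mul(a: bytes, b: bytes) -> bytes:
    """Multiply two GF(2^128) elements bit-serially.

    Each call is 128 rounds of shift / test / XOR on 128-bit values. A
    PCLMULQDQ-based implementation does the same product in a handful of
    instructions, which is why the GF(2^128) step dominates on CPUs that
    lack such an instruction.
    """
    if len(a) != 16 or len(b) != 16:
        raise ValueError("GF(2^128) elements are exactly 16 bytes")
    x = int.from_bytes(a, "big")
    v = int.from_bytes(b, "big")
    z = 0
    for i in range(128):
        # Bit i of a (reflected order) is the coefficient of x^i; if set,
        # accumulate the current multiple b * x^i.
        if (x >> (127 - i)) & 1:
            z ^= v
        # v <- v * x. In reflected order that is a right shift; if the
        # x^127 coefficient (least significant bit) falls off, reduce by R.
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z.to_bytes(16, "big")


def ghash(h: bytes, blocks: Iterable[bytes]) -> bytes:
    """Horner-style polynomial hash: Y_i = (Y_{i-1} xor B_i) * H.

    One GF(2^128) multiplication per 16-byte block is the per-block cost the
    thread is comparing against ciphers that avoid the field entirely.
    """
    y = bytes(16)
    for blk in blocks:
        if len(blk) != 16:
            raise ValueError("input must be whole 16-byte blocks")
        y = gf128_mul(_xor(y, blk), h)
    return y


def self_check() -> bool:
    """Algebraic identities that any correct GF(2^128) multiply satisfies."""
    identity = gf128_mul(ONE, A) == A
    commutative = gf128_mul(A, B) == gf128_mul(B, A)
    distributive = gf128_mul(A, _xor(B, ONE)) == _xor(gf128_mul(A, B), A)
    # x^127 * x = x^128 = x^7 + x^2 + x + 1, i.e. the constant R.
    reduction = gf128_mul(X_127, X) == R.to_bytes(16, "big")
    return identity and commutative and distributive and reduction


if __name__ == "__main__":
    print("self-check:", "ok" if self_check() else "FAILED")
    print("A*B =", gf128_mul(A, B).hex())
    print("GHASH over two constructed blocks:", ghash(A, [B, ONE]).hex())
```

The `self_check` identities (identity element, commutativity, distributivity, and the reduction x^127 * x = R) are what to run against any GF(2^128) routine before trusting it; they are independent of test vectors and catch the usual bit-order mistakes.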