Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Mon, 28 March 2016 21:35 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Ted Krovetz <ted@krovetz.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 28 Mar 2016 21:34:47 +0000
Message-ID: <D31F5AA8.684DD%kenny.paterson@rhul.ac.uk>
References: <D31EFD69.68456%kenny.paterson@rhul.ac.uk> <AA010FE1-75FE-49E6-860D-79E1C89FC77E@krovetz.net>
In-Reply-To: <AA010FE1-75FE-49E6-860D-79E1C89FC77E@krovetz.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dhVBJzUGUYMONPw10YL2rYRvlfg>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Hi Ted,

Thanks for sharing your thoughts on these delicate issues.

I can't speak for what those running the CAESAR competition might or might
not want to do regarding inclusion of AES-GCM-SIV in the competition, nor
what the proposers of AES-GCM-SIV might think of that option. The relevant
people are generally paying attention to this list; we'll just have to let
them put their heads together if they choose to do so.

I can, however, report that the research paper that accompanies the
proposal (see https://eprint.iacr.org/2015/102 for the free version) does
contain an analysis comparing AES-GCM-SIV to the relevant group of CAESAR
candidates - see pages 4 and 5. This might help to start answering your
question of whether AES-GCM-SIV is best-in-class, as you put it, where the
class is that of nonce-misuse-resistant AEADs.

I don't want to pre-judge that issue, but it looks to me like it offers
better performance than the comparable CAESAR candidates, at least on
hardware with support for AES-NI and PCLMULQDQ instructions. What's your
thinking on that?

If that's correct, then I think it would be unfortunate for us (CFRG) to
wait another two years to turn this scheme into an RFC if it's already
better than all the other schemes in the same class in the competition for
a particularly relevant hardware profile.

That need not rule out CFRG adoption of other competition winners in the
same class but targeting, for example, constrained environments, after the
competition has completed.

Regards,

Kenny 


On 28/03/2016 18:41, "Cfrg on behalf of Ted Krovetz"
<cfrg-bounces@irtf.org on behalf of ted@krovetz.net> wrote:

>Introducing a new AEAD scheme outside of the CAESAR process devalues
>CAESAR, ultimately reducing CAESAR's importance. It would have been much
>better for AES-GCM-SIV to be introduced as part of the CAESAR process and
>have it win mindshare based on its merits rather than its "first mover"
>status. By advancing this RFC, we likely entrench AES-GCM-SIV to every
>other CAESAR candidate's detriment.
>
>Might it be better to integrate this new proposal with CAESAR somehow?
>Perhaps the CAESAR committee could invite AES-GCM-SIV to become an
>official candidate, and then all the CAESAR candidates could be
>considered by CAESAR and CFRG on level terms? Or barring CAESAR allowing
>AES-GCM-SIV into the competition late, CFRG could delay consideration of
>the AES-GCM-SIV RFC until CAESAR recommends its portfolio. We don't want
>to bless too many AEAD schemes. If AES-GCM-SIV is not best-in-class, we
>don't want to recommend it at all, but we won't know that until CAESAR
>has finished its work.
>
>The end result of delaying the AES-GCM-SIV RFC would likely be a smaller
>number of better AEAD schemes being recommended: either an improved
>AES-GCM-SIV RFC evolves because it goes through a more rigorous vetting
>process and gets improved along the way, or it doesn't get recommended
>and something better does.
>
>Ted Krovetz
>(author of HS1-SIV CAESAR submission)
>
>
>
>> On Mar 28, 2016, at 7:34 AM, Paterson, Kenny
>><Kenny.Paterson@rhul.ac.uk> wrote:
>> 
>> Dear CFRG,
>> 
>> Shay, Adam and Yehuda have asked the CFRG chairs whether their draft for
>> AES-GCM-SIV can be adopted as a CFRG document. We are minded to do so, but
>> first wanted to canvass members of the group for their opinions on taking
>> this step.
>> 
>> We are aware of the on-going CAESAR competition for AEAD schemes.
>> AES-GCM-SIV is not a CAESAR candidate. CFRG adopting this document should
>> not be interpreted as competing with or pre-empting the results of that
>> very valuable activity. Indeed, once CAESAR is complete, we hope that some
>> or all of the competition winners will end up being turned into RFCs under
>> the auspices of CFRG.
>> 
>> Regards,
>> 
>> Kenny (for the chairs)
>> 
>> 
>> On 06/03/2016 03:50, "Cfrg on behalf of Shay Gueron"
>> <cfrg-bounces@irtf.org on behalf of shay.gueron@gmail.com> wrote:
>> 
>>> Hello CFRG,
>>> 
>>> 
>>> We would like to draw your attention to our new submission draft entitled
>>> “AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption”. Posted on
>>> https://www.ietf.org/internet-drafts/draft-gueron-gcmsiv-00.txt
>>> 
>>> The submission specifies two authenticated encryption algorithms that are
>>> nonce misuse-resistant. Their performance is expected to be roughly on
>>> par with AES-GCM, when run on modern processors that have AES instructions.
>>> 
>>> Security and performance analysis can be found in S. Gueron and Y.
>>> Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at
>>> Under One Cycle per Byte. In 22nd ACM CCS, pages 109-119, 2015.
>>> 
>>> We hope that the CFRG will take this up as a working-group item.
>>> 
>>> Thank you,
>>> 
>>> 
>>> Shay Gueron, Adam Langley, Yehuda Lindell
>>> 
>>> 
>>> 
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg
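Editor's note: the following worked example is added here and is not code from this thread, from the draft, or from the AES-GCM-SIV authors. It shows concretely what the "nonce misuse-resistant" property discussed above buys. The first half reuses a (key, nonce) pair with standard AES-GCM from the Go standard library and recovers one plaintext from the other, because both messages share one CTR keystream. The second half is a toy SIV-style construction: the tag is computed first over nonce, AAD and plaintext, and then used as the CTR initial counter block, so two different messages under the same nonce get different keystreams. That toy uses HMAC-SHA256 as the PRF and a plain AES-128 CTR key; this is an assumption for illustration only. AES-GCM-SIV itself uses POLYVAL and derives per-nonce AES keys, and the toy does not interoperate with it. The key, nonce and plaintexts are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed sample inputs (not from the thread). The 32-byte key serves as
// an AES-256 key for the AES-GCM half; the toy SIV splits it into a 16-byte
// MAC key and a 16-byte AES-128 key. The nonce is deliberately reused.
var (
	key   = []byte("0123456789abcdef0123456789abcdef")
	nonce = []byte("fixed-nonce!") // 12 bytes
	p1    = []byte("transfer $100 to alice  ")
	p2    = []byte("transfer $999 to mallory")
)

// xorBytes returns a XOR b over their common length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func mustAES(k []byte) cipher.Block {
	b, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	return b
}

// gcmSeal is plain AES-GCM from the standard library.
func gcmSeal(key, nonce, aad, pt []byte) []byte {
	g, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return g.Seal(nil, nonce, pt, aad)
}

// gcmNonceReuseLeak: the same (key, nonce) yields the same CTR keystream, so
// c1 XOR c2 == p1 XOR p2 and an attacker who knows p1 recovers p2 outright.
// (Nonce reuse also exposes the GHASH key and so enables forgeries; that
// second consequence is not reproduced here.)
func gcmNonceReuseLeak(key, nonce, p1, p2 []byte) []byte {
	c1 := gcmSeal(key, nonce, nil, p1)
	c2 := gcmSeal(key, nonce, nil, p2)
	n := len(p1)
	return xorBytes(xorBytes(c1[:n], c2[:n]), p1) // == p2
}

// sivTag derives the synthetic IV as a PRF over nonce, AAD, plaintext and a
// length block. HMAC-SHA256 is an illustrative stand-in for the POLYVAL-based
// tag of AES-GCM-SIV; the construction pattern, not the primitive, is the point.
func sivTag(macKey, nonce, aad, pt []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(aad)))
	binary.BigEndian.PutUint64(lens[8:], uint64(len(pt)))
	mac.Write(nonce)
	mac.Write(aad)
	mac.Write(pt)
	mac.Write(lens[:])
	return mac.Sum(nil)[:16]
}

// toySIVSeal: tag first, then AES-CTR with the tag as the initial counter block.
// Because the tag depends on the plaintext, distinct messages under one nonce
// never share a keystream; identical messages yield identical ciphertext.
func toySIVSeal(key, nonce, aad, pt []byte) []byte {
	macKey, encKey := key[:16], key[16:]
	tag := sivTag(macKey, nonce, aad, pt)
	ct := make([]byte, len(pt))
	cipher.NewCTR(mustAES(encKey), tag).XORKeyStream(ct, pt)
	return append(ct, tag...)
}

// toySIVOpen has to decrypt before it can verify, since the tag covers the
// plaintext; as with AES-GCM-SIV, plaintext is released only after the check.
func toySIVOpen(key, nonce, aad, sealed []byte) ([]byte, bool) {
	if len(sealed) < 16 {
		return nil, false
	}
	macKey, encKey := key[:16], key[16:]
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(mustAES(encKey), tag).XORKeyStream(pt, ct)
	if !hmac.Equal(tag, sivTag(macKey, nonce, aad, pt)) {
		return nil, false
	}
	return pt, true
}

func main() {
	fmt.Printf("AES-GCM, nonce reused: attacker recovers p2 = %q\n", gcmNonceReuseLeak(key, nonce, p1, p2))
	c1 := toySIVSeal(key, nonce, nil, p1)
	c2 := toySIVSeal(key, nonce, nil, p2)
	fmt.Printf("SIV-style, nonce reused: c1^c2 == p1^p2? %v\n",
		bytes.Equal(xorBytes(c1[:len(p1)], c2[:len(p2)]), xorBytes(p1, p2)))
	fmt.Printf("SIV-style, same message twice: identical ciphertext? %v\n",
		bytes.Equal(c1, toySIVSeal(key, nonce, nil, p1)))
}
```

Two practitioner caveats follow from the toy. First, misuse resistance is not a licence to reuse nonces: the scheme is deterministic for fixed (key, nonce, AAD, plaintext), so a repeated nonce still reveals that the same message was sent again, which is the residual leakage of any SIV-style mode. Second, because the tag is computed over the plaintext, decryption cannot verify before decrypting; an implementation must keep the candidate plaintext private until the tag comparison succeeds and must use a constant-time comparison as done with hmac.Equal above.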