Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Mon, 28 March 2016 21:35 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Ted Krovetz <ted@krovetz.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 28 Mar 2016 21:34:47 +0000
Message-ID: <D31F5AA8.684DD%kenny.paterson@rhul.ac.uk>
References: <D31EFD69.68456%kenny.paterson@rhul.ac.uk> <AA010FE1-75FE-49E6-860D-79E1C89FC77E@krovetz.net>
In-Reply-To: <AA010FE1-75FE-49E6-860D-79E1C89FC77E@krovetz.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dhVBJzUGUYMONPw10YL2rYRvlfg>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Hi Ted,

Thanks for sharing your thoughts on these delicate issues. I can't speak for what those running the CAESAR competition might or might not want to do regarding inclusion of AES-GCM-SIV in the competition, nor what the proposers of AES-GCM-SIV might think of that option. The relevant people are generally paying attention to this list; we'll just have to let them put their heads together if they choose to do so.

I can, however, report that the research paper that accompanies the proposal (see https://eprint.iacr.org/2015/102 for the free version) does contain an analysis comparing AES-GCM-SIV to the relevant group of CAESAR candidates - see pages 4 and 5. This might help to start to answer your question of whether AES-GCM-SIV is best-in-class, as you put it, where the class is that of nonce-misuse-resistant AEADs. I don't want to pre-judge that issue, but it looks to me like it offers better performance than the comparable CAESAR candidates, at least on hardware with support for AES-NI and PCLMULQDQ instructions. What's your thinking on that?

If that's correct, then I think it would be unfortunate for us (CFRG) to wait another two years to turn this scheme into an RFC if it's already better than all the other schemes in the same class in the competition for a particularly relevant hardware profile. That need not rule out CFRG adoption of other competition winners in the same class but targeting, for example, constrained environments, after the competition has completed.

Regards,

Kenny

On 28/03/2016 18:41, "Cfrg on behalf of Ted Krovetz" <cfrg-bounces@irtf.org on behalf of ted@krovetz.net> wrote:

>Introducing a new AEAD scheme outside of the CAESAR process devalues
>CAESAR, ultimately reducing CAESAR's importance. It would have been much
>better for AES-GCM-SIV to be introduced as part of the CAESAR process and
>have it win mindshare based on its merits rather than its "first mover"
>status. By advancing this RFC, we likely entrench AES-GCM-SIV to every
>other CAESAR candidate's detriment.
>
>Might it be better to integrate this new proposal with CAESAR somehow?
>Perhaps the CAESAR committee could invite AES-GCM-SIV to become an
>official candidate, and then all the CAESAR candidates could be
>considered by CAESAR and CFRG on level terms? Or barring CAESAR allowing
>AES-GCM-SIV into the competition late, CFRG could delay consideration of
>the AES-GCM-SIV RFC until CAESAR recommends its portfolio. We don't want
>to bless too many AEAD schemes. If AES-GCM-SIV is not best-in-class, we
>don't want to recommend it at all, but we won't know that until CAESAR
>has finished its work.
>
>The end result of delaying the AES-GCM-SIV RFC would likely be a smaller
>number of better AEAD schemes being recommended: either an improved
>AES-GCM-SIV RFC evolves because it goes through a more rigorous vetting
>process and gets improved along the way, or it doesn't get recommended
>and something better does.
>
>Ted Krovetz
>(author of HS1-SIV CAESAR submission)
>
>
>> On Mar 28, 2016, at 7:34 AM, Paterson, Kenny
>> <Kenny.Paterson@rhul.ac.uk> wrote:
>>
>> Dear CFRG,
>>
>> Shay, Adam and Yehuda have asked the CFRG chairs whether their draft for
>> AES-GCM-SIV can be adopted as a CFRG document. We are minded to do so, but
>> first wanted to canvass members of the group for their opinions on taking
>> this step.
>>
>> We are aware of the on-going CAESAR competition for AEAD schemes.
>> AES-GCM-SIV is not a CAESAR candidate. CFRG adopting this document should
>> not be interpreted as competing with or pre-empting the results of that
>> very valuable activity. Indeed, once CAESAR is complete, we hope that some
>> or all of the competition winners will end up being turned into RFCs under
>> the auspices of CFRG.
>>
>> Regards,
>>
>> Kenny (for the chairs)
>>
>>
>> On 06/03/2016 03:50, "Cfrg on behalf of Shay Gueron"
>> <cfrg-bounces@irtf.org on behalf of shay.gueron@gmail.com> wrote:
>>
>>> Hello CFRG,
>>>
>>> We would like to draw your attention to our new submission draft entitled
>>> “AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption”. Posted on
>>> https://www.ietf.org/internet-drafts/draft-gueron-gcmsiv-00.txt
>>>
>>> The submission specifies two authenticated encryption algorithms that are
>>> nonce misuse-resistant. Their performance is expected to be roughly on
>>> par with AES-GCM, when run on modern processors that have AES instructions.
>>>
>>> Security and performance analysis can be found in S. Gueron and Y.
>>> Lindell. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at
>>> Under One Cycle per Byte. In 22nd ACM CCS, pages 109-119, 2015.
>>>
>>> We hope that the CFRG will take this up as a working-group item.
>>>
>>> Thank you,
>>>
>>> Shay Gueron, Adam Langley, Yehuda Lindell
>>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg