Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Bryan Ford <brynosaurus@gmail.com> Wed, 20 April 2016 07:37 UTC

From: Bryan Ford <brynosaurus@gmail.com>
In-Reply-To: <20160420021208.5285C6031B@jupiter.mumble.net>
Date: Wed, 20 Apr 2016 09:37:18 +0200
Message-Id: <2D9489C8-326D-4425-A3A5-DF0C1B8D3CE5@gmail.com>
References: <20160420021208.5285C6031B@jupiter.mumble.net>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/dxNnXAflxGZWi5ajFqtQtM2i7IQ>
Cc: cfrg@irtf.org

On Apr 20, 2016, at 4:13 AM, Taylor R Campbell <campbell+cfrg@mumble.net> wrote:
> The creators of AES-GCM-SIV and chairs of the CFRG evidently decided
> that it would be better to sidestep the competition and endorse crypto
> that is, lacking hardware support, either unusably slow or vulnerable
> to timing side channels, recommending it for general-purpose use on
> the internet.

I have to say I was also quite surprised by the declaration that there is “rough consensus” to adopt.  While I haven’t been following this thread extremely closely, what I remember seeing is:

- 2-3 messages (mostly early on in the thread) explicitly opposed to adoption due to this concern about sidestepping the CAESAR competition
- 2-3 messages expressing explicit support for adoption
- A whole bunch of E-mails discussing various technical issues, but neither explicitly supporting nor opposing adoption as far as I could tell.

I admit I did not do any kind of precise tally on any basis; this is merely my impression, which is why the adoption declaration took me by surprise.

I personally also have deep concerns about CFRG hastily adopting an AEAD proposal that has not received the careful scrutiny that the CAESAR competitors are receiving, especially not primarily on the basis of performance claims.  I have not seen evidence of an urgent need for a misuse-resistant AEAD scheme to be standardized “right now” - and if there were an urgent need, the CFRG should at least choose among those CAESAR competitors still in the running (after the first round) that seem to have received the greatest analysis and community support so far.

Again, just my $.02

B