IETF Logo Mail Archive

Re: [Cfrg] new authenticated encryption draft

Greg Rose <ggr@qualcomm.com> Sun, 20 August 2006 23:00 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEwHY-00047x-DS; Sun, 20 Aug 2006 19:00:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEwHW-00047r-SG for cfrg@ietf.org; Sun, 20 Aug 2006 19:00:38 -0400
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GEwHV-0006Lk-I7 for cfrg@ietf.org; Sun, 20 Aug 2006 19:00:38 -0400
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id k7KN0Vqh015514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 20 Aug 2006 16:00:31 -0700
Received: from [10.30.1.9] (vpn-10-50-16-46.qualcomm.com [10.50.16.46]) by neophyte.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id k7KN0DAN013219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 20 Aug 2006 16:00:26 -0700 (PDT)
Mime-Version: 1.0
Message-Id: <p06230910c10e98a55c4c@[10.30.1.9]>
In-Reply-To: <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
Date: Sun, 20 Aug 2006 16:00:10 -0700
To: Hal Finney <hal.finney@gmail.com>
From: Greg Rose <ggr@qualcomm.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d
Cc: cfrg@ietf.org, "David A. McGrew" <david.a.mcgrew@mindspring.com>
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

At 11:47  -0700 2006/08/20, Hal Finney wrote:
>
>It is outside the scope of your document, but I have found from my
>disk experience that the approach in these algorithms of letting the
>AEAD algorithm manage uniqueness of IVs at the "micro scale" while the
>caller manages uniqueness at the "macro scale" can actually lead to
>very inefficient allocation of IV space. For example, with GCM taking
>an external IV contribution of 64 bits, if the caller is encrypting a
>lot of short messages in a context where it must be stateless and pass
>in a random IV contribution, it can only encrypt 2^32 such messages
>under a given key. The seemingly vast IV space is eroded to a very
>significant limitation similar to what we had in the old days of DES.

This "erosion" only happens if the requirement is that the IV be 
random and unpredictable to an attacker. Most AEAD systems don't 
require this strong guarantee, and any form of Nonce will usually do; 
the only requirement being uniqueness. So the 64 bit input, provided 
in the form of a counter, is good to the same order-of-magnitude 
limit as the block cipher itself.

(Note: I haven't looked at the new mode to verify that this is the 
case, but I think it probably is.)

I've been lightly pushing for a terminology change in this area for some time:
Use "IV" when randomness and/or unpredictability are requirements
Use "Nonce" when uniqueness is the only requirement.

Greg.


_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email