Re: [Cfrg] new authenticated encryption draft
Greg Rose <ggr@qualcomm.com> Sun, 20 August 2006 23:00 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEwHY-00047x-DS; Sun, 20 Aug 2006 19:00:40 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GEwHW-00047r-SG for cfrg@ietf.org; Sun, 20 Aug 2006 19:00:38 -0400
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GEwHV-0006Lk-I7 for cfrg@ietf.org; Sun, 20 Aug 2006 19:00:38 -0400
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id k7KN0Vqh015514 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sun, 20 Aug 2006 16:00:31 -0700
Received: from [10.30.1.9] (vpn-10-50-16-46.qualcomm.com [10.50.16.46]) by neophyte.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id k7KN0DAN013219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 20 Aug 2006 16:00:26 -0700 (PDT)
Mime-Version: 1.0
Message-Id: <p06230910c10e98a55c4c@[10.30.1.9]>
In-Reply-To: <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com>
Date: Sun, 20 Aug 2006 16:00:10 -0700
To: Hal Finney <hal.finney@gmail.com>
From: Greg Rose <ggr@qualcomm.com>
Subject: Re: [Cfrg] new authenticated encryption draft
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 9466e0365fc95844abaf7c3f15a05c7d
Cc: cfrg@ietf.org, "David A. McGrew" <david.a.mcgrew@mindspring.com>
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
At 11:47 -0700 2006/08/20, Hal Finney wrote: > >It is outside the scope of your document, but I have found from my >disk experience that the approach in these algorithms of letting the >AEAD algorithm manage uniqueness of IVs at the "micro scale" while the >caller manages uniqueness at the "macro scale" can actually lead to >very inefficient allocation of IV space. For example, with GCM taking >an external IV contribution of 64 bits, if the caller is encrypting a >lot of short messages in a context where it must be stateless and pass >in a random IV contribution, it can only encrypt 2^32 such messages >under a given key. The seemingly vast IV space is eroded to a very >significant limitation similar to what we had in the old days of DES. This "erosion" only happens if the requirement is that the IV be random and unpredictable to an attacker. Most AEAD systems don't require this strong guarantee, and any form of Nonce will usually do; the only requirement being uniqueness. So the 64 bit input, provided in the form of a counter, is good to the same order-of-magnitude limit as the block cipher itself. (Note: I haven't looked at the new mode to verify that this is the case, but I think it probably is.) I've been lightly pushing for a terminology change in this area for some time: Use "IV" when randomness and/or unpredictability are requirements Use "Nonce" when uniqueness is the only requirement. Greg. _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew