[Cfrg] AES-SIV

Paul Lambert <paul@marvell.com> Tue, 18 March 2014 23:47 UTC

From: Paul Lambert <paul@marvell.com>
To: "perpass@ietf.org" <perpass@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Tue, 18 Mar 2014 16:46:47 -0700
Message-ID: <CF4E28F7.35FA1%paul@marvell.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/lbXpyMkjokAZ_72Z5qC0g8B2hgo
Subject: [Cfrg] AES-SIV
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>

There’s been a debate going on in IEEE 802.11 on using AES-CCM with a fixed nonce for a key wrap versus using AES-SIV:
https://mentor.ieee.org/802.11/documents?is_dcn=DCN%2C%20Title%2C%20Author%20or%20Affiliation&is_group=00ai

In the voting, I see a very strong reaction from Government representatives to any inclusion of AES-SIV in this activity (IMHO).  It’s an interesting AEAD mode that has not been broadly adopted – largely because it’s been impossible to get NIST interested in adding it to their list of approved algorithms (also IMO).  It’s a chicken-and-egg problem: only algorithms that are being used get put on the list … it’s hard to use something not on the list in standards.

AES-SIV is clearly a better ‘key wrap’ algorithm, but there is no literature or recommendations that are adequately prescriptive.

This is an IETF list … so IEEE is not too relevant for activities here, but it might be an interesting exercise to compare the relative merits of SIV versus CCM modes of operation.

Also, online or off, I could really use a ‘famous cryptographers’ quote that AES-CCM is less desirable for key wrap than AES-SIV.  The spec was also using a fixed nonce for CCM since it was only sending two key exchange messages (two fixed values), but this may get changed to a sequence number.  AES-SIV would be a safer choice and much easier to document and implement than a new sequence number.

Thanks,

Paul

PS – IEEE documents are openly available, mailing list is closed (only for voters), voting requires F2F attendance, group is meeting this week in Beijing.