Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Tony Arcieri <bascule@gmail.com> Thu, 31 March 2016 01:11 UTC

In-Reply-To: <ba797271296147fdf44e0cc0e13be520.squirrel@www.trepanning.net>
References: <D31EFD69.68456%kenny.paterson@rhul.ac.uk> <6F0FF2D1-BE7B-4793-A872-9AE908BE2B80@gmail.com> <CAHP81y8hTXJJh=Cng+ZqgrpQVrHTX9bzd6c5vTLPVxpS5=GRuw@mail.gmail.com> <ba797271296147fdf44e0cc0e13be520.squirrel@www.trepanning.net>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 30 Mar 2016 18:11:00 -0700
Message-ID: <CAHOTMVJoCAoHgA=TQ+KFk-Om8yJXAGPQ2A4psjdP=aRdo8M=uA@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/np4ZLcNdmLW4eZVFAxZwkQIHDqM>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>

On Wed, Mar 30, 2016 at 12:22 PM, Dan Harkins <dharkins@lounge.org> wrote:

> Would you agree that AEAD_AES_256_GCM_SIV provides no more
> security than AEAD_AES_128_GCM_SIV? I say this because the
> authentication key is 128 bits regardless

I disagree with this. 128 bits of symmetric security is fine today. The
threats where you might want 256-bit encryption are things like
hypothetical future quantum computers which are able to use Grover's
algorithm.

Encryption needs to stand the test of time. Authentication has less
burdensome demands. If it's possible to pull off an online chosen
ciphertext attack after the advent of quantum computers which can use
Grover's algorithm to break 128-bit crypto (10+ years in the future
maybe?), the story might be different, but for long-term confidentiality of
ciphertexts I think a larger key size for a symmetric cipher is more
important.

The same argument can be applied to digital signatures and quantum
cryptography: they matter less than encryption, because we can re-sign data
if a quantum attack seems imminent, but if a quantum attacker already has
access to ciphertexts there's nothing we can do.

-- 
Tony Arcieri