Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Thomas Peyrin <thomas.peyrin@gmail.com> Wed, 20 April 2016 09:04 UTC

From: Thomas Peyrin <thomas.peyrin@gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 20 Apr 2016 17:04:21 +0800
Message-ID: <CAA0wV7QY6tTMMp6XauEPXM-r3URxs5y6sOPmKqSDMjrK9PyrZg@mail.gmail.com>
In-Reply-To: <D33CFBBA.6A6ED%kenny.paterson@rhul.ac.uk>
References: <57148B14.7020507@azet.sk> <20160420021208.5285C6031B@jupiter.mumble.net> <D33CFBBA.6A6ED%kenny.paterson@rhul.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/p9NtbB-7UVxTKdsV5zqYoViE6FA>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi,

Sorry to continue this discussion, but I'm still dubious about the
consideration of AES-GCM-SIV. I think there are two questions here:
- the first one is why do we need to push an AEAD now, while the CAESAR
competition will lead to a selected portfolio in a few years?
- the second is if we really want to have an AEAD now, why look at
AES-GCM-SIV only, while there are candidates from the CAESAR competition
(that have probably been much more analysed than AES-GCM-SIV and thus
present a direct important advantage)?

I understand the explanations for the first point (considering an AEAD now
doesn't preclude having CAESAR candidates later as well), but I don't
understand them for the second point. Why do we need to wait for the end of
the CAESAR competition before considering CAESAR candidates instead of
AES-GCM-SIV? I believe we should at least take a short look at the current
algorithms available now, and not only at AES-GCM-SIV.

Cheers,

Thomas.


2016-04-20 16:37 GMT+08:00 Paterson, Kenny <Kenny.Paterson@rhul.ac.uk>:

> Hi
>
> On 20/04/2016 03:13, "Cfrg on behalf of Taylor R Campbell"
> <cfrg-bounces@irtf.org on behalf of campbell+cfrg@mumble.net> wrote:
> >
> >The creators of AES-GCM-SIV and chairs of the CFRG evidently decided
> >that it would be better to sidestep the competition and endorse crypto
> >that is, lacking hardware support, either unusably slow or vulnerable
> >to timing side channels, recommending it for general-purpose use on
> >the internet.
>
> As we said right back at the start, CFRG adopting AES-GCM-SIV does not
> preclude us from also adopting other algorithms when they eventually
> emerge from the CAESAR process. Indeed, we look forward to that happening.
> There's certainly nothing definitive or final about AES-GCM-SIV as far as
> we are concerned.
>
> Moreover, as chairs, we do not "endorse" anything, nor are we deliberately
> side-stepping the CAESAR competition. Rather, we have the difficult task
> of attempting to balance the interests and needs of some participants in
> the group against those of others.
>
> It's fine that you disagree on where we've struck the balance in this
> case, but please do understand that these decisions are not black and
> white.
>
> Regards,
>
> Kenny
>
> >
> >
> >_______________________________________________
> >Cfrg mailing list
> >Cfrg@irtf.org
> >https://www.irtf.org/mailman/listinfo/cfrg