Re: [Cfrg] authenticated encryption with replay protection (AERO) - internet draft

Robert Ransom <> Sun, 05 January 2014 17:24 UTC

Date: Sun, 05 Jan 2014 09:24:09 -0800
Message-ID: <>
From: Robert Ransom <>
To: David McGrew <>
Cc: "John Foley (foleyj)" <>

On 1/2/14, David McGrew <> wrote:
> Hi CFRG,
> I have a new proposal for authenticated encryption, which is
> particularly well suited for communication security.   An internet draft
> describing the idea has been published at
> and I would like to
> request a slot at the upcoming CFRG meeting to present this work. (I am
> assuming that we will be meeting in London in March along with IETF
> 89).   I alluded to this work on the thread about misuse resistant
> authenticated encryption earlier today.
>  From the draft:
> Authenticated Encryption with Replay prOtection (AERO)
>     This document describes Authenticated Encryption with Replay
>     prOtection (AERO), a cryptographic technique that provides all of the
>     essential security services needed for communication security. AERO
>     offers several advantages over other methods: it has more compact
>     messages, provides stronger misuse resistance, avoids the need to
>     manage implicit state, and is simpler to use.  This document defines
>     a particular AERO algorithm as well as a registry for such
>     algorithms.
> Comments are welcome, and I especially encourage discussion about the
> appropriate goals for authenticated encryption.  The draft explains the
> rationale well enough, I believe, though it does not mention decryption
> misuse.   I will send a separate note on that topic.
> A formal proof of security has not yet been published, but is believed
> to be possible, and the draft does include a security analysis.

Since AERO uses a large-block block cipher, I believe that the
folklore approach (‘count the bits’) used in the draft is adequate, as
long as it is used with care.  (It can be abused: section 4 (PDF page
6) of <> gives
the example of a standardized protocol which relies on a
replay-prevention counter for part of its message redundancy
(i.e. authentication), but obtains only one bit of redundancy due to
poor design of the replay-prevention mechanism.  Fortunately, the
standard replay-prevention practice in modern protocols would not have
introduced that weakness, and AERO uses the modern standard practice.)

(In other constructions, simply ‘counting the bits’ may require some
theoretical justification, and/or may produce the wrong result.  For
example, in Poly1305-AES, verification is equivalent to recovering s
from the MAC, decrypting it, and checking the result for equality to
the nonce; if w nonces are to be accepted when verifying a single
message, that is equivalent to allowing the attacker to try w times as
many forgery attempts; and the security bounds published for
Poly1305-AES turn out to have a term linear in the number of forgery
attempts (denoted D in the paper).  But the other term (probability of
distinguishing AES from a uniform random permutation after C + D
queries) is also a function of D, and is not necessarily linear in D.)

I noticed that there are IPR disclosures for AERO, with rather nasty
terms.  Exactly what parts of AERO are claimed by the patent and
patent application listed there?

Robert Ransom
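The "count the bits" argument in the reply above, and the contrast between a bounded replay window and a receiver that accepts any counter above the last one seen, can be made exact on a toy model. The following is an added example written for this archive page; it is not AERO, not the draft's construction, and not code from either correspondent. It assumes a wide-block cipher modelled as a 16-bit keyed permutation (a four-round Feistel network with an HMAC-SHA256 round function, chosen only because it is a bijection on small blocks), a plaintext block laid out as an 8-bit sequence number followed by an 8-bit payload, and a receiver whose only authentication check is on the decrypted sequence number. Because the block space is tiny, every ciphertext is enumerated and the number of accepted forgeries is counted exactly rather than estimated.

```python
"""
Toy model of 'counting the bits' of redundancy in a wide-block
encrypt-then-check-sequence-number design.  Constructed example; the
cipher, layout and key are illustrative assumptions, not AERO.
"""
import hashlib
import hmac
import math

SEQ_BITS = 8                      # assumed sequence-number width
PAY_BITS = 8                      # assumed payload width
BLOCK_BITS = SEQ_BITS + PAY_BITS  # 16-bit block, small enough to enumerate
ROUNDS = 4
KEY = b"constructed-demo-key"     # constructed; any key yields a permutation


def _round(key, r, half):
    """Round function: first byte of HMAC-SHA256 over (round index, half)."""
    return hmac.new(key, bytes([r, half]), hashlib.sha256).digest()[0]


def encrypt(key, block):
    """Four-round Feistel permutation on a 16-bit block (two 8-bit halves)."""
    left, right = block >> 8, block & 0xFF
    for r in range(ROUNDS):
        left, right = right, left ^ _round(key, r, right)
    return (left << 8) | right


def decrypt(key, block):
    """Inverse of encrypt: undo the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for r in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, r, left), left
    return (left << 8) | right


def seal(key, seq, payload):
    """Sender: the sequence number travels inside the encrypted block."""
    assert 0 <= seq < 2 ** SEQ_BITS and 0 <= payload < 2 ** PAY_BITS
    return encrypt(key, (seq << PAY_BITS) | payload)


def _split(pt):
    return pt >> PAY_BITS, pt & (2 ** PAY_BITS - 1)


def open_windowed(key, ct, last_seq, window):
    """Receiver with a bounded acceptance window (the modern practice):
    accept iff last_seq < seq <= last_seq + window, else reject."""
    seq, payload = _split(decrypt(key, ct))
    if last_seq < seq <= last_seq + window:
        return seq, payload
    return None


def open_any_greater(key, ct, last_seq):
    """Receiver that accepts *any* sequence number above the last one seen:
    the poorly designed variant, which leaks almost all the redundancy."""
    seq, payload = _split(decrypt(key, ct))
    if seq > last_seq:
        return seq, payload
    return None


def count_accepted(check):
    """Exhaustively count ciphertexts the receiver accepts.  Exact, because
    the cipher is a permutation: each plaintext has exactly one ciphertext."""
    return sum(1 for ct in range(2 ** BLOCK_BITS) if check(ct) is not None)


def redundancy_bits(accepted):
    """Effective authentication redundancy = log2(total / accepted)."""
    return math.log2(2 ** BLOCK_BITS / accepted)


if __name__ == "__main__":
    # Bounded window of 4 after last_seq=0: exactly 4 * 2^PAY_BITS forgeries
    # pass, i.e. SEQ_BITS - log2(4) = 6 bits of redundancy.
    n = count_accepted(lambda ct: open_windowed(KEY, ct, 0, 4))
    print("window=4:       accepted", n, "redundancy", redundancy_bits(n))
    # 'Any greater' receiver after last_seq=127: half the space passes,
    # i.e. only one bit of redundancy.
    n = count_accepted(lambda ct: open_any_greater(KEY, ct, 127))
    print("any-greater:    accepted", n, "redundancy", redundancy_bits(n))
```

The two receivers decrypt identically; only the acceptance rule differs, and that rule alone decides how many of the 65536 possible ciphertexts a forger can get accepted. With a window of w the count is exactly w·2^PAY_BITS, so the redundancy is SEQ_BITS − log2(w) bits, which is the folklore calculation the reply endorses; with the unbounded rule the count depends on where the counter happens to be, and at the midpoint it is exactly half the space, i.e. one bit.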