Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

denis bider <ietf-cfrg@denisbider.com> Thu, 31 March 2016 01:56 UTC

Date: Thu, 31 Mar 2016 02:56:40 +0100
Message-ID: <1893951588-3704@skroderider.denisbider.com>
From: denis bider <ietf-cfrg@denisbider.com>
To: Tony Arcieri <bascule@gmail.com>, Dan Harkins <dharkins@lounge.org>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/sSxdv0A035tuZGx2rB34f2N7HPA>

I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to derive the final encryption key.

Regardless of the original input key size, the encryption key is derived in a way that, at some point, is reduced to 128 bits of entropy.

I find this to be a good point, and indeed, a plausible concern.


----- Original Message -----
From: Tony Arcieri
Sent: Wednesday, March 30, 2016 19:11
To: Dan Harkins
Cc: Yehuda Lindell; cfrg@irtf.org; Adam Langley
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

On Wed, Mar 30, 2016 at 12:22 PM, Dan Harkins <dharkins@lounge.org> wrote:
Would you agree that AEAD_AES_256_GCM_SIV provides no more
security than AEAD_AES_128_GCM_SIV? I say this because the
authentication key is 128-bits regardless 

I disagree with this. 128 bits of symmetric security is fine today. The threats where you might want 256-bit encryption are things like hypothetical future quantum computers which are able to use Grover's algorithm.

Encryption needs to stand the test of time. Authentication has less burdensome demands. If it's possible to pull off an online chosen ciphertext attack after the advent of quantum computers which can use Grover's algorithm to break 128-bit crypto (10+ years in the future maybe?), the story might be different, but for long-term confidentiality of ciphertexts I think a larger key size for a symmetric cipher is more important.

The same argument can be applied to digital signatures and quantum cryptography: they matter less than encryption, because we can resign data if a quantum attack seems imminent, but if a quantum attacker already has access to ciphertexts there's nothing we can do.

-- 

Tony Arcieri
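The entropy-bottleneck argument Dan and Denis make above is easy to see in a small model. The following Python is an added illustration, not code from the thread or from the AES-GCM-SIV draft: it assumes a hypothetical derivation of the form KDF(master_key, tag) with HMAC-SHA256 standing in for the draft's block-cipher-based step, and it uses toy widths (an 8-bit tag) so the bound is visible in a few thousand samples. Whatever the master key length, at most 2**tag_bits distinct per-message keys can be produced for one master key, so the derived key's entropy is capped by the narrower input.

```python
import hashlib
import hmac
import random

# Constructed toy model of the concern raised in the thread: if a per-message
# encryption key is derived through a value only `tag_bits` wide, no more than
# 2**tag_bits distinct keys can ever come out for a given master key, whatever
# the master key's length. HMAC-SHA256 stands in for the block-cipher-based
# derivation (an assumption of this example, not the draft's construction).


def effective_key_entropy_bits(master_key_bits: int, tag_bits: int) -> int:
    """Upper bound on the entropy of the derived key: the narrower input wins."""
    return min(master_key_bits, tag_bits)


def derive_message_key(master_key: bytes, tag: bytes, out_len: int) -> bytes:
    """Hypothetical KDF(master_key, tag) -> out_len-byte per-message key."""
    return hmac.new(master_key, tag, hashlib.sha256).digest()[:out_len]


def count_distinct_derived_keys(master_key: bytes, tag_bits: int,
                                samples: int, seed: int = 1) -> int:
    """Draw `samples` random tags of `tag_bits` bits and count how many
    distinct derived keys appear; the result is bounded by 2**tag_bits."""
    rng = random.Random(seed)  # deterministic constructed sample tags
    tag_len = (tag_bits + 7) // 8
    seen = set()
    for _ in range(samples):
        tag = rng.getrandbits(tag_bits).to_bytes(tag_len, "big")
        seen.add(derive_message_key(master_key, tag, 32))
    return len(seen)


if __name__ == "__main__":
    master_256 = bytes(range(32))  # constructed 256-bit master key
    print("effective entropy, 256-bit key through a 128-bit tag:",
          effective_key_entropy_bits(256, 128), "bits")
    # Toy widths: 8-bit tag, 256-bit master key, 5000 messages.
    print("distinct per-message keys from 5000 messages:",
          count_distinct_derived_keys(master_256, 8, 5000), "(max 256)")
```

The simulation saturates at 256 distinct keys no matter how many messages are processed or how long the master key is; scaling the tag to 128 bits gives the 2**128 cap the thread discusses.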
