Re: [CFRG] Call for adoption for draft-denis-aegis-aead

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 28 July 2022 19:16 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Crockett, Eric" <ericcro=40amazon.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Call for adoption for draft-denis-aegis-aead
Thread-Index: AQHYkoujVZJRQiw3EkKwXT5yOH+wKq2ULdGAgAATSAD//8OGgA==
Date: Thu, 28 Jul 2022 19:15:23 +0000
Message-ID: <5755C7A7-3073-41E2-89D2-44E0439743B8@ll.mit.edu>
References: <CAMr0u6mGob_+HTNuV01fXrECCheHeZuvC0rZ8c=_JVcBB9Npdw@mail.gmail.com> <e70195fb-9208-4f8a-b78a-728975d3c53e@www.fastmail.com> <228c3ee4e5c14141b8b6e198f56b41da@EX13D20UWA001.ant.amazon.com>
In-Reply-To: <228c3ee4e5c14141b8b6e198f56b41da@EX13D20UWA001.ant.amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yMk5VQedmIuu9j0gc52rMP-tdZk>

> > From the draft:
> >
> > With AEGIS-256, random nonces can be used with no practical limits.
>
> We have use cases where we would like to encrypt >>>2^32 messages
> with random nonces. GCM limits us to 2^32 messages with random IVs,
> and it's not always possible to use deterministic IVs. Even when
> it _is_ possible to use deterministic IVs, we sometimes would like
> to encrypt >>2^64 messages with the same key. So having an AEAD scheme
> which supports a practically-unbounded number of messages per key would be useful.

As I said before, my main problem with AEGIS is that nonce misuse/reuse breaks it.

With that in mind, I think that AEGIS is better than AES-GCM, but worse than an "ideal" AEAD that I'd like to see standardized and widely deployed. 

Thanks

    -----Original Message-----
    From: Martin Thomson <mt@lowentropy.net> 
    Sent: Thursday, July 28, 2022 1:43 PM
    To: cfrg@irtf.org
    Subject: Re: [CFRG] Call for adoption for draft-denis-aegis-aead

    During the meeting I asked what justifies the definition of another AEAD.

    AEGIS looks cool, it's fast, it has a wide block, the key commitment, etc...  But it is still yet another AEAD and that comes with costs.  Not just for this group in terms of documenting and reviewing the work, but for implementations and for interoperation.  In environments where there is no pre-existing AEAD usage, this might be justified, but for those scenarios I work on, AES-GCM or ChaCha20Poly1305 are still vastly superior, simply by virtue of them being widely deployed.

    Are there cases that might use AEGIS but cannot use these other AEADs?

    On Fri, Jul 8, 2022, at 01:27, Stanislav V. Smyshlyaev wrote:
    > Dear CFRG participants,
    >
    > This email commences a 2-week call for adoption for "The AEGIS family 
    > of authenticated encryption algorithms" draft
    > (draft-denis-aegis-aead-05) that will end on July 22nd 2022:
    > https://datatracker.ietf.org/doc/draft-denis-aegis-aead/
    >
    > The document was introduced at the IETF 113 CFRG meeting, see
    > https://datatracker.ietf.org/meeting/113/materials/slides-113-cfrg-aegis-fast-authenticated-encryption-family-00
    >
    > Please give your views on whether this document should be adopted as a 
    > CFRG draft, and if so, whether you'd be willing to help work on 
    > it/review it.
    >
    > Please reply to this email (or in exceptional circumstances you can 
    > email CFRG chairs directly at cfrg-chairs@ietf.org).
    >
    > Thank you,
    > Stanislav (for the chairs)
    > _______________________________________________
    > CFRG mailing list
    > CFRG@irtf.org
    > https://www.irtf.org/mailman/listinfo/cfrg

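The 2^32 figure in Eric's message is the birthday bound on 96-bit random GCM IVs. The following added example (mine, not code from the thread, the draft, or any AEGIS implementation) computes that per-key message budget for an arbitrary nonce size, so the 96-bit versus 256-bit comparison can be checked numerically, and wraps it in a small guard that refuses to hand out random nonces once the budget is spent. The collision-probability target of 2^-32 and the `NonceBudget` helper are assumptions taken from common GCM usage guidance, not from the draft.

```python
import os
from math import isqrt, log2

# Birthday bound: for n uniformly random b-bit nonces,
# P(at least one collision) ~= n*(n-1) / 2^(b+1).


def collision_prob_log2(nonce_bits: int, messages: int) -> float:
    """log2 of the approximate nonce-collision probability for `messages` nonces."""
    if messages < 2:
        return float("-inf")
    return log2(messages) + log2(messages - 1) - (nonce_bits + 1)


def max_messages(nonce_bits: int, prob_limit_log2: int = 32) -> int:
    """Largest n with n*(n-1)/2^(b+1) <= 2^-prob_limit_log2.

    Pure integer arithmetic, so a 256-bit nonce does not overflow a float.
    """
    bound = 1 << (nonce_bits + 1 - prob_limit_log2)
    n = isqrt(bound) + 1
    while n * (n - 1) > bound:
        n -= 1
    return n


class NonceBudget:
    """Hands out random nonces and refuses once the per-key budget is spent.

    Assumed helper for illustration; neither the draft nor the thread defines it.
    """

    def __init__(self, nonce_bits: int, prob_limit_log2: int = 32):
        self.nonce_bytes = nonce_bits // 8
        self.limit = max_messages(nonce_bits, prob_limit_log2)
        self.used = 0

    def next_nonce(self) -> bytes:
        if self.used >= self.limit:
            raise RuntimeError("nonce budget exhausted; rotate the key")
        self.used += 1
        return os.urandom(self.nonce_bytes)


if __name__ == "__main__":
    for bits in (96, 256):
        n = max_messages(bits)
        print(f"{bits}-bit random nonces: ~2^{log2(n):.1f} messages per key "
              f"at collision probability <= 2^-32")
```

For 96 bits the budget lands at roughly 2^32.5 messages, which is where the usual 2^32 GCM guidance comes from; for 256 bits it is roughly 2^112.5, far beyond the >>2^64 messages per key mentioned above.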