[TLS] On the efficiency of ETA.

Watson Ladd <watsonbladd@gmail.com> Wed, 04 December 2013 18:43 UTC

Date: Wed, 4 Dec 2013 10:43:05 -0800
Message-ID: <CACsn0ckMnKFzJvi6v=MSahUM-VMCOTTeue45dptRfJzTDZjZQg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Kenny Paterson <Kenny.Paterson@rhul.ac.uk>
Cc: tls@ietf.org
Subject: [TLS] On the efficiency of ETA.

CBC is IV-based, not nonce-based. Turning it into a nonce-based scheme
requires an additional cipher call, and a reexamination of the security
proof. (Naive use of the Bernstein interpolation lemma leads to quartic
loss, as we already have quadratic loss in CBC.)

That leaves us with the IV-based constructions, which all require three
invocations of the MAC. Let's just stick with counter mode + nonce-based MAC:
the efficient, obviously secure choice.

Watson Ladd
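
The IV-versus-nonce distinction in the first paragraph, as an added example that is not part of the original message: with a counter nonce used directly as the CBC IV, two records whose nonce XOR first plaintext block agree produce the same first ciphertext block, while deriving the IV with one extra cipher call removes that relation. Assumptions: the extra call is taken to be IV = E_K(nonce), `E` is a toy Feistel stand-in for a real block cipher, and the key, sample plaintext and all function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16                 # bytes, matching the AES block size
KEY = b"k" * 16            # constructed sample key

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 4-round Feistel permutation standing in for a block cipher (illustration only)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = E(key, xor(prev, p))   # C_i = E_K(C_{i-1} XOR P_i), with C_0 = IV
        out.append(prev)
    return out

def nonce_block(n):
    return n.to_bytes(BLOCK, "big")

def encrypt_naive(key, n, blocks):
    # Nonce used directly as the IV: unique, but predictable to any observer.
    return cbc_encrypt(key, nonce_block(n), blocks)

def encrypt_derived(key, n, blocks):
    # The additional cipher call: IV = E_K(nonce), unpredictable without the key.
    return cbc_encrypt(key, E(key, nonce_block(n)), blocks)

def first_blocks_collide(encrypt, key):
    """Encrypt two records with distinct nonces where P2 = P1 XOR N1 XOR N2."""
    p1 = b"sixteen byte msg"          # constructed 16-byte plaintext block
    p2 = xor(p1, xor(nonce_block(1), nonce_block(2)))
    return encrypt(key, 1, [p1])[0] == encrypt(key, 2, [p2])[0]

if __name__ == "__main__":
    print("nonce as IV, first blocks equal:", first_blocks_collide(encrypt_naive, KEY))
    print("IV = E_K(nonce), first blocks equal:", first_blocks_collide(encrypt_derived, KEY))
```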