Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis

Yoav Nir <> Thu, 25 December 2014 06:50 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 280DC1A8733 for <>; Wed, 24 Dec 2014 22:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id p2exUfr2OFpY for <>; Wed, 24 Dec 2014 22:50:55 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c05::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5A75B1A872E for <>; Wed, 24 Dec 2014 22:50:55 -0800 (PST)
Received: by with SMTP id n3so15028127wiv.1 for <>; Wed, 24 Dec 2014 22:50:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=SbiYjzBmMWB5KX32P39PE7ED2FO07edbOFfYqS/7kNc=; b=TTPQy1NWRoXHqyuyqree3aCHzvT8wt/ldB/M8Wlr+jGhBkd7MI/4S71e/ZcVtSMU9v qP0wdVJfNkNDVzWBIUhYg62ofM/qWck7fU6KvS3+qQ6v3AiZtxwj5FsQkE/SBC3bTcQ/ X9Qk04EAY0DZj/v9Qh3qfwNeiO2mnUb5UmQLyyIQGhkiBrMgNzXlI10S28l3ktnKz4Cn 0rHBbhZJh3MA1x3oWMJ7bMZ4qXHSmkzdEyqmZSngCfkMSkiwJMzE87HRYqMjxwJmlrXv r2qPWIMxFFr7bGepsP5m4PjH0Ju/pPmhXKqKb6MR8oIpivF+eKmkucTISB1NE7XExhEk HqJg==
X-Received: by with SMTP id fi8mr58294284wib.77.1419490254078; Wed, 24 Dec 2014 22:50:54 -0800 (PST)
Received: from ([]) by with ESMTPSA id o16sm705269wjw.7.2014. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 24 Dec 2014 22:50:53 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Thu, 25 Dec 2014 08:50:44 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: Michael Clark <>
X-Mailer: Apple Mail (2.1993)
Cc: "<>" <>
Subject: Re: [TLS] AAED ciphers: AES-GCM vs AES-EAX/AES-CCM: a meta-analysis
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Dec 2014 06:50:57 -0000

> On Dec 25, 2014, at 3:01 AM, Michael Clark <> wrote:

<snip />

> I like the idea of >= 256 bits authentication, and the idea of the
> combination of a cipher based MAC and PRF based MAC for AES-GCM, given
> the properties of the AES-GCM CTR mode 'variant' and GHASH GF(2^128).

Why? Why do you want 256-bit or more message authentication?

There is value in making encryption and key agreement more secure. There is great value to attackers in recording a session and later breaking the encryption or the key agreement. Breaking the message authentication after the TLS session has terminated provides no value to the attacker. Messages need to be forged online for the attack to be successful. 

So bit lengths whose only justification is being future-proof for 30 years are not relevant for message authentication. Even for encryption, where there is value in after-the-fact breakage, the BCP being written in UTA recommends 128-bit AES rather than 256-bit.  ChaCha20 uses a 256-bit mostly because of the nature of the algorithm. It would not be any faster if the key was reduced to 128-bit. The same is not true for your proposals.