
[TLS] Re: SIV as WG item?



Supporting only GCM has the advantage that it works well with the "In NIST we trust" model of cryptographic reasoning.

I'm also missing some performance measurements of AES-GCM vs AES-SIV vs AES-CBC+HMAC-SHA1. We have the original papers from the authors, who made the measurements on a 1 GHz PPC processor. I'm not sure how much of an advantage we'd get with more common processors and with optimized code. Right now, I don't know what, if anything, any of the AEAD ciphersuites would give me.

I don't think GCM is seriously flawed at least in its use in TLS or IPsec. But like you, I'm not comfortable claiming it. In this it may be wise to defer to NIST, unless some cryptographer has a different view and would like to weigh in.

On Jan 14, 2008, at 12:23 PM, Simon Josefsson wrote:

Yoav Nir <ynir@xxxxxxxxxxxxxx> writes:

That gives the writers of OpenSSL/GnuTLS/Windows CAPI no guidance.

I think part of my point is that at this time there is not enough
guidance to give: or do we actually know which properties of the various
AEAD proposals are critical for Internet-wide use?

I don't feel comfortable claiming that the nonce-reuse problem in GCM is
never going to lead to serious security problems.  Nor would I feel
comfortable to claim that GCM is inherently flawed because of it.

If there are specifications for several AEAD ciphersuites to choose from,
they would each contain discussions of their applicability. If we only
specify AES-GCM and kill other proposals, I suspect that will make it
more difficult to re-consider the situation later on.

I guess I have argued my point of view now, so I'll try to shut up and
let others talk.

/Simon
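The nonce-reuse difference the two messages argue about, as an added illustration that is not part of the thread: a toy model in which HMAC-SHA256 stands in for the AES block function (so it runs on the standard library alone) contrasts a GCM-style construction, where the keystream depends only on the caller-supplied nonce, with an SIV-style one, where the IV is a PRF over nonce and plaintext. It shows only the confidentiality side; in real AES-GCM a repeated nonce additionally exposes the GHASH authentication key.

```python
import hashlib
import hmac

# Toy model, not AES-GCM or AES-SIV: HMAC-SHA256 replaces the block cipher so the
# example is self-contained. Only the nonce/IV handling mirrors the real designs.

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream: a function of (key, iv) only, as in GCM's CTR part."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def gcm_like_encrypt(key: bytes, nonce: bytes, pt: bytes):
    """GCM-style: caller picks the nonce; reuse means the same keystream is reused."""
    ct = xor(pt, ctr_keystream(key, nonce, len(pt)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return ct, tag

def siv_like_encrypt(key: bytes, nonce: bytes, pt: bytes):
    """SIV-style: IV = PRF(key, nonce || pt) doubles as the tag, so a repeated
    nonce only yields a repeated keystream when the plaintext also repeats."""
    iv = hmac.new(key, nonce + pt, hashlib.sha256).digest()[:16]
    ct = xor(pt, ctr_keystream(key, iv, len(pt)))
    return ct, iv

def siv_like_decrypt(key: bytes, nonce: bytes, ct: bytes, iv: bytes) -> bytes:
    """Decrypt under the synthetic IV, then recompute it to authenticate."""
    pt = xor(ct, ctr_keystream(key, iv, len(ct)))
    expected = hmac.new(key, nonce + pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, iv):
        raise ValueError("authentication failed")
    return pt

def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> dict:
    """Encrypt two equal-length records under one (key, nonce) with each scheme and
    report whether XORing the ciphertexts reveals XOR of the plaintexts."""
    c1, _ = gcm_like_encrypt(key, nonce, pt1)
    c2, _ = gcm_like_encrypt(key, nonce, pt2)
    s1, _ = siv_like_encrypt(key, nonce, pt1)
    s2, _ = siv_like_encrypt(key, nonce, pt2)
    return {
        "gcm_keystream_cancels": xor(c1, c2) == xor(pt1, pt2),   # pt2 = c1^c2^pt1
        "siv_keystream_cancels": xor(s1, s2) == xor(pt1, pt2),   # IVs differ, so no
        "siv_equal_inputs_collide": siv_like_encrypt(key, nonce, pt1)
                                     == siv_like_encrypt(key, nonce, pt1),
    }
```

The SIV variant still leaks whether two records under the same nonce were identical, which is the residual leakage misuse-resistant designs accept.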





_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls