Co-creator of GCM agrees it’s not great, would rather you not point that out. https://twitter.com/viega/status/886808443952271360
Replying to @tqbf
GCM is the most widely supported AEAD (read: modern) cipher construction, because of a quirk of standards.
Replying to @tqbf
Specifically: a popular standard AEAD must simultaneously be (1) based on AES, (2) fast, and (3) not patent-encumbered.
Replying to @tqbf
(1) Rules out the ChaPoly family, which should by rights be the most popular AEAD. It’s not based on AES and will never have CPU hardware.
Replying to @tqbf
(2) Rules out things like SIV, which, unlike GCM, are safe for ordinary developers to use without thinking too hard about.
Replying to @tqbf
Strong disagree! SIV is fatal if you need to worry about correlating plaintext. Worst case it can fail as bad as ECB if you apply it wrong.
Replying to @colmmacc
This is a really good point, but I think the GCM failure mode is more realistic, in that it happens routinely.
I know intellectually that whole-message repeats are an issue for SIV, but I never saw a protocol where I could abuse it, so it's not visceral to me.
Replying to @tqbf
Simple examples: would be pretty bad to encrypt passwords, or VOIP traffic, using SIV. Would break VOIP wide-open, which is interesting.
AES-SIV can still take a nonce (i.e. headers)... it doesn't make sense to use it without a nonce except for keywrap
Key-wrap can be its own SIV anti-pattern too :( E.g. wrapping flowlet keys/ids using SIV exposes the system to flowlet-level TA.