Specifically: a popular standard AEAD must simultaneously be (1) based on AES, (2) fast, and (3) not patent-encumbered.
Replying to @tqbf
(1) Rules out the ChaPoly family, which should by rights be the most popular AEAD. It’s not based on AES and will never have CPU hardware.
Replying to @tqbf
(2) Rules out things like SIV, which, unlike GCM, are safe for ordinary developers to use without thinking too hard about.
Replying to @tqbf
Strong disagree! SIV is fatal if you need to worry about correlating plaintext. Worst case it can fail as bad as ECB if you apply it wrong.
You can (and should) just include a nonce in the AAD. Original papers discuss this.
Replying to @neilmaddog @tqbf
SIV is awesome and a big improvement on many nodes, but developers can still get it wrong! Like I said "if you apply it wrong".
That isn't just developers screwing nonces, it also means interpreting SIV as licensed for all use where no state coordination is practical.
True, but does any mode do better? I suppose if it mandated a nonce it would be better, but original application was key-wrap.
Replying to @neilmaddog @tqbf
"better" is use-specific, and (so far) no mode is safe for all purposes. Developers burdened to understand at least that, and seek help.
I think I just thought up the worst use for SIV: password encryption. Reveals length and simple keyed MAC of the password.
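Added example, not code from anyone in this thread: a toy SIV-style construction in Python, where HMAC-SHA256 stands in for AES-SIV's S2V and CTR layers (the key, the AAD label and the password records are all constructed). It shows the determinism being discussed, why nonce-less "password encryption" reveals equal passwords and their length, and the fix of putting a fresh nonce in the AAD.

```python
import hmac
import hashlib
import os

# Constructed toy: an SIV-style deterministic AEAD built from HMAC-SHA256.
# It mirrors AES-SIV's structure (synthetic IV = MAC over AAD + plaintext,
# then that IV drives the stream encryption) but is NOT AES-SIV itself.
KEY = bytes(range(32))  # constructed test key: 16 bytes MAC key, 16 bytes enc key

def _synthetic_iv(mac_key: bytes, aad: list, pt: bytes) -> bytes:
    """MAC over every AAD component and the plaintext (each length-prefixed)."""
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for a in list(aad) + [pt]:
        h.update(len(a).to_bytes(4, "big") + a)
    return h.digest()[:16]

def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode style keystream derived from the synthetic IV."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def siv_encrypt(key: bytes, aad: list, pt: bytes) -> bytes:
    iv = _synthetic_iv(key[:16], aad, pt)
    return iv + bytes(p ^ k for p, k in zip(pt, _keystream(key[16:], iv, len(pt))))

def siv_decrypt(key: bytes, aad: list, ct: bytes) -> bytes:
    iv, body = ct[:16], ct[16:]
    pt = bytes(c ^ k for c, k in zip(body, _keystream(key[16:], iv, len(body))))
    # Recompute the IV over the recovered plaintext; a mismatch means tampering or wrong AAD.
    if not hmac.compare_digest(iv, _synthetic_iv(key[:16], aad, pt)):
        raise ValueError("authentication failed")
    return pt

def encrypt_with_nonce(key: bytes, pt: bytes) -> tuple:
    """The fix from the thread: a fresh random nonce goes into the AAD."""
    nonce = os.urandom(16)
    return nonce, siv_encrypt(key, [b"password-store", nonce], pt)

def decrypt_with_nonce(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return siv_decrypt(key, [b"password-store", nonce], ct)

def equal_ciphertexts(key: bytes, records: list) -> int:
    """Nonce-less 'password encryption': how many records have a repeated ciphertext."""
    cts = [siv_encrypt(key, [b"password-store"], r) for r in records]
    return len(cts) - len(set(cts))
```

Without the nonce, two users with the same password produce byte-identical ciphertexts and every ciphertext is exactly 16 bytes longer than the password; with the nonce in the AAD the ciphertexts diverge while decryption still authenticates.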
From earlier in the thread: https://twitter.com/colmmacc/status/886820804490518530 … - but twitter threading sucks and doesn't show it???
Ah yes, missed the password bit and only remembered the VOIP reference. Apologies.