[Cryptography] open questions in secure protocol design?
benl at google.com
Tue May 26 09:35:43 EDT 2015
On 25 May 2015 at 21:55, Stephen Farrell <stephen.farrell at cs.tcd.ie> wrote:
> On 23/05/15 17:19, ianG wrote:
> > 1. One True Cipher Suite versus Algorithm Agility?
> The former simply does not work as an engineering concept.
> Performance counts. Systems with AES h/w come in two practical
> flavours: CCM and GCM and those do not interoperate. There are
> also systems without crypto h/w instructions that need to use
> something in s/w such as chacha.
> Those facts are IMO entirely sufficient to demonstrate that
> the 1TCS concept doesn't work, except in an alternate universe
> where you control all platforms.
> The performance and security characteristics of platforms will
> also vary over time, say if in a few years OCB ended up being
> added to systems that now do either GCM or CCM and provided a
> way to get interop between many more systems whilst using AES
> h/w. That would be a good reason to start wanting to see OCB
> I would really like to see us (IETF and more broadly) make
> progress on limiting pointless ciphersuite proliferation but
> the 1TCS concept is just a distraction that makes real progress
> harder to achieve IMO.
> We ought to be concentrating on how to do the agility thing but
> *much* better than we have to date (so including ways to get
> rid of useless/unused cruft) but we should not be pursuing an
> apparent ideal that is really a broken idea.
The way CT works is neither 1TCS nor agility - if you want to change
ciphersuite, you start a new log. So, it seems there are other parts of the