[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Jon Callas jon at callas.org
Sun Feb 14 20:45:32 EST 2021

> On Feb 14, 2021, at 5:10 PM, Christian Huitema <huitema at huitema.net> wrote:
> Please enlighten me, Peter. I see AES-GSM (and ChaCha20-Poly1035) as the two options used to secure QUIC packets. The common knowledge is that this is fine as long as a three conditions hold: a different Nonce is used for each packet, which in QUIC is done by XORing a secret-dependent IV with the 64 bit packet sequence number; the amount of data encrypted with the same key is limited, which in QUIC is done by forcing a key rotation after 2^26 packets for AES-GCM; and the number of decryption errors for the same master secret does not exceed some limit (2^26, I believe). What part of that is "unsafe at any speed"?

I share Peter's disdain, I just phrase it differently. I refer to GCM as the mode designed for Wile E. Coyote by ACME -- the organization not the RFC 8555, 8737, 8738 protocol. (But really, people; I mean *really*. What a name. I suppose it could have been worse, but other than Certifcate Refresh Automation Protocol would have been worse or one about update mechanisms, but really.)

I trust some people to get it right, like you, anyone with apostolic succession from Dave McGrew or Yannick Sierra or Sean Devlin. It's dangerous. Speaking of Sean read this:

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS, paper at <https://www.blackhat.com/docs/us-16/materials/us-16-Devlin-Nonce-Disrespecting-Adversaries-Practical-Forgery-Attacks-On-GCM-In-TLS-wp.pdf>, talk at <https://www.youtube.com/watch?v=uxuXFK5XKEU>.

People get it wrong. People mess up. Say or think what you want, but people can't get malloc() and free() right, or understand how to use arrays properly. They're not going to get this right, either. You will, of course, but I don't even trust myself to get it right.


More information about the cryptography mailing list