[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Christian Huitema huitema at huitema.net
Sun Feb 14 21:21:39 EST 2021

On 2/14/2021 5:57 PM, Peter Gutmann wrote:

> Christian Huitema<huitema at huitema.net>  writes:
>> Please enlighten me, Peter. I see AES-GSM (and ChaCha20-Poly1035) as the two
>> options used to secure QUIC packets. The common knowledge is that this is
>> fine as long as a three conditions hold: a different Nonce is used for each
>> packet, which in QUIC is done by XORing a secret-dependent IV with the 64 bit
>> packet sequence number; the amount of data encrypted with the same key is
>> limited, which in QUIC is done by forcing a key rotation after 2^26  packets
>> for AES- GCM; and the number of decryption errors for the same master secret
>> does not exceed some limit (2^26, I believe).
> I'm going to have to invoke Poe's Law here and ask: Are you making a point via
> satire, or are you serious here?  Given that's it's taken eight lines of
> incomprehensible-to-normal-humans cryptobabble to explain why it's easy to get
> right, I assume the former?
> (I've never met you in person so I don't know what your sense of humour is
> like; if I'd written that it would be meant as satire).

I was not making the case that it is easy to get right, just that when 
used within the narrow domain of applicability it does work. It also 
delivers encryption at high speed -- over 20Gbps when encrypting 1500 
byte packets using Intel's instruction set. And yes, it is very easy to 
get it wrong. For example, some of the proposals to add multipath 
support to QUIC overlooked the "unique nonce" requirement and were 
insecure as a result. And I certainly remember the joy of RC4 and Wi-Fi.

But hey, I do not design my own encryption algorithms. Protocol 
developers like the QUIC folks have to use the available tools. Yes, it 
is easy to use GCM the wrong way, but at least AEAD get us out of the 
debate over encrypt-then-MAC or MAC-then-encrypt. I certainly wish there 
was a better tool in the box, one for example without this brittle 
dependency on nonces. If possible, one that also delivers 20Gbps in my 
scenarios. And one that would not be encumbered by patents. If you have 
that, then sure I can see switching to it.

-- Christian Huitema

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210214/6874531c/attachment.htm>

More information about the cryptography mailing list