[Ach] The sad story of lonely AES-CTR

Aaron Zauner azet at azet.org
Fri Dec 20 16:39:01 CET 2013


On 20 Dec 2013, at 14:43, ianG <iang at iang.org> wrote:
> 
> I don't want to :)
> 
> There are several things going on here.
> 
> 1.  there has been a big 'thought' shift in the last decade.  We have realised that modes and macs and padding are bad, and we need AE algorithms (because software side is too hard to get right reliably). So things like GCM are thrust forward, but this game has only just begun.  In particular CAESAR is a competition to find a better AE, so we are basically in waiting...
> 
> 2.  There are so many modes and suites and thems and thats that the TLS WG and similar are always arguing about what to do.  There is no particular belief that what is good for users will win those battles. The problem here is that because there are so many suites, and because there is such a battle to get a new suite in place and broadspread use, the suites we have are all last decade's thinking ... so the arguments roll on.
> 
> 3.  Snowden has put the cat amongst the pigeons, everyone is rushing to put in PFS modes, and deprecate all the old stuff.  If one is an archivist of ciphersuites, this is a busy time!  Oh, and we need opportunistic modes.  Oh, and we need ...
> 
> 4.  there is also some patent FUD in there somewhere.
> 
> 5.  There is a big fight between the software people and the hardware people.  They have very big differences which spill out to modes. Software people want logical simplicity, agility, and don't care about parallelizable because it is all done serially anyway.  Hardware people want circuit simplicity but not too much because they're out of a job, and want masses of parallelization, but care less about ultimate security than market adoption for hardware.  So they hate agility.
> 
> 6.  CTR versus anything else has its fans and critics.  CBC too, and both sides argue for a long time.  To my mind, it somewhat depends on context, but really, we need AE....
> 
> 7.  SO, if we switch to stream ciphers like chacha and near-AE-algorithms like poly1305chacha20 then we don't care about a lot of the above.  So the smart money atm is putting poly1305chacha20 into TLS and SSH.
I totally agree.

> 8.  then there is MD5 which is being replaced in all suites ... but does this mean the suite is being changed or dropped?  Then there is SHA1 which should also be replaced, ditto...  And des and t-des and so forth, each "suggestion" causes an issue.
> 
> 
> 
> Ok, that's some things going on in the space.  What it really amounts to is that there is often not one logical reason, but a roomful of interests.  You might not get an answer.
Thanks for your extensive answer!

Aaron
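Point 1 of the reply above (modes plus MACs are easy to get wrong, AE such as GCM is the remedy) in working code, as an added example that is not part of the original post or of any project discussed: it uses Go's standard library with constructed key, IV, nonce and message values, and shows that lone AES-CTR hands back a silently altered plaintext when one ciphertext byte is damaged, while AES-GCM refuses to release anything.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key, IV and nonce (hypothetical; never reuse a nonce under one key).
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
	demoIV    = []byte("ctr-iv-16-bytes!")                 // 16-byte CTR counter block
	demoNonce = []byte("gcm-nonce-12")                     // 12-byte GCM nonce
	// Errors are ignored only because the key length above is fixed and valid.
	block, _ = aes.NewCipher(demoKey)
	aead, _  = cipher.NewGCM(block)
)

// ctrXOR is "lonely" AES-CTR: nothing binds ciphertext to key, so altered input still "decrypts".
func ctrXOR(in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, demoIV).XORKeyStream(out, in)
	return out
}

// corrupt flips byte i of a copy of ct (a line error and an attacker's edit look the same).
func corrupt(ct []byte, i int, mask byte) []byte {
	c := append([]byte(nil), ct...)
	c[i] ^= mask
	return c
}

// CTRDecryptCorrupted returns what AES-CTR hands back for damaged ciphertext: a plaintext, never an error.
func CTRDecryptCorrupted(pt []byte, i int, mask byte) []byte {
	return ctrXOR(corrupt(ctrXOR(pt), i, mask))
}

// GCMDetects reports whether AES-GCM (tag verified before any plaintext is released) rejects the same damage.
func GCMDetects(pt []byte, i int, mask byte) bool {
	ct := aead.Seal(nil, demoNonce, pt, nil)
	_, err := aead.Open(nil, demoNonce, corrupt(ct, i, mask), nil)
	return err != nil
}

func main() {
	pt := []byte("transfer 0010 units") // constructed sample message
	fmt.Printf("AES-CTR: no error, got %q\n", CTRDecryptCorrupted(pt, 9, 0x01))
	fmt.Printf("AES-GCM: rejected damaged ciphertext: %v\n", GCMDetects(pt, 9, 0x01))
}
```

With the sample message, the CTR decryption comes back as "transfer 1010 units" with no indication that anything changed; the GCM Open returns an error instead.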
