[noise] Noise & MEM-AEAD
Philipp Jovanovic
philipp at jovanovic.io
Mon Jan 30 13:10:41 PST 2017
Resending as my EPFL address is not registered to the mailing list. Sorry for the spam.
Philipp
> On 30 Jan 2017, at 22:03, Jovanovic Philipp <philipp.jovanovic at epfl.ch> wrote:
>
> Hey everyone,
>
>> On 30 Jan 2017, at 20:30, Trevor Perrin <trevp at trevp.net> wrote:
>>
>> On Mon, Jan 30, 2017 at 9:59 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>>> Hey Trevor & folks,
>>>
>>> Anyone here interested in a Noise suite involving MEM-AEAD?
>>>
>>> https://eprint.iacr.org/2015/999.pdf
>>>
>>> MEM-AEAD uses the Blake2b permutation, and OPP mode is 0.55
>>> cycles/byte, using only 1 pass, which is pretty much the fastest AEAD
>>> that doesn't involve AES-NI.
>>
>> Seems interesting, fast, smart people behind it.
>
> Thanks Trevor.
>
>>
>> I probably wouldn't use new fast symmetric crypto for anything
>> important until it's been analyzed for several more years.
>>
>> (Maybe you can argue that the NORX/BLAKE2b/BLAKE2/ChaCha/Salsa
>> analysis applies, but I dunno, it's only using 4 rounds of BLAKE2b, so
>> it's not obvious to me how much analysis it inherits).
>>
>> But it would be fun to experiment with, totally support you naming and
>> spec'ing this, linking a doc on the Wiki, etc.
>
> I agree with Trevor here on all points. It will be very interesting to see how the algorithms perform but it’s probably a bit early to use the MEM-AEAD algorithms in an actual tool since the designs are still rather new (even if first external cryptanalysis results are already coming in: https://eprint.iacr.org/2016/1098). Moreover, to confirm Trevor’s intuition, the 4-round versions have a probably rather slim security margin and were more meant to serve as data points for the research paper to see how far we can push it. For an actual deployment, I would rather use at least the 6- or even an 8-round version which still have very good performance numbers at 0.75 cpb and ~1.00 cpb, respectively, while exhibiting a much more comfortable security margin.
>
> Fyi, some other ideas we’ve been tossing around internally for quite some time now (but unfortunately haven’t had the time to finalise) were to specify variants based on the ChaCha permutation and work out MAC- and XOF-modes which might be also of interest in some situations.
>
>>
>> Trevor
>
> All the best
> Philipp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20170130/b9688b11/attachment.sig>
More information about the Noise
mailing list