[noise] AES-SIV vs AES-GCM
Trevor Perrin
trevp at trevp.net
Sat Sep 29 16:40:49 PDT 2018

On Thu, Sep 27, 2018 at 7:12 AM Arvid Picciani <aep at exys.org> wrote:
>
> the authors of this paper claim their cipher is more misuse resistant than gcm.
>
> https://eprint.iacr.org/2017/168.pdf
> https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-05
>
> Does it make any sense to look at this in the context of noise?

Hi Arvid,

We have an "Unofficial crypto algorithms list" on the Wiki that
assigns names to various algorithms. There's no endorsement of any of
them, but if you wanted to use "AESGCMSIV" you could just name the
Noise protocol like "Noise_XX_25519_AESGCMSIV_SHA256".

https://github.com/noiseprotocol/noise_wiki/wiki/Unofficial-crypto-algorithms-list

Noise requires keys be randomized, so it's hard to say how much benefit a
nonce-misuse-resistant SIV mode gets you in this context. Also,
you'll find AESGCMSIV less widely supported than AESGCM. But there's
probably nothing wrong with using it, either.

Trevor
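
The point about randomized keys, as an added example that is not part of the original message and is not code from the Noise project: it tracks only the (key, nonce) bookkeeping of a Noise CipherState, using the AESGCM nonce encoding from the Noise specification, and counts repeated pairs. Assumptions: `reused_pairs`, the session lists, and the fixed-key scenario are hypothetical, fresh handshake keys are modeled with `os.urandom`, and no encryption is performed.

```python
import os
import struct

MAX_N = 2**64 - 1  # Noise reserves this counter value; it is never used to encrypt


def aesgcm_nonce(n: int) -> bytes:
    """96-bit nonce as the Noise spec defines it for AESGCM:
    32 zero bits followed by the big-endian 64-bit counter n."""
    return b"\x00" * 4 + struct.pack(">Q", n)


class CipherState:
    """Only the (k, n) bookkeeping of a Noise CipherState; no encryption is done."""

    def __init__(self, key: bytes):
        if len(key) != 32:
            raise ValueError("Noise cipher keys are 32 bytes")
        self.k, self.n = key, 0

    def next_pair(self):
        """Return the (key, nonce) pair for the next message and advance n."""
        if self.n == MAX_N:
            raise OverflowError("nonce counter exhausted; start a new session")
        pair = (self.k, aesgcm_nonce(self.n))
        self.n += 1
        return pair


def reused_pairs(sessions, messages_per_session=3):
    """Count (key, nonce) pairs that occur more than once across sessions."""
    seen, repeats = set(), 0
    for key in sessions:
        cs = CipherState(key)
        for _ in range(messages_per_session):
            pair = cs.next_pair()
            if pair in seen:
                repeats += 1
            seen.add(pair)
    return repeats


# Constructed inputs: two sessions keyed with fresh random keys (handshake model) ...
fresh = [os.urandom(32), os.urandom(32)]
# ... versus a hypothetical deployment that restarts twice with one fixed key.
fixed = [bytes(32), bytes(32)]

if __name__ == "__main__":
    print("fresh keys, repeated pairs:", reused_pairs(fresh))
    print("fixed key,  repeated pairs:", reused_pairs(fixed))
```

With fresh per-session keys the counter restarting at zero never repeats a (key, nonce) pair; repeats appear only in the fixed-key case, which is the situation a nonce-misuse-resistant mode is designed for.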