Thanks Morris,
Very good news. In addition to supporting large volumes there are many strong security reasons for larger block sizes even when processing modest volumes of data.
- The complexity of distinguishing attacks against current AES-256 modes is only ≈ 128 - log2(σ) bits. It can be discussed how dangerous distinguishing attacks are, but TLS 1.3, DTLS 1.3 and QUIC mandates rekeying to limit the complexity of distinguishing attacks to 93.5 bits. 64-bit security against distinguishing attacks as allowed by 800-38D does not feel optimal.
- The complexity of IV collision attacks against AES-256-GCM with random nonces is ≈ |IV| – log2(q). Compared to distinguishing attacks (lack of collisions) this is definitely a serious attack directly affecting practical security.
- The authenticity advantage of AES-GCM has as a factor the Bernstein bound δ ≈ 1 + (q + v)2 ⋅ ℓ2 / 2129, which is tight. Keeping δ ≈ 1 puts a lot of constraints on the usage. Not keeping δ ≈ 1 leads to bad security. NIST should enforce that δ ≈ 1 when updating 800-38D.
-
The expected number of forgeries for AES-CMAC
and AES-CCM with 128-bit tags is cubic in the number of queries.
The above issues are all directly linked to the narrow 128-bit block size of AES. The impact is low security, complex constraints, or both. Rijndael-256 solves all of the issues.
Two very good questions that NIST asked during the Accordion workshop [1–2]
were:
- Should the key schedule be revised to mitigate related-key attacks? As discussed during the workshop, very small changes to the key schedule mitigates related-key attacks, and the performance on x86-64 platforms equipped with AES-NI and VAES is independent of the key schedule. I think NIST has two options. Revise the key schedule or clearly state that NIST does not think related-key attacks needs to be considered in general. I don’t have a preference here.
-
New or adapted modes? I don’t
think CBC, CFB, OFB, or CTR, XTS, KW, or KWP should be allowed. They should be
replaced by better modes. I think CMAC and CCM could be adopted. A CBC-MAC with
Rijndael-256 truncated to 96- or 128-bit behaves like an ideal MAC and offers good
integrity comparable to HMAC-SHA-256/128 and KMAC128. GCM and GMAC should be improved
to behave like an ideal MAC in unicast protocols with replay protection,
including reforgeability resistance.
Cheers,
John
The complexity of distinguishing attacks against current AES-256 modes is only ≈ 128 - log2(σ) bits. It can be discussed how dangerous distinguishing attacks are, but TLS 1.3, DTLS 1.3 and QUIC mandates rekeying to limit the complexity of distinguishing attacks to 93.5 bits. 64-bit security against distinguishing attacks as allowed by 800-38D does not feel optimal.
FYI, on Monday NIST requested public comments by June 25 on a plan to develop a draft standard for Rijndael-256 over the next year.
--
To unsubscribe from this group, send email to ciphermodes-fo...@list.nist.gov
View this message at https://list.nist.gov/ciphermodes-forum
To unsubscribe from this group and stop receiving emails from it, send an email to ciphermodes-fo...@list.nist.gov.