Hi Arne,
I read the Accodion mode requirement and a 10 minute presentation does not require a full implementation.
1. (AP)From your initial description, it seems like a separate tag is needed for decryption. Regarding the statement that the "MAC is 32, 24 and 16 to be exact", is length-preserving encryption for things like full-disk encryption also supported?...
[TJP] - These are some basic notes from the Mode Of Operations Abstract Section 4. (Note: The reference to non-secure hash is a CTR block style mask, however, it is random bit based e-mask, FDT is 64-bit or 128 bit., Mask is 16, 24 or 32 ( I can very support shorter sizes, however, in correctness of the 64-bit deprecation, the minimum I have designed in is 128-bits.
ATNA
by design has the added benefit that encryption data elements >= 16 can
benefit from the size-preserving properties of ATNA if implementation retain the
integrity tag (or FDT at least) and hence, available at decryption. Methods
also support the use of fixed elements to simplify such retention.
Implementations can store individual MACs in case such storage is efficient or
store the cumulative final MAC. The MAC is also a tokenized or pseudonym
representation (non-secure hash) of the data. One application is to store this
in a permanent store archive and pass it for decryption on or off the permanent
store (HSM.) This is different than CTR which is not coeval authenticated and
requires HMAC/CMAC for non-coeval authentication.
**Comparative to AES-FF1 and AES-FF2,
there is not format preserving, however, size preserving (>= 16), however,
the output is a unique token (32-bytes) that must be available when decrypting.
Please note that ATNA does address the issue requiring minimum entropy in the
data fields (e.g., AES-FF1 would leak data on data elements < 1,000,000 in
entropy.) This is essential for database type applications where the column records
of a fixed size. The 32-byte tag is necessary for decryption. There is no
secrecy required for the tag.
Note: Though not exact format
preserving, it is easy to map combinations of 16-byte fields for format
preservations.
Disk encryption takes many forms, nothing stops an implementation from reserving some bytes of a sector, set of blocks, files, directories, etc. for a tag. From what designs say you have to perform a FIPS integrity check anyway, hence, the tag serves it's purpose accordingly.
I hope you don't expect me to make the mistake of AES-KW or XTS in a next gen cipher, by the way, my past experience involves working with some of the best mentors who are both leading edge developers and pioneers in these areas.
2. (AP)As to my reference to counter mode: this was in relation to the mode appearing to generate an IV and keystream separate from plaintext processing, as a single-pass mode doesn't provide nonce-misuse resistance (e.g. see
https://doi.org/10.1049/ise2.12110, "NMRE [...] inherently requires off‐line, two‐pass computation"). Of course, there are modes like GCM-SIV that use CTR mode internally.
[TJP] - We have addressed this in a very novel way, again, the design has an embedded FIPS check that prevents nonce misuse and leads to failed encryption, that essentially is the purpose of Coeval Authenticated Encryption. We support speculative decryption (integrity and encryption in same pass optionbally) and is one pass decryption.
[TJP] - PLease refer to my previous patent work
11088838
3b. (AP) - In their feedback on the FIPS-197 review, Microsoft has noted that they forbid random IV generation for AES-GCM. The presentation from Amazon at last year's modes workshop goes into the CES-GCM approach sketched above as well as the alternative approach of prefixing a monotonic counter with a device ID. (The aspect of domain separation in the time dimension described in the patent doesn't seem much different from domain separation in the space dimension, let alone approaches such as TOTP described in RFC 6238 back in 2011.)
TJP] - There are many ways to solve problems, my approach has some unique elements and does not mandate the use a monotonic CTR or a device id, though you could use them, we have a much different and alternate approach.
[TJP] Key Trees are fundamental in ciphering, the atnaCM approach is much different than the usual key tree and suppports specialized pre-processing and auto-keying, from your experience you may have faced the issues when refreshing keys (hurdled chaos) in the multi-channel pipe and we are attempting designs to address that challenge for the 1,2 Billion Pkts/sec (or more) market .
Thank you for your clear indication, however, here is my stance
1. I have passed every single FIPS-CC and UCAPL (now DoD in APL) certification covering almost all of such systems, however, it is when you have a closed mind audience, there is not much we developers can do, personally, you can ask any one who has worked with me, if I have tried to sell grease.
2. My original questions was a precursor to releasing specifications.
3. The FUD is from NIST regarding 128-bit AES and this is the experts viewpoint not mine, isn't that why Accordion considers Rijndael-256 as a fute path.
4. If you look at the Market potential of the atnaCM cipher-mode possible with Cisco, Juniper, Broadcom, Hitachi, HP, Arista and others, what would you expect to achieve. By the way, if you every read my DoD I2O submission, you would have known my take in it, more of an Manager/Architect/Security Advisor/Lead doing good work. By the way, if you read the return of the AES cipher published by NIST a few years ago, you wouldn't doubt unicorn status in a capitalist country.
Just my two cents and really not sure who's wasting who's time.
Thanks,
Tushar