THAT is ZT advantage.
EDIT: I got back to WireGuard after writing this comment, and I may be wrong. I may have misunderstood a lot about wireguard so far, I'll check it again soon.
No?
"Large" in the context of nonces means "larger than the headroom GCM provides". To get to a place where you can safely use random nonces, you're talking about just a couple extra bytes.
This is neither here nor there, since the actual problem this system has is a marketing decision to simultaneously comply with FIPS and use a nonce-based AEAD (which means, in practice, using GCM). But "larger nonce" is, I think, the general "right answer" to this problem, and the logic used here is alarming.
I'm not sure if that's really the right choice, but I could at least see that being their reasoning, especially if they're going for FIPS certification which maybe (correct me if I'm wrong) would care about something being provably impossible rather than just provably unlikely?
(disclaimer: my crypto knowledge is fairly surface level and I'm making this comment in a genuine attempt to learn)
Why? I agree that a larger nonce would be better and that's possible, but even with a larger nonce not having sudden total compromise of authentication on nonce duplication would be a good thing would it not?
Even with larger nonces/IVs nonce reuse can still be an issue. If you store your counter/seed, storage can be corrupted. If you store your counter/seed, your VM can be cloned creating an exact copy of your counter/seed. If you rely on system entropy you can have entropy issues. The latter is fairly common on small and embedded devices including a ton of ARM boards that are on the market. I have actually seen cheapo ARM boards that ship with kernels where /dev/urandom outputs the same bits at boot every time. I imagine it's a combination of disabling every ad-hoc entropy source option in the kernel parameters (because code size!) combined with no non-volatile clock and no hardware entropy source and a very deterministic single in-order core.
Sudden death properties are a footgun and I'm a little surprised that constructions with this property have become the standard. Increasing the size of the nonce/IV just makes the footgun's trigger less squirrely.
This post (I'm the author) is just research notes posted for feedback, not a final design that is shipping. (I edited the post and added a disclaimer just in case people get confused about that.) My goals are four-fold: (1) to avoid sudden death properties entirely, (2) to be fast (on modern hardware with AES acceleration, which pretty much all targets where performance matters), (3) to be potentially FIPS-certifiable if I plug in FIPS libraries/modules for my primitives, and (4) to avoid adding more packet overhead if possible. My thought is that if (1) is achievable then (4) is also achievable.
<rant>
I really find the fear-mongering around crypto to be counterproductive. This post is just an idea, and the problem it is attempting to address is a real one. No, I don't like FIPS either, but I do like making money and numerous large clients do require it. So why not research ways to be FIPS compliant and be better than the average FIPS-compliant (stock AES-GCM with sudden death footgun) implementation? Why is that goal alarming?
Every time I discuss crypto I get people who just chime in with "don't write crypto, just use standard stuff." (I do agree that it's best to use standard stuff if it meets all your goals, that's not the point.)
What does saying that actually accomplish?
The people who really shouldn't write crypto will ignore it because they think they know more than they really know (or their boss is telling them to). The people who should write crypto will ignore it because it doesn't apply to them. The only people who will follow those kinds of admonitions are the people who don't know crypto and know they don't know but want to learn, and they'll be discouraged from doing so.
I learned about crypto because I realized it was hard, ignored this kind of advice, and read and listened to people who did understand it. When I ask questions about crypto or post ideas for feedback I've learned to only pay attention to replies that contain specific information or point out actual specific issues or flaws in a design. I ignore hand-wavey fear mongering that contains no actual content, and I'd encourage others who are interested in learning about crypto or anything else to do the same.
</rant>
1. Nonces large enough that you can safely use random nonces (XSalsa being the best example).
2. Stateful nonces, such as in systems where the nonce is tied to another protocol, or recorded in non-volatile storage.
3. NMR systems where the nonce isn't necessarily large enough to safely use randomly, but the system doesn't fail catastrophically on the rare occasions they collide.
If you're trying to do cryptography on systems with no functioning random number generator, my presumption is you have bigger problems than which AEAD you're using.
I don't have much of a stake in this story. To the extent I do, I guess what I'm here to say is:
* "Performance" and "overhead" aren't good reasons to use a smaller nonce with an AEAD.
* FIPS is bad, and a requirement to be FIPS-compliant will ultimately harm the security of a cryptosystem.
That's it.
You will better answers on Crypto Stack Exchange than on HN, though.
I suspect that's the exact opposite of the intention behind FIPS....
You are correct that part of FIPS is encouraging folks to use previous validated crypto modules instead of going from zero.
However you are not forced to do so - if you write your own crypto and pay to have it FIPS validated, more power to you - that's great. It is more competition.
To be fair, I see nothing obviously wrong with their solution, it's their approach that concerns me.
Yeah, maybe a flight and some expensive beers.
Most academic crypto guys are ecstatic at the thought of someone asking them prior to using their stuff wrong.
(Disclaimer: author of AES-GCM-SIV. Not casting shade here, it's a fair idea! But not sure about the specific FIPS claim.)
Edit: plan is to re-key often enough than plain GCM with 64-bit tags would be "fine" from a FIPS point of view. The goal here is to do better than the FIPS requirement by closing a potential attack vector.
Isn't the ideal case for a hash that two different inputs will generate outputs exactly as likely to collide as two random numbers?
[edit]
I found the RFC[1] and it explains it. In SIV mode, the inputs are a (Key, Nonce) just like AES-GCM, but the keys used internally are generated deterministically from the key and nonce, so that each nonce provided uses a different key for the AES primitive, and then uses a synthetically generated (from plaintext) IV as input to AES.
