AES-GCM-SIV is already slated to be incorporated into ring, but is slow (and often vulnerable to timing attacks) on many CPUs.
Fortunately, HS1-SIV is a good alternative. It has a tight security reduction to the security of ChaCha20 under related-key attack. My understanding is that, due to ChaCha20’s construction, this is considered a reasonable assumption. The CAESAR competition has a couple other nonce-misuse-resistant AEADs, but none of the others have a security assumption to an already-established cipher, which is why I chose HS1-SIV.
If it is not a reasonable assumption, then it should not be too difficult to whip up a different nonce-misuse-resistant AEAD based on ChaCha20 and Poly1305, and possibly a hash function such as Blake2b or SHA256. My understanding (don’t quote me on this – I’m just an amateur!) is that there are many secure ways to do this. The hard part would be choosing one.
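The issue contrasts an ordinary nonce-based AEAD with a nonce-misuse-resistant (SIV-style) one. The following is an added example, not code from this issue or from ring, that shows the structural difference and what each construction leaks when a nonce is reused. It uses HMAC-SHA256 both as the MAC and as a counter-mode keystream generator so that it runs with the Python standard library alone; those are stand-ins for Poly1305/ChaCha20, and the construction is a generic synthetic-IV sketch, not HS1-SIV or any CAESAR candidate. The key, nonce and plaintexts are constructed sample values.

```python
import hmac
import hashlib


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the MAC key from the encryption key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for ChaCha20).
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _encode(*parts: bytes) -> bytes:
    # Length-prefix each field so (nonce, ad, data) boundaries are unambiguous.
    return b"".join(len(p).to_bytes(8, "little") + p for p in parts)


def _mac(mac_key: bytes, *parts: bytes) -> bytes:
    return hmac.new(mac_key, _encode(*parts), hashlib.sha256).digest()


def nonce_based_encrypt(key, nonce, ad, pt):
    """Ordinary nonce-based AEAD shape (encrypt-then-MAC): the keystream is
    derived from the nonce alone, so security rests on never repeating it."""
    ct = _xor(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt)))
    return ct, _mac(_subkey(key, b"mac"), nonce, ad, ct)


def siv_encrypt(key, nonce, ad, pt):
    """SIV shape: the tag is a MAC over (nonce, ad, plaintext) and doubles as the
    IV for the keystream, so a repeated nonce only repeats the keystream when the
    whole (nonce, ad, plaintext) triple repeats."""
    tag = _mac(_subkey(key, b"mac"), nonce, ad, pt)
    ct = _xor(pt, _keystream(_subkey(key, b"enc"), tag, len(pt)))
    return ct, tag


def siv_decrypt(key, nonce, ad, ct, tag):
    # Decrypt under the received tag, then recompute the MAC over the recovered
    # plaintext; any change to ct, ad, nonce or tag makes the check fail.
    pt = _xor(ct, _keystream(_subkey(key, b"enc"), tag, len(ct)))
    if not hmac.compare_digest(_mac(_subkey(key, b"mac"), nonce, ad, pt), tag):
        raise ValueError("authentication failed")
    return pt


# Constructed sample values (hypothetical, for illustration only).
KEY = bytes(range(32))
NONCE = b"\x00" * 12            # deliberately reused below
PT1 = b"transfer 100 to alice"
PT2 = b"transfer 900 to bobby"  # same length as PT1


def nonce_reuse_comparison(key=KEY, nonce=NONCE, pt1=PT1, pt2=PT2):
    """Encrypt two plaintexts under the same nonce with both constructions and
    report what an observer of the two ciphertexts can learn."""
    c1, _ = nonce_based_encrypt(key, nonce, b"", pt1)
    c2, _ = nonce_based_encrypt(key, nonce, b"", pt2)
    s1, t1 = siv_encrypt(key, nonce, b"", pt1)
    s2, t2 = siv_encrypt(key, nonce, b"", pt2)
    s1_again, t1_again = siv_encrypt(key, nonce, b"", pt1)
    return {
        # Nonce-based: ct1 XOR ct2 == pt1 XOR pt2, the classic two-time-pad leak.
        "nonce_based_xor_leaks": _xor(c1, c2) == _xor(pt1, pt2),
        # SIV: distinct plaintexts get distinct synthetic IVs, so no such relation.
        "siv_xor_leaks": _xor(s1, s2) == _xor(pt1, pt2),
        # SIV's residual leak: an identical (nonce, ad, pt) gives identical output.
        "siv_repeats_identical_message": (s1, t1) == (s1_again, t1_again),
        "siv_roundtrip": siv_decrypt(key, nonce, b"", s1, t1) == pt1,
    }


def siv_rejects_tampering(key=KEY, nonce=NONCE, pt=PT1):
    """Flip one ciphertext bit and confirm decryption fails authentication."""
    ct, tag = siv_encrypt(key, nonce, b"", pt)
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]
    try:
        siv_decrypt(key, nonce, b"", flipped, tag)
    except ValueError:
        return True
    return False
```

The two-pass structure (MAC the plaintext first, then encrypt under the resulting IV) is what makes SIV modes misuse-resistant and is also why they cannot be streamed: the whole message must be seen before the first ciphertext byte can be produced. The residual leak under nonce reuse is only message equality, which is the property the issue is asking for.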
There are no plans to do this unless/until there's a compelling use case. In particular the CAESAR contest is over and HS1-SIV wasn't included in the final selection, so the use case would have to be really compelling for us to include it now.