There’s been a debate going on in IEEE 802.11 on using AES-CCM with a fixed nonce for a key wrap versus using AES-SIV:

https://mentor.ieee.org/802.11/documents?is_dcn=DCN%2C%20Title%2C%20Author%20or%20Affiliation&is_group=00ai

In the voting, I see a very strong reaction from Government representatives to any inclusion of AES-SIV in this activity (IMHO). It’s an interesting AEAD mode that has not been broadly adopted – largely because it’s been impossible to get NIST interested in adding it to their list of approved algorithms (also IMO). It’s a chicken-and-egg problem: only algorithms that are being used get put on the list … it’s hard to use something not on the list in standards. AES-SIV is clearly a better ‘key wrap’ algorithm, but there is no literature or recommendations that are adequately prescriptive.

This is an IETF list … so IEEE is not too relevant for activities here, but it might be an interesting exercise to compare the relative merits of SIV versus CCM modes of operation. Also, online or off, I could really use a ‘famous cryptographers’ quote that AES-CCM is less desirable for key wrap than AES-SIV.

The spec was also using a fixed nonce for CCM since it was only sending two key exchange messages (two fixed values), but this may get changed to a sequence number. AES-SIV would be a safer choice and much easier to document and implement than a new sequence number.

Thanks,
Paul

PS – IEEE documents are openly available, mailing list is closed (only for voters), voting requires F2F attendance, group is meeting this week in Beijing.
