CryptoDB
I want to encrypt 2^64 bytes with AES-GCM using a single key
| Field | Value |
|---|---|
| Authors | Shay Gueron |
| Presentation | Slides |
| Abstract | This talk will discuss a simple approach to “encrypt forever” with a single AES-GCM key. It is called Double-Nonce-Derive-Key AES-GCM (DNDK-GCM) and is based on extending the 96-bit nonce length to any s-bit nonce length for s < 256 (e.g., 192). The security of the resulting AEAD can be proven under the same assumptions that underlie the security of AES-GCM, because no additional cryptographic primitive is involved. The talk will discuss these security margins and explain why it is possible to use DNDK-GCM for processing even a total of 2^64 bytes under one key and remain within the NIST-specified 2^(-32) margins. This implies that the cryptoperiod of a key is not limited by the cryptographic bounds that indicate key wear-out. As a bonus, we will also toss in a key commitment string. By now, DNDK-GCM has become the default encryption mode on Meta infrastructure. The talk will provide a detailed performance analysis to show the cost of DNDK-GCM relative to AES-GCM and to some other AEADs that are being used at Meta. It will explain some considerations and challenges associated with defining and migrating to a new default on live cloud systems, discuss the standards compliance aspect, and provide some numbers on the scale at which this mode operates. |
| Video | https://youtu.be/GsFO4ZQlYS8 |
BibTeX
```bibtex
@misc{rwc-2024-35375,
  title        = {I want to encrypt 2^64 bytes with AES-GCM using a single key},
  note         = {Video at \url{https://youtu.be/GsFO4ZQlYS8}},
  howpublished = {Talk given at RWC 2024},
  author       = {Shay Gueron},
  year         = 2024
}
```