Reading this first was helpful for me: https://www.lvh.io/posts/nonce-misuse-resistance-101.html
Going directly to CFRG with this kind of feels like stealing the thunder from the ongoing CAESAR competition.

Unfortunately the only misuse-resistant CAESAR candidate left in the running is AEZ, according to https://aezoo.compute.dtu.dk/doku.php.
Do I understand correctly that the change from GHASH to POLYVAL is basically saying "screw tradition, let's put Little Endian on the wire"?

In general, when you see Little Endian on the wire, that means someone forgot to call htonl() in their code.
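To make the GHASH/POLYVAL byte-order question above concrete, here is an added Python example (not code from this thread or from the AES-GCM-SIV authors) that implements both hashes over plain integers and checks the identity from RFC 8452 Appendix A: POLYVAL(H, X_1..X_n) = ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1)..)). The test vectors are the RFC's; the only real difference is which end of the block holds x^0 and the x^-128 factor in POLYVAL's dot operation.

```python
# Added example: GHASH vs POLYVAL differ only in bit/byte order (and the x^-128 factor).
# Field elements are Python ints with bit i = coefficient of x^i (RFC 8452, Appendix A).
P_GHASH = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1          # x^128 + x^7 + x^2 + x + 1
P_POLYVAL = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # x^128 + x^127 + x^126 + x^121 + 1

def _gf_mul(a, b, poly):
    """Carry-less multiply, then reduce modulo the degree-128 polynomial `poly`."""
    c = 0
    while b:
        if b & 1:
            c ^= a
        a, b = a << 1, b >> 1
    for i in range(c.bit_length() - 1, 127, -1):
        if c >> i & 1:
            c ^= poly << (i - 128)
    return c

def _bitrev128(v):
    return int(f"{v:0128b}"[::-1], 2)

def _ghash_elem(block):
    """GHASH is bit-reflected: x^0 is the MOST significant bit of the FIRST byte."""
    return _bitrev128(int.from_bytes(block, "big"))

def ghash(h, blocks):
    y, hk = 0, _ghash_elem(h)
    for x in blocks:
        y = _gf_mul(y ^ _ghash_elem(x), hk, P_GHASH)
    return _bitrev128(y).to_bytes(16, "big")

def polyval(h, blocks):
    """POLYVAL is little-endian: x^0 is the LEAST significant bit of the FIRST byte; dot(a,b) = a*b*x^-128."""
    s, hk = 0, int.from_bytes(h, "little")
    for x in blocks:
        s = _gf_mul(s ^ int.from_bytes(x, "little"), hk, P_POLYVAL)
        for _ in range(128):                       # multiply by x^-128: divide by x 128 times
            s = (s ^ P_POLYVAL if s & 1 else s) >> 1
    return s.to_bytes(16, "little")

def mulx_ghash(block):
    return _bitrev128(_gf_mul(_ghash_elem(block), 2, P_GHASH)).to_bytes(16, "big")

def mulx_polyval(block):
    return _gf_mul(int.from_bytes(block, "little"), 2, P_POLYVAL).to_bytes(16, "little")

def polyval_via_ghash(h, blocks):
    """RFC 8452 identity: POLYVAL(H, X..) == ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X)..))."""
    return ghash(mulx_ghash(h[::-1]), [x[::-1] for x in blocks])[::-1]
```

The byte reversal maps a polynomial a(x) to x^127 * a(1/x), and the two reduction polynomials are reciprocals of each other, which is why a single mulX on the key absorbs the x^-128 factor.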
For context, this is describing an updated AES-GCM-SIV construction following a number of attacks reported by NSA earlier this year:

https://mailarchive.ietf.org/arch/attach/cfrg/pdfL0pM_N.pdf

Several cryptographers have been wary of this construction, both because of the history of attacks and also because it generally hasn't lived up to the goals of (nonce) "misuse resistant authenticated encryption" as described in the seminal Rogaway paper on the matter:

https://eprint.iacr.org/2006/221.pdf

It will be interesting to see more analysis on the latest version. For the intended use case (QUIC ticket encryption) it would be helpful.