<i>Using a large nonce is possible but would add protocol overhead, and we intend ZeroTier to be a very low-overhead high performance protocol</i><p>No?<p>"Large" in the context of nonces means "larger than the headroom GCM provides". To get to a place where you can safely use random nonces, you're talking about just a couple extra bytes.<p>This is neither here nor there, since the <i>actual</i> problem this system has is a marketing decision to simultaneously comply with FIPS and use a nonce-based AEAD (which means, in practice, using GCM). But "larger nonce" is, I think, the general "right answer" to this problem, and the logic used here is alarming.
I do not represent an NVLAP lab, but I'd question whether this would pass strict muster for FIPS given IG A.5: <a href="https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf" rel="nofollow">https://csrc.nist.gov/csrc/media/projects/cryptographic-modu...</a><p>(Disclaimer: author of AES-GCM-SIV. Not casting shade here, it's a fair idea! But not sure about the specific FIPS claim.)
Fascinating that FIPS not only permitted but basically <i>encouraged</i> them to roll their own crypto instead of using a standard, well-analyzed system. (They're being cautious about their approach but it's still more work to design something that's as safe as a known approach than to just use the known approach.)<p>I suspect that's the exact opposite of the intention behind FIPS....
Adam Langley also has a good primer post on AES-GCM-SIV:<p><a href="https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html" rel="nofollow">https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html</a>
Obviously SIV is reviewed by people much more familiar with cryptanalysis than I am, but I am not sure how an IV based upon a hash of the message contents is any less likely to collide than an IV that is randomly generated?<p>Isn't the ideal case for a hash that two different inputs will generate outputs exactly as likely to collide as two random numbers?<p>[edit]<p>I found the RFC[1] and it explains it. In SIV mode, the inputs are a (Key, Nonce) just like AES-GCM, but the keys used internally are generated deterministically from the key and nonce, so that each nonce provided uses a different key for the AES primitive, and <i>then</i> uses a synthetically generated (from plaintext) IV as input to AES.<p>1: <a href="https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-05" rel="nofollow">https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-05</a>
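The (key, nonce) key derivation and synthetic-IV structure described in the comment above, as an added illustration that is not part of this thread or of any AES-GCM-SIV implementation: it uses HMAC-SHA256 as a stand-in PRF (an assumption made so the toy runs on the standard library) instead of AES and POLYVAL, so it shows the shape of the construction, not the real algorithm.

```python
import hashlib
import hmac

TAG_LEN = 16  # bytes of synthetic IV / authentication tag


def _prf(key: bytes, data: bytes) -> bytes:
    # Stand-in PRF (assumption for this toy); AES-GCM-SIV uses AES and POLYVAL.
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(key: bytes, nonce: bytes):
    # Separate auth and encryption keys for each (key, nonce) pair, mirroring
    # the per-nonce key derivation the comment above describes.
    return _prf(key, b"auth" + nonce), _prf(key, b"enc" + nonce)


def _keystream(enc_key: bytes, siv: bytes, length: int) -> bytes:
    # Counter mode keyed by the synthetic IV, so the keystream depends on the
    # message itself: a repeated nonce with a new plaintext gives a new stream.
    out = b""
    for counter in range((length + 31) // 32):
        out += _prf(enc_key, siv + counter.to_bytes(4, "big"))
    return out[:length]


def _siv(auth_key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    # Tag over (aad, plaintext); aad is length-prefixed so boundaries are unambiguous.
    return _prf(auth_key, len(aad).to_bytes(8, "big") + aad + plaintext)[:TAG_LEN]


def seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    auth_key, enc_key = derive_keys(key, nonce)
    siv = _siv(auth_key, aad, plaintext)
    stream = _keystream(enc_key, siv, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream)) + siv


def open_(key: bytes, nonce: bytes, aad: bytes, sealed: bytes):
    # Decrypt first, then recompute the tag from the recovered plaintext and
    # compare in constant time; any mismatch (tampering, wrong aad) yields None.
    if len(sealed) < TAG_LEN:
        return None
    ct, siv = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    auth_key, enc_key = derive_keys(key, nonce)
    stream = _keystream(enc_key, siv, len(ct))
    plaintext = bytes(c ^ s for c, s in zip(ct, stream))
    if not hmac.compare_digest(_siv(auth_key, aad, plaintext), siv):
        return None
    return plaintext
```

Repeating a nonce with the same plaintext reproduces the same output, so an observer learns only that two messages were equal; with a different plaintext the synthetic IV, and with it the keystream, changes.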
If the creators of ZeroTier are here, could you consider doing a Kickstarter or something to pay for getting a professional cryptographer to look at it?