Section 4.2.10: More context for reforgeability resilience

[cjpatton]

I'm fairly familiar with AEAD and have never heard of this property. I think more context would be helpful.

• Are there commonly used AEADs that are vulnerable to reforgery?
• How likely are attacks?
• How do we build AEADs that are resilient to reforgery?

[AndAlBo]

Unfortunately, I don't think I can provide here more context than [FLLW17]. Briefly (as I see it), the notion is relevant for applications such as VoIP, video streaming, or IoT in a lightweight setting. Tags in these scenarios may be relatively short, potentially allowing an adversary to forge a single frame in a stream's lifetime. Without reforgeability resilience, it could then forge the rest of the stream at no cost. As for vulnerable AEADs, GCM and CCM fall into this category. [FLLW17] proposes some countermeasures to reforgery attacks and also suggests that, for example, Deoxys and AEGIS are resilient.

I plan to add lightweight VoIP and streaming as examples of functional applications and provide some examples of resilient AEAD.