[AVTCORE] FW: I-D Action: draft-mattsson-cfrg-aes-gcm-sst-06.txt
John Mattsson <john.mattsson@ericsson.com> Sat, 30 November 2024 08:12 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: IRTF CFRG <cfrg@irtf.org>, IETF AVTCore WG <avt@ietf.org>
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/gsG8dsWVlWDDImX-mMMT46wqdy0>
Hi,

The -06 draft of “Galois Counter Mode with Secure Short Tags (GCM-SST)” includes references to the paper “Generic Security of GCM-SST” by Akiko Inoue, Ashwin Jha, Bart Mennink, and Kazuhiko Minematsu, which has been accepted to ACNS 2025 and was published on the IACR ePrint archive today.

https://eprint.iacr.org/2024/1928

Key contributions of Inoue et al. include:

* The authors prove that GCM-SST achieves security within the nonce-misuse resilience model of Ashur et al. (CRYPTO 2017). This ensures that even if nonces are reused, evaluations of GCM-SST for fresh nonces remain secure.

* They show that masking in GCM-SST can be replaced by non-zero injecting padding of the ciphertext. This optimization reduces the number of AES invocations for approximately 94% of plaintext lengths, improving performance.

* The paper describes a universal forgery attack that improves the complexity of Lindell's attack. However, note that this attack is only relevant if GCM-SST is used without replay protection—a scenario explicitly prohibited since version -04.

* Provides nice drawings comparing the bounds of GCM and GCM-SST, which demonstrate that GCM-SST has significantly reduced the security degradation for truncated tags (the dominating authentication portion improves from 2^t/ℓ to 2^t). See Fig. 3 of the paper.

We will evaluate and consider the non-zero injecting padding optimization for a later version of the draft.

Cheers,
John

On 2024-11-29, 19:08, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

Internet-Draft draft-mattsson-cfrg-aes-gcm-sst-06.txt is now available.

   Title:   Galois Counter Mode with Secure Short Tags (GCM-SST)
   Authors: Matthew Campagna
            Alexander Maximov
            John Preuß Mattsson
   Name:    draft-mattsson-cfrg-aes-gcm-sst-06.txt
   Pages:   23
   Dates:   2024-11-29

Abstract:

   This document defines the Galois Counter Mode with Secure Short Tags
   (GCM-SST) Authenticated Encryption with Associated Data (AEAD)
   algorithm. GCM-SST can be used with any keystream generator, not just
   128-bit block ciphers. The main differences from GCM are the use of an
   additional subkey Q, the derivation of fresh subkeys H and Q for each
   nonce, and the replacement of the GHASH function with the POLYVAL
   function from AES-GCM-SIV. This enables truncated tags with near-ideal
   forgery probabilities and significantly decreases the probability of
   multiple forgeries. GCM-SST is designed for unicast security protocols
   with replay protection and addresses the strong industry demand for
   fast encryption with secure short tags. This document registers several
   instances of GCM-SST using Advanced Encryption Standard (AES) and
   Rijndael-256-256.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-mattsson-cfrg-aes-gcm-sst-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
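To make concrete what the abstract's "replacement of the GHASH function with the POLYVAL function from AES-GCM-SIV" changes and what it does not, the following Python is an added example for this thread, not code from the draft or its authors. It implements POLYVAL (RFC 8452) and GHASH (NIST SP 800-38D) over one shared GF(2^128) routine and checks the byte-reversal identity RFC 8452 gives between them. The GCM-SST-specific parts (per-nonce derivation of H, Q and the mask, and the exact layout of what is fed to POLYVAL) are deliberately not modelled; the H/X_1/X_2 values are the inputs from RFC 8452 Appendix A used as sample data, and NIST GCM test case 2 serves as the known-answer check for GHASH.

```python
"""POLYVAL (RFC 8452) next to GHASH (NIST SP 800-38D) over GF(2^128).
Added example, not code from draft-mattsson-cfrg-aes-gcm-sst; the draft's own
subkey derivation and message encoding are not reproduced here."""
from typing import Iterable, List

# Field moduli as integers: bit i of the integer is the coefficient of x^i.
P_GHASH = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1           # x^128 + x^7 + x^2 + x + 1
P_POLYVAL = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1   # x^128 + x^127 + x^126 + x^121 + 1
# x^-128 in POLYVAL's field, as stated in RFC 8452: x^127 + x^124 + x^121 + x^114 + 1
X_INV128 = (1 << 127) | (1 << 124) | (1 << 121) | (1 << 114) | 1

# Sample inputs: the H, X_1, X_2 values of RFC 8452 Appendix A (used here as data only).
RFC_H = bytes.fromhex("25629347589398885f7aa8ec7ba4eed3")
RFC_X1 = bytes.fromhex("4f4f95668c83dfb6401762bb2d01a262")
RFC_X2 = bytes.fromhex("d1a24ddd3d5bc5af6c6cc5a0ec4cf3ab")


def gf_mul(a: int, b: int, mod: int) -> int:
    """Carry-less multiply a*b in GF(2)[x] (a, b < 2^128), reduced modulo the degree-128 polynomial mod."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(254, 127, -1):          # clear bits 254..128 from the top down
        if (r >> i) & 1:
            r ^= mod << (i - 128)
    return r


# --- POLYVAL: little-endian convention, bit 0 of byte 0 is x^0 -----------------------------
def _pv_in(b: bytes) -> int:
    return int.from_bytes(b, "little")


def polyval_dot(a: int, b: int) -> int:
    """RFC 8452 'dot' operation: a * b * x^-128 mod P_POLYVAL."""
    return gf_mul(gf_mul(a, b, P_POLYVAL), X_INV128, P_POLYVAL)


def polyval(h: bytes, blocks: Iterable[bytes]) -> bytes:
    """S_0 = 0; S_j = dot(S_{j-1} xor X_j, H); returns S_n as 16 bytes."""
    hh, s = _pv_in(h), 0
    for x in blocks:
        s = polyval_dot(s ^ _pv_in(x), hh)
    return s.to_bytes(16, "little")


def mulx_polyval(b: bytes) -> bytes:
    return gf_mul(_pv_in(b), 2, P_POLYVAL).to_bytes(16, "little")


# --- GHASH: bit 7 (MSB) of byte 0 is x^0, i.e. the big-endian integer read bit-reversed ----
def _gh_in(b: bytes) -> int:
    n = int.from_bytes(b, "big")
    return int(f"{n:0128b}"[::-1], 2)


def _gh_out(p: int) -> bytes:
    return int(f"{p:0128b}"[::-1], 2).to_bytes(16, "big")


def ghash(h: bytes, blocks: Iterable[bytes]) -> bytes:
    """S_0 = 0; S_j = (S_{j-1} xor X_j) * H mod P_GHASH; returns S_n as 16 bytes."""
    hh, s = _gh_in(h), 0
    for x in blocks:
        s = gf_mul(s ^ _gh_in(x), hh, P_GHASH)
    return _gh_out(s)


def mulx_ghash(b: bytes) -> bytes:
    return _gh_out(gf_mul(_gh_in(b), 2, P_GHASH))


def polyval_via_ghash(h: bytes, blocks: List[bytes]) -> bytes:
    """RFC 8452 Appendix A identity:
    POLYVAL(H, X_1..X_n) = ByteReverse(GHASH(mulX_GHASH(ByteReverse(H)), ByteReverse(X_1), ...))."""
    return ghash(mulx_ghash(h[::-1]), [x[::-1] for x in blocks])[::-1]


def ghash_gcm_test_case_2() -> bytes:
    """GHASH(H, A, C) for NIST GCM test case 2 (zero key, zero IV, one zero plaintext block):
    H = AES_0(0^128), C = the single ciphertext block, then the bitlen(A) || bitlen(C) block."""
    h = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    lengths = (0).to_bytes(8, "big") + (128).to_bytes(8, "big")
    return ghash(h, [c, lengths])


def polyval_demo() -> bytes:
    """POLYVAL over the RFC 8452 sample inputs, computed directly (compare with polyval_via_ghash)."""
    return polyval(RFC_H, [RFC_X1, RFC_X2])


if __name__ == "__main__":
    print("GHASH(GCM test case 2)   =", ghash_gcm_test_case_2().hex())
    print("POLYVAL(H, X1, X2)       =", polyval_demo().hex())
    print("same via GHASH identity  =", polyval_via_ghash(RFC_H, [RFC_X1, RFC_X2]).hex())
```

The two hashes are the same field written in opposite bit order, which is exactly what `polyval_via_ghash` checks; the extra `x^-128` in `polyval_dot` is what lets POLYVAL work on little-endian blocks without the bit reflection GHASH implementations need. The forgery bounds discussed in the thread come from how GCM-SST keys the hash (fresh H and the additional subkey Q per nonce), not from the polynomial arithmetic itself.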