[AVTCORE] FW: I-D Action: draft-mattsson-cfrg-aes-gcm-sst-06.txt

John Mattsson <john.mattsson@ericsson.com> Fri, 29 November 2024 18:12 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: IRTF CFRG <cfrg@irtf.org>, IETF AVTCore WG <avt@ietf.org>, "moq@ietf.org" <moq@ietf.org>, "core@ietf.org" <core@ietf.org>
Subject: [AVTCORE] FW: I-D Action: draft-mattsson-cfrg-aes-gcm-sst-06.txt
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/osBlF8QlMQcSt--vOuNRb3Tijuo>
Date: Fri, 29 Nov 2024 18:12:24 -0000

Hi,

The -06 draft of “Galois Counter Mode with Secure Short Tags (GCM-SST)” includes references to the paper “Generic Security of GCM-SST” by Akiko Inoue, Ashwin Jha, Bart Mennink, and Kazuhiko Minematsu, which has been accepted to ACNS 2025 and was published on the IACR ePrint archive today. https://eprint.iacr.org/2024/1928.

Key contributions of Inoue et al. include:

  *   The authors prove that GCM-SST achieves security within the nonce-misuse resilience model of Ashur et al. (CRYPTO 2017). This ensures that even if nonces are reused, evaluations of GCM-SST for fresh nonces remain secure.
  *   They show that masking in GCM-SST can be replaced by non-zero injecting padding of the ciphertext. This optimization reduces the number of AES invocations for approximately 94% of plaintext lengths, improving performance.
  *   The paper describes a universal forgery attack that improves the complexity of Lindell's attack. However, note that this attack is only relevant if GCM-SST is used without replay protection—a scenario explicitly prohibited since version -04.
  *   Provides nice drawings comparing the bounds of GCM and GCM-SST, which demonstrate that GCM-SST has significantly reduced the security degradation for truncated tags (the dominating authentication portion improves from 2^t/ℓ to 2^t). The drawings are included below.

[image: drawings comparing the bounds of GCM and GCM-SST]

We will evaluate and consider the non-zero injecting padding optimization for a later version of the draft.

Cheers,
John

On 2024-11-29, 19:08, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:
Internet-Draft draft-mattsson-cfrg-aes-gcm-sst-06.txt is now available.

   Title:   Galois Counter Mode with Secure Short Tags (GCM-SST)
   Authors: Matthew Campagna
            Alexander Maximov
            John Preuß Mattsson
   Name:    draft-mattsson-cfrg-aes-gcm-sst-06.txt
   Pages:   23
   Dates:   2024-11-29

Abstract:

   This document defines the Galois Counter Mode with Secure Short Tags
   (GCM-SST) Authenticated Encryption with Associated Data (AEAD)
   algorithm.  GCM-SST can be used with any keystream generator, not
   just 128-bit block ciphers.  The main differences from GCM are the
   use of an additional subkey Q, the derivation of fresh subkeys H and
   Q for each nonce, and the replacement of the GHASH function with the
   POLYVAL function from AES-GCM-SIV.  This enables truncated tags with
   near-ideal forgery probabilities and significantly decreases the
   probability of multiple forgeries.  GCM-SST is designed for unicast
   security protocols with replay protection and addresses the strong
   industry demand for fast encryption with secure short tags.  This
   document registers several instances of GCM-SST using Advanced
   Encryption Standard (AES) and Rijndael-256-256.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-mattsson-cfrg-aes-gcm-sst/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-06.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-mattsson-cfrg-aes-gcm-sst-06

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
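The construction the quoted abstract describes, worked through in pure Python as an added example (this is not code from the draft or its authors). It keeps the three features the abstract names: subkeys H and Q derived afresh from the keystream for every nonce, POLYVAL from RFC 8452 in place of GHASH, and a tag truncated to a short length. The keystream generator (a hash in counter mode, standing in for a block cipher, which the abstract permits), the zero-padding and length encoding, and the exact way Q and the mask M enter the tag are this example's own assumptions, not the draft's normative layout; consult the draft for that.

```python
"""Illustrative GCM-SST-style AEAD with per-nonce subkeys and a truncated tag.

Added example, not the draft's code. Field arithmetic follows RFC 8452's POLYVAL;
the keystream generator, padding, length block and tag layout are assumptions.
"""
import hashlib
import hmac
import struct

# POLYVAL lives in GF(2^128) modulo x^128 + x^127 + x^126 + x^121 + 1, with a
# 16-byte block read as a little-endian integer whose bit i is the coefficient of x^i.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1


def _gf_mul(a: int, b: int) -> int:
    """Carry-less multiply two field elements, then reduce modulo _POLY."""
    p = 0
    for i in range(128):
        if (b >> i) & 1:
            p ^= a << i
    for i in range(254, 127, -1):  # clear bits 254..128 from the top down
        if (p >> i) & 1:
            p ^= _POLY << (i - 128)
    return p


# x^-1 = x^127 + x^126 + x^125 + x^120, since x * (x^127 + x^126 + x^125 + x^120) = 1 mod _POLY;
# squaring it seven times yields x^-128, the constant inside POLYVAL's dot product.
X_INV = (1 << 127) | (1 << 126) | (1 << 125) | (1 << 120)
_X_INV128 = X_INV
for _ in range(7):
    _X_INV128 = _gf_mul(_X_INV128, _X_INV128)
# x^128 reduced modulo _POLY; dot(a, X128) must return a unchanged.
X128 = (1 << 127) | (1 << 126) | (1 << 121) | 1


def dot(a: int, b: int) -> int:
    """RFC 8452 dot product: a * b * x^-128 in GF(2^128)."""
    return _gf_mul(_gf_mul(a, b), _X_INV128)


def polyval(h: int, blocks: list) -> int:
    """POLYVAL(H, X_1..X_n): S_j = dot(S_{j-1} xor X_j, H), starting from S_0 = 0."""
    s = 0
    for x in blocks:
        s = dot(s ^ x, h)
    return s


def _blocks(data: bytes) -> list:
    """Zero-pad to a 16-byte multiple and split into little-endian block integers."""
    data = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "little") for i in range(0, len(data), 16)]


def _keystream_block(key: bytes, nonce: bytes, counter: int) -> int:
    """Stand-in keystream generator (hash in counter mode); a deployment would use AES-CTR."""
    digest = hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:16], "little")


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt with keystream blocks 3, 4, ... (blocks 0-2 are the subkeys)."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 16)):
        ks = _keystream_block(key, nonce, 3 + i).to_bytes(16, "little")
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], ks))
    return bytes(out)


def _tag(h: int, q: int, m: int, aad: bytes, ct: bytes, tag_len: int) -> bytes:
    """Two-subkey tag: POLYVAL under H, a second pass under Q, mask M, then truncate."""
    lengths = struct.pack("<QQ", 8 * len(aad), 8 * len(ct))  # assumed length block
    s = polyval(h, _blocks(aad) + _blocks(ct) + _blocks(lengths))
    full_tag = dot(s, q) ^ m  # assumed layout for how Q and M enter the tag
    return full_tag.to_bytes(16, "little")[:tag_len]


def seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes, tag_len: int = 4):
    # Fresh subkeys for every nonce: the first three keystream blocks become H, Q and M.
    h, q, m = (_keystream_block(key, nonce, i) for i in range(3))
    ct = _xor_keystream(key, nonce, pt)
    return ct, _tag(h, q, m, aad, ct, tag_len)


def open_(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    """Return the plaintext, or None if the (short) tag does not verify."""
    h, q, m = (_keystream_block(key, nonce, i) for i in range(3))
    if not hmac.compare_digest(_tag(h, q, m, aad, ct, len(tag)), tag):
        return None  # reject before releasing any plaintext
    return _xor_keystream(key, nonce, ct)
```

Because H, Q and M are functions of the nonce, two records sealed under different nonces share no hashing key, which is the property behind the nonce-misuse resilience result mentioned above; the draft's requirement of replay protection (the receiver never accepting the same nonce twice) still has to be enforced by the surrounding protocol, since nothing in the primitive itself does it.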