Re: [Cfrg] AES GCM SIV analysis

Shay Gueron <> Tue, 31 January 2017 01:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F364129784 for <>; Mon, 30 Jan 2017 17:04:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fQgZWCOhs5Tl for <>; Mon, 30 Jan 2017 17:04:08 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 410B21294AD for <>; Mon, 30 Jan 2017 17:04:08 -0800 (PST)
Received: by with SMTP id o65so20668546ybo.2 for <>; Mon, 30 Jan 2017 17:04:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w/cAzYirsmp1f/owo5GJZgcnbqDJwNCl+8CIEnHf2uQ=; b=Kbt9z6JECm0xG/XAwgn7nTp/VPs94AlOmBspM3nQDp7CXFidSdxGABCyNir5YwQdxZ oYQPF/AE5UnHpgrM/cvVYw1h9PIydkXQThRNWbC4XZPssiXvq2EWuyzZRiIoPnTkDO4I 8DN5jyPK1Vk/c7PJjx/G1VilZlYZ3ENYYUe61Rn+i7ff2vx27GIwoj8hpiZhvljykKj0 u/K+t5wQtMOtWEm9Gab+Odt2MyfGcC0dn6MfYQWTNUnYn0VEP4Em7MQRUWvogmzOce4t uj1mMoarFpNS6W0MLjmy4FOCgZzvR4CHZpOA4mNAVt4yAJrvVOZFKtB1vyF9XVmrDX9y wnow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w/cAzYirsmp1f/owo5GJZgcnbqDJwNCl+8CIEnHf2uQ=; b=ej+8eF/NkZj9+S2bOqzGrSeSd3o25sRr36ZxiU09MvCFBtZAFpNQzl2CPgoAodn9Xe tp3w3ZYeMsf7pqZ922SOZy70xvwCOo/sVAFEE9i97CUgf8HhiGSWWt5heflutxTeSfpT OyWc99j4XEma/nEe7B55UESzhwEQq4F9TdMiY/1F9uG0u93PXDuVwElHoByjcbTz/VA+ h+/OehCSRLNc8z6VxndJm9fkgsJj5FbuSaxqibwyTT8V2YltfhDGZZOGXxpj4RbSNe/p 4n9Tfot0Slnj9MOXoKsZalXfgpZzhbS3ExvJqeqQEkTS6KP2cByCCeijXznM4KCcpYnS mmiQ==
X-Gm-Message-State: AIkVDXKoz2nEX78RJesS2gTalFjhkwfLQ5JyhLHOam9heV0yv5ulIuoPftCym4rcLPFndRmyWs60APuSNPe/nQ==
X-Received: by with SMTP id y1mr13159189ybi.140.1485824647458; Mon, 30 Jan 2017 17:04:07 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 30 Jan 2017 17:04:06 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Shay Gueron <>
Date: Tue, 31 Jan 2017 03:04:06 +0200
Message-ID: <>
To: Alex Cope <>
Content-Type: multipart/alternative; boundary="f403045dc5d24f7b3805475982a5"
Archived-At: <>
Cc: Adam Langley <>, "" <>
Subject: Re: [Cfrg] AES GCM SIV analysis
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Jan 2017 01:04:11 -0000

>>> 1) On X86, no performant implementation of POLYVAL will reduce to
>>> GHASH, as that would result in unnecessarily byte swapping twice
>>> then calling PCLMULQDQ.

I suggest to count the number of byte swaps done with AES-GCM-SIV optimized
implementation on X86 (see the code in my guthub, for example), and the
number of bye swaps done with AES-GCM (take the OpenSSL example).
The answers are: 0 for AES-GCM-SIV and 1 per each block (of the message and
the AAD +1) in OpenSSL.

The identity provided in the spec, relating GHASH and POLYVAL is provided
for convenience, in case someone chooses to re-use software (or hardware).
It is not suggesting that the fastest way to compute POLYVAL is through

The reason is (again) the order of bits inside the bytes. The definition of
AES-GCM which has this order reversed with respect to the order of bits in
the bytes of AES input/output.

In fact, although many would think that AES-GCM operates natively in
GF(2^128) with the reduction polynomial is x^128 + x^7 + x^2 + x + 1, this
is not the case (unless you are reversing the bits in the bytes of each
block). AES-GCM is operating in the field represented by the reduction
polynomial x^128 + x^127 + x^126 + x^121 + 1.

There will be explained in detail in a paper that I will post soon. But
perhaps the slides in my RWC talk could explain this for now (

Regards, Shay

2017-01-30 23:58 GMT+02:00 Alex Cope <>:

> I'm also unconvinced that defining POLYVAL as modulo x^128 + x^127 + x^126
> + x^121 + 1 is better than defining it modulo x^128 + x^7 + x^2 + x + 1.
> My reasons for thinking that  x^128 + x^7 + x^2 + x + 1 is a better
> reducing polynomial are:
> 1) On X86, no performant implementation of POLYVAL will reduce to GHASH,
> as that would result in unnecessarily byte swapping twice then calling
> PCLMULQDQ. The same seems true for any implementation in a little-endian
> machine.
> 2) If the concern is making a less performance sensitive implantation of
> GCM-SIV easier to write given a GCM implantation, the relationship between
> POLYVAL as currently defined and GHASH does help slightly. However,
> implementing finite field multiplication with POLYVAL'S byte ordering
> modulo x^128 + x^7 + x^2 + x + 1 given a reference GHASH implementation is
> quite easy*, and most accidental errors in such implementation will be
> detected by test vectors.  Thus I don't think the current design choice
> makes GCM-SIV substantially easier to implement correctly.
> 3) x^128 + x^7 + x^2 + x + 1 is more 'natural' as as the lexicography
> first irreducible polynomial.  It seems likely that future work that relies
> on finite field multiplication will opt to use the byte ordering of POLYVAL
> because it makes the most sense on little endian machines, and will also
> reduce modulo  x^128 + x^7 + x^2 + x + 1.  I doubt anyone else will want to
> use GHASH as currently defined, but if it were defined modulo x^128 + x^7 +
> x^2 + x + 1, the implementation could be nicely reused. I think that in the
> long term this will lead to more code reuse than having POLYVAL as a one
> off finite field representation.
> If you are strongly concerned reusing dedicated hardware or big-endian
> implementations of GHASH then the current design makes some sense as a
> compromise, but I'm unaware of such requirements.
> Regards
> -Alex
> *I did it recently for a table-based implementation. You can look at the
> patch here:
> On Fri, Jan 27, 2017 at 12:21 PM, Adam Langley <>
> wrote:
>> On Thu, Jan 26, 2017 at 6:26 PM, Dan Harkins <> wrote:
>> >   But that is the definition used in the seminal work on the matter,
>> [1].
>> > If you want to have a different notion concerning a lesser restriction
>> on
>> > nonce reuse then you should use a different term.
>> That paper formalises an advantage that an attacker might have over an
>> ideal scheme. In the same way that block ciphers aren't ideal PRFs,
>> nonce-misuse-resistant schemes aren't hitting that ideal either. RFC
>> 5297 doesn't hit it, at minimum because it'll run out of counter-space
>> after enough messages. AES-GCM-SIV isn't hitting it either.
>> But that doesn't mean that they aren't practically useful.
>> I'm not sure what an ideal NMR AEAD would look like, but it's probably
>> quite different to both RFC 5297 and AES-GCM-SIV and probably looks
>> like a wide-block construction. If someone can point at something they
>> think does hit it, that would be interesting to me at least. (Although
>> perhaps it's well trodden ground for those who are more familiar with
>> the literature than I.)
>> >   Which brings up a question I've resisted asking: Why are you doing
>> this?
>> >
>> >   If you want to have an AEAD scheme that is nonce-misuse resistant that
>> > can use a fast(er) authentication scheme then why not just do RFC 5297
>> > with GHASH instead of AES-CMAC?
>> AES-GCM has lead to a state of the world where our large machines,
>> which need to encrypt and decrypt lots of data, end up having hardware
>> support for AES and GF(128) operations. We would like to take
>> advantage of that because it's hard to beat the speed and power
>> efficiency of dedicated hardware, but sometimes we want not to have to
>> worry about nonces.
>> > You're defining a new irreducible
>> > polynomial that, to my knowledge, is not in existing hardware the way
>> > that PCLMULQDQ using x^128 + x^7 + x^2 + x + 1, is in Intel chips.
>> PCLMULQDQ (and other hardware implementations, to my knowledge) is not
>> specific to that polynomial. Also, the polynomial in AES-GCM-SIV is
>> that polynomial, just with some ordering oddities addressed. See
>> > You're defining a(nother) KDF /inside/ the cipher mode itself instead of
>> > just letting a KDF, which all users of AES-GCM-SIV will use, generate a
>> > double-wide key. And I don't see the reason for either.
>> Our KDF is per-nonce; it's not the same as having a double-width key
>> and partitioning it internally. We do this in order to get better
>> bounds when encrypting very large numbers of messages.
>> Cheers
>> AGL
>> _______________________________________________
>> Cfrg mailing list
> _______________________________________________
> Cfrg mailing list