Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Gueron, Shay" <shay.gueron@gmail.com> Fri, 15 April 2016 16:13 UTC

From: "Gueron, Shay" <shay.gueron@gmail.com>
To: Aaron Zauner <azet@azet.org>
Date: Fri, 15 Apr 2016 16:13:22 +0000
Message-Id: <emf2010780-3b17-4624-9138-2e9af03f589a@sgueron-mobl3>
User-Agent: eM_Client/6.0.24316.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB1E3448CF-2CBE-4528-A1C9-E70FB36A39B6"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/0K934T8tA7s5-42QKfkTu7AwKKI>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Hi Aaron,

Thanks for the comment, but I believe your conclusion is not correct.

AES-GCM-SIV (128/256 bit key) which is proposed for CFRG is a fully 
nonce misuse resistant authenticated encryption scheme.

This means the following: repeating a nonce will not leak any 
information except if the same nonce and the same message are encrypted. 
In that case, an adversary could only know that the two identical 
messages were encrypted (this cannot be avoided in any deterministic 
scheme).

Of course, there are limits to the number of times messages can be 
encrypted with the same key. The security margins of the CCS2015 paper 
(original scheme) were proven there.

The CFRG submission extends the number of times that a single key 
(either 128 or 256 bits) can be used - and gets better bounds - at the 
cost of extra key expansion, as specified (we will publish the improved 
bounds).

However, if a user chooses to use the scheme to send many (e.g., ~2^48) 
messages while always repeating the same nonce, then AES-GCM-SIV simply 
reduces to the GCM-SIV of the CCS2015 paper (and the synthetic IVs 
will, with high probability, collide). This is inevitable under such a 
"nonce abuse" scenario. Basically, this case would behave similarly to 
AES-GCM with a random 96-bit nonce, used ~2^48 times with the same key.

What else can be expected?

I hope this clarifies the situation.

Thanks, Shay

------ Original Message ------
From: "Aaron Zauner" <azet@azet.org>
To:
Cc: "Yehuda Lindell" <yehuda.lindell@biu.ac.il>; "cfrg@irtf.org" 
<cfrg@irtf.org>; "Adam Langley" <agl@google.com>
Sent: 4/15/2016 8:48:07 AM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document ---- Some clarifications

>Hi,
>
>Went through past discussion on the proposal, the draft and (also) 
>noticed the security considerations section and Adam's reply over here: 
>https://www.ietf.org/mail-archive/web/cfrg/current/msg08030.html
>
>So I think it's worth noting in the document that this proposal isn't 
>"as" nonce misuse resistant to the extent that some people may assume 
>it is by the title/abstract. i.e. GCM-SIV speaks of "Fully nonce misuse 
>resistance" while AES-GCM-SIV uses the term "Nonce misuse resistance" - 
>it may be well worth going into more detail in the draft on the matter 
>and clarifying. Please correct me if I'm completely off-course here.
>
>Aaron
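An added example, not code from this thread, from the AES-GCM-SIV draft or from its authors, illustrating the two points in Shay's reply: (1) under nonce reuse a deterministic SIV construction reveals only whether two identical (nonce, AAD, message) inputs were encrypted, whereas a plain nonce-derived keystream (the encryption half of a GCM-style mode) reuses its keystream and so reveals the XOR of the two plaintexts; (2) the birthday bound that makes ~2^48 synthetic IVs drawn from a 96-bit space collide with probability about 1/2. The SIV mode below is a toy built from HMAC-SHA256 in the standard library, standing in for AES and POLYVAL; it follows the SIV structure (tag computed over nonce, AAD and plaintext, then used as the counter-mode IV) but is not AES-GCM-SIV, and the key, nonce and messages are constructed sample values.

```python
# Added example: toy SIV vs. nonce-derived keystream, standard library only.
# HMAC-SHA256 stands in for AES (keystream) and POLYVAL (tag); NOT AES-GCM-SIV.
import hmac
import hashlib

TAG_LEN = 16  # synthetic IV / tag length in bytes, as in AES-GCM-SIV

# Constructed sample inputs, not real keys or traffic.
KEY = bytes(range(64))          # 32-byte MAC key || 32-byte encryption key
NONCE = b"\x00" * 11 + b"\x01"  # a 96-bit nonce that every call below reuses
AAD = b"header"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream PRF(enc_key, iv || counter), truncated to length."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        block_input = iv + counter.to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Keystream derived from the nonce alone (GCM-style encryption half).
    Reusing (key, nonce) reuses the whole keystream."""
    return _xor(plaintext, _keystream(key[32:], nonce, len(plaintext)))


def _synthetic_iv(mac_key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    # PRF over nonce, AAD and plaintext; AAD is length-prefixed so the
    # (aad, plaintext) boundary is unambiguous.
    data = nonce + len(aad).to_bytes(8, "big") + aad + plaintext
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:TAG_LEN]


def siv_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """SIV structure: tag = PRF(nonce, aad, plaintext); keystream is keyed by
    the tag, so it changes whenever any of the three inputs changes.
    Returns ciphertext || tag."""
    mac_key, enc_key = key[:32], key[32:]
    tag = _synthetic_iv(mac_key, nonce, aad, plaintext)
    return _xor(plaintext, _keystream(enc_key, tag, len(plaintext))) + tag


def siv_decrypt(key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Decrypt under the tag, then recompute the tag and compare in constant time."""
    mac_key, enc_key = key[:32], key[32:]
    if len(ciphertext) < TAG_LEN:
        raise ValueError("ciphertext too short")
    body, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    plaintext = _xor(body, _keystream(enc_key, tag, len(body)))
    if not hmac.compare_digest(_synthetic_iv(mac_key, nonce, aad, plaintext), tag):
        raise ValueError("authentication failed")
    return plaintext


def ciphertext_xor_reveals_plaintext_xor(encrypt, p1: bytes, p2: bytes) -> bool:
    """True when XOR of the two ciphertext bodies equals XOR of the plaintexts,
    i.e. when encrypting p1 and p2 reused the same keystream."""
    c1, c2 = encrypt(p1), encrypt(p2)
    n = min(len(p1), len(p2))
    return _xor(c1[:n], c2[:n]) == _xor(p1[:n], p2[:n])


def nonce_collision_bound(n_messages: int, iv_bits: int) -> float:
    """Birthday upper bound n(n-1)/2 / 2^iv_bits on the probability that two of
    n uniformly random iv_bits-bit values collide."""
    return n_messages * (n_messages - 1) / 2 / 2 ** iv_bits


if __name__ == "__main__":
    same_nonce = lambda p: ctr_encrypt(KEY, NONCE, p)
    same_nonce_siv = lambda p: siv_encrypt(KEY, NONCE, AAD, p)
    print("CTR, nonce reused, XOR of plaintexts exposed:",
          ciphertext_xor_reveals_plaintext_xor(same_nonce, b"message one", b"message two"))
    print("SIV, nonce reused, XOR of plaintexts exposed:",
          ciphertext_xor_reveals_plaintext_xor(same_nonce_siv, b"message one", b"message two"))
    print("SIV, identical inputs give identical ciphertext:",
          same_nonce_siv(b"message one") == same_nonce_siv(b"message one"))
    print("Birthday bound, 2^48 values in 96 bits:", nonce_collision_bound(2 ** 48, 96))
```

The last line of the demo is the quantitative side of the "~2^48 messages" remark: the bound n(n-1)/2^(b+1) evaluates to just under 0.5 for n = 2^48 and b = 96, which is why repeating one nonce across that many messages is no better than AES-GCM with random 96-bit nonces at the same scale. The SIV half shows what the scheme does and does not hide under reuse: equal inputs produce byte-identical output (the equality leak Shay describes), while different inputs under the same nonce get unrelated keystreams, so the ciphertext XOR carries no plaintext information.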