Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Adam Langley <agl@imperialviolet.org> Sun, 17 April 2016 17:25 UTC

In-Reply-To: <57118EB7.9080907@nthpermutation.com>
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com> <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com> <57118EB7.9080907@nthpermutation.com>
Message-ID: <CAMfhd9VPWzqudB9X2ptHpsfD655FB+=5EpQN7Btuf7yU56-VvQ@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/1U5Fdizx_sucsuD-VbRu8I7xU38>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>

On Fri, Apr 15, 2016 at 6:00 PM, Michael StJohns <msj@nthpermutation.com> wrote:
> That's not exactly what I mean/meant.  In TLS, the same message (record,
> etc) sent under the same key and IV/NONCE (as produced by the TLS PRF/KDF
> functions or produced randomly) will provide different ciphertext based on
> the fact that the record counter changes with each message.  That counter
> doesn't necessarily have to be part of the authenticated data in an AEAD
> cipher as the nonce formation is somewhat external to processing (with the
> exception of the block counter).
>
> To get the equivalent behavior for AES-GCM-SIV, you need to ensure there is
> some sort of per-message unique mixin (unique within the association
> duration at least) that causes the tag to be different which causes the
> nonce to be different.

That's correct and, in the case of TLS, I'd suggest that the sequence
number be used as the nonce in order to make sure that equal messages
don't produce equal ciphertexts. Although, to be clear, I'm not
suggesting that AES-GCM-SIV be used in TLS or in any situation where a
counter nonce is easy. Transport security is generally a situation
where a single sender can just use a counter and, in those cases,
AES-GCM is better.

But there are situations where nonce management is a problem (i.e.
where there are multiple machines encrypting with a single key) and,
for that, I think AES-GCM-SIV is pretty attractive because one can
reasonably use a random nonce.
Cheers

AGL
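The property discussed above, shown in an added example that is not part of this message or of the AES-GCM-SIV draft: a toy SIV-style AEAD built on HMAC-SHA256 (an assumed stand-in, not AES-GCM-SIV itself, so it runs on the Python standard library alone). It shows that a synthetic IV derived from the plaintext makes equal messages under an equal key and nonce produce equal ciphertexts, that a sequence-number nonce removes that equality, and that nonce reuse across different messages still yields different keystreams.

```python
# Toy SIV-style AEAD on HMAC-SHA256 (stdlib only). NOT AES-GCM-SIV: it only
# models the structural property the thread discusses, a synthetic IV that is
# a MAC over (nonce, AAD, plaintext) and that also serves as the tag.
import hmac
import hashlib

IV_LEN = 16

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter mode over the PRF: block i = PRF(key, "enc", iv || i).
    out = b"".join(_prf(key, b"enc", iv + i.to_bytes(4, "big"))
                   for i in range((n + 31) // 32))
    return out[:n]

def _siv(key: bytes, nonce: bytes, aad: bytes, msg: bytes) -> bytes:
    # Length-prefix the AAD so (aad, msg) boundaries are unambiguous.
    return _prf(key, b"mac", nonce + len(aad).to_bytes(8, "big") + aad + msg)[:IV_LEN]

def siv_seal(key: bytes, nonce: bytes, aad: bytes, msg: bytes) -> bytes:
    iv = _siv(key, nonce, aad, msg)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, iv, len(msg))))
    return iv + ct  # deterministic in (key, nonce, aad, msg)

def siv_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes) -> bytes:
    iv, ct = sealed[:IV_LEN], sealed[IV_LEN:]
    msg = bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))
    # Recompute the synthetic IV from the decrypted plaintext and compare in constant time.
    if not hmac.compare_digest(iv, _siv(key, nonce, aad, msg)):
        raise ValueError("authentication failed")
    return msg

def ciphertexts_repeat(key: bytes, nonce: bytes, msg: bytes, count: int = 3) -> bool:
    """True if sealing the same message under the same nonce yields identical output."""
    return len({siv_seal(key, nonce, b"", msg) for _ in range(count)}) == 1

def seal_with_sequence(key: bytes, base: bytes, seq: int, aad: bytes, msg: bytes) -> bytes:
    # Per-message mixin: the record sequence number forms the nonce, as the
    # message suggests for TLS, so equal records give distinct ciphertexts.
    return siv_seal(key, base + seq.to_bytes(8, "big"), aad, msg)

def tamper_rejected(key: bytes, nonce: bytes, aad: bytes, msg: bytes) -> bool:
    sealed = bytearray(siv_seal(key, nonce, aad, msg))
    sealed[-1] ^= 0x01  # flip one ciphertext bit
    try:
        siv_open(key, nonce, aad, bytes(sealed))
        return False
    except ValueError:
        return True
```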