Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Gueron, Shay" <shay.gueron@gmail.com> Sun, 10 April 2016 13:46 UTC

From: "Gueron, Shay" <shay.gueron@gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sun, 10 Apr 2016 13:45:47 +0000
Message-Id: <em73db7135-5741-4c2d-bdfb-020e9b71a470@sgueron-mobl3>
In-Reply-To: <D32D2E63.2A069%uri@ll.mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2OMrIPsyrKNHA3f8UEhdkIt3HFw>
Cc: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Hi Uri,



You are definitely right.

I just tried to answer about the actual flow, rather than the intended 
cryptographic property (i.e., how the 256-bit case operates).

The details of how the nonce is used show that AES256 is applied to 2 
different blocks. But again – your description grasps the intention.



A comment (that was asked / addressed in previous threads): AES256 used 
here is a permutation invoked over 2 different blocks. So, a key search 
can ignore 256-bit keys of the form “x || x” (i.e., there are only 
2^{256}-2^{128} options). This is negligible.



Thanks, Shay


------ Original Message ------
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Sent: 4/8/2016 6:49:22 AM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document ---- Some clarifications

>>OK, let me explain:
>>. . . . . .
>>The "256-bit" case, is covered in my previous explanation, basically:
>>
>>AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1)  (using the 
>>256-bit key, and producing 256 bits altogether).
>
>Another way to explain it – you run AES256 as a PRF to generate 256 
>pseudo-random bits with it, and take those 256 bits as a record key for 
>AES256.
>
>(Sounds solid to me.)
>
>
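The 256-bit record-key derivation described in the exchange above, as an added example in Go that is not part of this thread or of any AES-GCM-SIV draft. It follows the formula quoted here, AES256_K(NONCE[127:1] || 0) || AES256_K(NONCE[127:1] || 1), which is the early-draft construction under discussion rather than the derivation in the published RFC 8452. Assumptions not stated in the thread: "bit 0" is taken to be the least significant bit of the last nonce byte, so the two input blocks differ only in that bit; the key and nonce values and the names deriveRecordKey, nonceBlock and halvesDistinct are constructed for illustration. The code also checks the two properties discussed: the two halves of the derived key are always distinct (the "no keys of the form x || x" point, since AES-256 under a fixed key is a permutation applied to two different blocks), and, because bit 0 of the nonce is overwritten by the block index, two nonces that differ only in that bit derive the same record key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// nonceBlock returns NONCE[127:1] || ctr, i.e. the nonce with its bit 0
// replaced by the block index. Assumption: bit 0 is the least significant
// bit of the last byte (the thread does not fix a bit ordering).
func nonceBlock(nonce [16]byte, ctr byte) [16]byte {
	in := nonce
	in[15] = (in[15] &^ 1) | (ctr & 1)
	return in
}

// deriveRecordKey computes the 256-bit record key as quoted in the thread:
// AES256_K(NONCE[127:1] || 0) || AES256_K(NONCE[127:1] || 1).
func deriveRecordKey(key [32]byte, nonce [16]byte) ([32]byte, error) {
	var rk [32]byte
	c, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return rk, err
	}
	b0, b1 := nonceBlock(nonce, 0), nonceBlock(nonce, 1)
	c.Encrypt(rk[:16], b0[:])
	c.Encrypt(rk[16:], b1[:])
	return rk, nil
}

// halvesDistinct reports whether the two 128-bit halves of a record key
// differ. A block cipher under a fixed key is a permutation, and the two
// input blocks are distinct, so this always holds: the derived key can
// never have the form x || x, which is the remark made in the thread.
func halvesDistinct(rk [32]byte) bool {
	return !bytes.Equal(rk[:16], rk[16:])
}

func main() {
	// Constructed sample values; not test vectors from any draft or RFC.
	var key [32]byte
	for i := range key {
		key[i] = byte(i)
	}
	var nonce [16]byte
	for i := range nonce {
		nonce[i] = byte(0xf0 + i)
	}

	rk, err := deriveRecordKey(key, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("record key:                %s\n", hex.EncodeToString(rk[:]))
	fmt.Printf("halves distinct (no x||x): %v\n", halvesDistinct(rk))

	// Consequence of the quoted formula: bit 0 of the nonce is discarded, so
	// the effective nonce is 127 bits and flipping that bit changes nothing.
	flipped := nonce
	flipped[15] ^= 1
	rk2, _ := deriveRecordKey(key, flipped)
	fmt.Printf("bit-0 flip, same key:      %v\n", rk == rk2)
}
```

Run it with `go run`; the program prints the derived key and the two property checks. The bit-0 observation is specific to the formulation quoted in this thread, where the block index overwrites one bit of a 128-bit nonce.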