Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

Neil Madden <neil.e.madden@gmail.com> Thu, 04 October 2018 13:53 UTC

From: Neil Madden <neil.e.madden@gmail.com>
In-Reply-To: <B2D307E5-4FCA-42E9-8CC3-F169ED23E8B9@ericsson.com>
Date: Thu, 04 Oct 2018 14:53:02 +0100
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Message-Id: <14D31D21-1F40-4E8E-838B-B388E50212FB@gmail.com>
References: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com> <B2D307E5-4FCA-42E9-8CC3-F169ED23E8B9@ericsson.com>
To: John Mattsson <john.mattsson@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2WLXupDMdFKplFoYh4xP2btCPqM>
Subject: Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On 4 Oct 2018, at 13:00, John Mattsson <john.mattsson@ericsson.com> wrote:
> 
> I think it is hard to recommend encryption algorithms without a nonce (e.g. Section 2.6 of RFC 5297) except in specific use cases. While such an algorithm does not fail by allowing an attacker to recover some secret parameter (plaintext, authentication key) if a nonce is repeated, it fails by allowing an attacker to always determine that two messages were equal or that they were not equal. This is not a nice property and should also be mitigated.
> 
> If you make a SIV mode for XChaCha20, I recommend a construction that still uses a nonce (like e.g. draft-irtf-cfrg-gcmsiv). Such a mode gives the expected properties unless both the nonce and message are reused.

Section 3 of RFC 5297 explicitly discusses using a nonce with SIV as the last associated data input. In this mode of operation, SIV achieves the normal nonce-based authenticated encryption security goals, with the added benefit of being misuse-resistant if you do accidentally reuse a nonce. The concrete instantiations in sections 6.1, 6.2 and 6.3 all require a nonce of at least 1 octet.

Kind regards,

Neil
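The exchange above turns on two behaviours of SIV: nonce-less (deterministic) operation leaks whether two messages are equal, and feeding a nonce as the last associated-data input (RFC 5297 Section 3) removes that leak while still degrading only to equality leakage if the nonce is reused. The following is an added example written for this page, not code from the thread or from RFC 5297: it keeps SIV's shape (a PRF over the associated-data vector and plaintext yields the synthetic IV, which both authenticates the message and seeds the keystream) but, so that it runs with only the Python standard library, uses a length-prefixed HMAC-SHA256 in place of S2V/AES-CMAC and HMAC-SHA256 in counter mode in place of AES-CTR. The function names `siv_encrypt`, `siv_decrypt`, `_prf` and `_keystream`, the 64-byte key split into a MAC half and an encryption half, and the fixed key and nonces are all constructed for illustration.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16  # synthetic IV / tag length in bytes (same as AES-SIV's 128-bit IV)


def _prf(key, *components):
    """Stand-in for S2V: a PRF over a vector of byte strings.

    The count and every component are length-prefixed so that, e.g.,
    (AD=b"ab", msg=b"c") and (AD=b"a", msg=b"bc") cannot collide.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(struct.pack(">I", len(components)))
    for c in components:
        h.update(struct.pack(">Q", len(c)))
        h.update(c)
    return h.digest()[:TAG_LEN]


def _keystream(key, iv, n):
    """Stand-in for AES-CTR keyed by the synthetic IV: HMAC in counter mode."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def siv_encrypt(key, plaintext, ad=(), nonce=None):
    """SIV-style encrypt. `ad` is a sequence of associated-data strings;
    if a nonce is given it is appended as the LAST AD input (RFC 5297 Sec. 3)."""
    mac_key, enc_key = key[:32], key[32:]
    components = list(ad)
    if nonce is not None:
        components.append(nonce)
    components.append(plaintext)
    tag = _prf(mac_key, *components)
    ks = _keystream(enc_key, tag, len(plaintext))
    return tag + bytes(p ^ k for p, k in zip(plaintext, ks))


def siv_decrypt(key, ciphertext, ad=(), nonce=None):
    """Decrypt-then-verify: recompute the synthetic IV over AD, nonce and the
    recovered plaintext and compare it in constant time to the received tag."""
    if len(ciphertext) < TAG_LEN:
        raise ValueError("ciphertext too short")
    mac_key, enc_key = key[:32], key[32:]
    tag, ct = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, tag, len(ct))))
    components = list(ad) + ([nonce] if nonce is not None else []) + [pt]
    if not hmac.compare_digest(tag, _prf(mac_key, *components)):
        raise ValueError("authentication failed")
    return pt


def demo():
    """Exercise the properties discussed in the thread; returns a dict of booleans."""
    key = bytes(range(64))          # constructed fixed key, MAC half + encryption half
    ad = [b"header"]
    msg = b"the same message sent twice"
    n1, n2 = b"\x01" * 16, b"\x02" * 16   # constructed nonces

    # Nonce-less SIV is deterministic: identical inputs give identical ciphertexts,
    # so an observer can tell that two messages were equal.
    c_det1 = siv_encrypt(key, msg, ad)
    c_det2 = siv_encrypt(key, msg, ad)

    # Nonce as last AD input: distinct nonces hide equality; reusing a nonce on the
    # same message reveals only that equality, not the plaintext or key.
    c_n1 = siv_encrypt(key, msg, ad, nonce=n1)
    c_n2 = siv_encrypt(key, msg, ad, nonce=n2)
    c_n1_again = siv_encrypt(key, msg, ad, nonce=n1)

    # The nonce is authenticated like any other AD, and tampering is detected.
    tampered = bytearray(c_n1)
    tampered[-1] ^= 0x01
    try:
        siv_decrypt(key, bytes(tampered), ad, nonce=n1)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        siv_decrypt(key, c_n1, ad, nonce=n2)
        wrong_nonce_detected = False
    except ValueError:
        wrong_nonce_detected = True

    return {
        "deterministic_leaks_equality": c_det1 == c_det2,
        "nonce_hides_equality": c_n1 != c_n2,
        "nonce_reuse_leaks_only_equality": c_n1 == c_n1_again,
        "roundtrip": siv_decrypt(key, c_n1, ad, nonce=n1) == msg,
        "tamper_detected": tamper_detected,
        "wrong_nonce_detected": wrong_nonce_detected,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the synthetic IV is derived from the whole (AD, nonce, plaintext) vector, a repeated nonce with a different plaintext still yields a different IV and keystream, which is where the misuse resistance comes from; the only thing a repeated nonce on an identical message reveals is the equality John describes, which is exactly what adding the nonce as the last AD input is meant to avoid in normal operation.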