IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Adam Langley <agl@imperialviolet.org> Fri, 15 April 2016 17:13 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2575D12DA81 for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 10:13:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DWOgaAGoqTUe for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 10:13:43 -0700 (PDT)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68BE512D9D7 for <cfrg@irtf.org>; Fri, 15 Apr 2016 10:13:43 -0700 (PDT)
Received: by mail-io0-x236.google.com with SMTP id 2so141087062ioy.1 for <cfrg@irtf.org>; Fri, 15 Apr 2016 10:13:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-transfer-encoding; bh=MxORDeVztTu8/L3k5JfJgzO1zrpoe/mInSDIubKlX8U=; b=hXOTWg7Le5JhF0JRP9RObJI1rJtcsHWw4EdTbVp8uY74DezsbF3L7Ag76AVLFHiGHz rjha3tAj7kiJOpwM3EW4p4GJbBZIS2NJx+7jdI/rS33cgCdQpmwYO+rF6mc9fTWjjo9D jvioB7VOSrf7/jVI/4ZZE3j7REsXSg9U6tzzPnNZ+a+v+P0pYEwtRUcqeYAPjyHoHoLP iT8xn/Iaf8FrU+jGs6qjYsMvfQk1Yb8BoUMUbsl6pGs+UbE2BGgb7a8UHrpC9VWRar4h tDs7pkfQq7zAcuWcrJLEU4KjAymGpCepaTVCgO0KSPKk2h/19n97jnta4e3bK6su34xM JVJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-transfer-encoding; bh=MxORDeVztTu8/L3k5JfJgzO1zrpoe/mInSDIubKlX8U=; b=fsGth7K517OrEg3CxqMn9hmHDgy4f8WugegTOvCe5OUXyXYrUwIJJ5MLuBkhFCrFxD c47CWQdpk+aiNI8IifdpByQwVZRQWwHJjHI8YzT9u5YIdrfzdqcoTMdn9fuhK+i4/Dxq 83PB7dtYiPoRSbhXz1ol4nLD7B1aZxDTTICz2IpHbLzDJQSTxSnKMey3zplQT4BIGpoH lyJWzTS/G9EDSYnpSKPuGpgkPbBRfF+q8iwXGHLlM9ewSnNhUka9vFWk7nSlLmLCjLkl U8riYsMneul2g92n3X522syucd0wyLEW/2e/UkENPzJXOaD+dkNMmrHtFqOoGCPiLvPH Hn0Q==
X-Gm-Message-State: AOPr4FWg5APdgV83WKGOlM9kiuKx6siaBjXQiBhbEVLNwTSrw5RZoFZuYhTo8xZtuDXEh2SuklMKcLQoaWKi2g==
MIME-Version: 1.0
X-Received: by 10.107.151.8 with SMTP id z8mr23026064iod.191.1460740422738; Fri, 15 Apr 2016 10:13:42 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.79.117.133 with HTTP; Fri, 15 Apr 2016 10:13:42 -0700 (PDT)
In-Reply-To: <571116B0.4050204@nthpermutation.com>
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com>
Date: Fri, 15 Apr 2016 10:13:42 -0700
X-Google-Sender-Auth: MmcawHykaVZfZ8SvUXTkMooZJhQ
Message-ID: <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Michael StJohns <msj@nthpermutation.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2hKuA2gNLNAJrFH7MSs0zKePgw0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2016 17:13:45 -0000

On Fri, Apr 15, 2016 at 9:28 AM, Michael StJohns <msj@nthpermutation.com> wrote:
> Is there any other scheme currently in use in our protocols (TLS, IPSEC,
> etc) that has the property that identical messages under the same key/nonce
> (or key IV) are encrypted identically?

I think all encryption schemes have this property if I understand you.

Given a fixed (key, nonce, message), all AEADs should be
deterministic, i.e. will produce a fixed ciphertext. That includes
AES-GCM, ChaCha20-Poly1305, AES-CCM etc

For CBC modes, some people consider them to be functions of (key,
message)→ciphertext, in which case the random IV makes them
non-deterministic in that model. But if considered to be a function of
(key, message, IV)→ciphertext then they, too, are deterministic too.


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email