Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Fedor Brunner <fedor.brunner@azet.sk> Mon, 18 April 2016 07:22 UTC

To: cfrg@irtf.org
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com> <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com> <57118EB7.9080907@nthpermutation.com> <CAMfhd9VPWzqudB9X2ptHpsfD655FB+=5EpQN7Btuf7yU56-VvQ@mail.gmail.com>
From: Fedor Brunner <fedor.brunner@azet.sk>
Message-ID: <57148B14.7020507@azet.sk>
Date: Mon, 18 Apr 2016 09:21:56 +0200
In-Reply-To: <CAMfhd9VPWzqudB9X2ptHpsfD655FB+=5EpQN7Btuf7yU56-VvQ@mail.gmail.com>

Adam Langley:
> On Fri, Apr 15, 2016 at 6:00 PM, Michael StJohns <msj@nthpermutation.com> wrote:
>> That's not exactly what I mean/meant.  In TLS, the same message (record,
>> etc) sent under the same key and IV/NONCE (as produced by the TLS PRF/KDF
>> functions or produced randomly) will provide different ciphertext based on
>> the fact that the record counter changes with each message.  That counter
>> doesn't necessarily have to be part of the authenticated data in an AEAD
>> cipher as the nonce formation is somewhat external to processing (with the
>> exception of the block counter).
>>
>> To get the equivalent behavior for AES-GCM-SIV, you need to ensure there is
>> some sort of per-message unique mixin (unique within the association
>> duration at least) that causes the tag to be different which causes the
>> nonce to be different.
> 
> That's correct and, in the case of TLS, I'd suggest that the sequence
> number be used as the nonce in order to make sure that equal messages
> don't produce equal ciphertexts. Although, to be clear, I'm not
> suggesting that AES-GCM-SIV be used in TLS or in any situation where a
> counter nonce is easy. Transport security is generally a situation
> where a single sender can just use a counter and, in those cases,
> AES-GCM is better.
> 
> But there are situations where nonce management is a problem (i.e.
> where there are multiple machines encrypting with a single key) and,
> for that, I think AES-GCM-SIV is pretty attractive because one can
> reasonably use a random nonce.

https://cr.yp.to/papers.html#xsalsa

XSalsa20 is the Salsa20 cipher with the nonce extended to 192 bits. So there is
no need to manage nonces; they can be generated with an RNG. Could you
please describe applications where you would prefer AES-GCM-SIV over
XSalsa20+Poly1305?

> 
> 
> Cheers
> 
> AGL
> 
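The question above turns on how safe random nonces are at a given nonce size. The following added example (not code from the thread, its authors, or any of the cited specifications) works the birthday bound through for the nonce sizes under discussion: the 96-bit nonce of AES-GCM and AES-GCM-SIV and the 192-bit nonce of XSalsa20. It assumes nonces drawn uniformly at random and uses the standard approximation P(collision) ≈ 1 - exp(-n(n-1)/2N) for n messages and N = 2^bits possible nonces; the names `collision_probability`, `max_messages` and `nonce_budget` are this example's own.

```python
import math

# Nonce sizes of the AEADs discussed in the thread. Assumption: the usual
# 96-bit nonce for AES-GCM and AES-GCM-SIV, 192 bits for XSalsa20-Poly1305.
NONCE_BITS = {
    "AES-GCM": 96,
    "AES-GCM-SIV": 96,
    "XSalsa20-Poly1305": 192,
}


def collision_probability(nonce_bits: int, messages: int) -> float:
    """Probability that at least two of `messages` uniformly random
    nonce_bits-bit nonces coincide: 1 - exp(-n(n-1) / 2N), N = 2**nonce_bits.

    expm1 keeps precision when the probability is tiny (e.g. 2**-129).
    """
    if messages < 2:
        return 0.0
    two_n = 2.0 ** (nonce_bits + 1)
    exponent = messages * (messages - 1) / two_n
    return -math.expm1(-exponent)


def max_messages(nonce_bits: int, max_probability: float) -> int:
    """Largest message count whose collision probability stays at or below
    max_probability: invert the bound, n ~ sqrt(2N * -ln(1 - p)), then step
    down if rounding pushed the estimate over the target."""
    target = -math.log1p(-max_probability)
    n = math.isqrt(int(2.0 ** (nonce_bits + 1) * target))
    while n > 2 and collision_probability(nonce_bits, n) > max_probability:
        n -= 1
    return n


def nonce_budget(max_probability: float = 2.0 ** -32) -> dict:
    """Per-AEAD summary: collision probability after 2**32 random nonces and
    how many messages fit under one key before exceeding max_probability.

    For AES-GCM a nonce repeat breaks confidentiality and integrity; for
    AES-GCM-SIV it only reveals whether two plaintexts were equal, which is
    why the same 96-bit number is much less alarming there. For 192-bit
    nonces the budget is far beyond any practical message count.
    """
    out = {}
    for name, bits in NONCE_BITS.items():
        out[name] = {
            "nonce_bits": bits,
            "p_collision_at_2^32_msgs": collision_probability(bits, 2 ** 32),
            "msgs_per_key_at_p": max_messages(bits, max_probability),
        }
    return out


if __name__ == "__main__":
    for name, row in nonce_budget().items():
        print(f"{name:18s} {row['nonce_bits']:4d}-bit nonce  "
              f"P(repeat | 2^32 msgs) = {row['p_collision_at_2^32_msgs']:.3e}  "
              f"msgs/key at P<=2^-32 = {row['msgs_per_key_at_p']:.3e}")
```

Running it shows the familiar figures: with 96-bit random nonces, 2^32 messages under one key give a repeat probability of about 2^-33, and roughly 6e9 messages are allowed before the probability reaches 2^-32, whereas a 192-bit nonce leaves that probability around 2^-129 and a per-key budget above 10^24 messages. The table is the quantitative half of the "why manage nonces at all" argument; the qualitative half is what a repeat costs, which differs between AES-GCM and AES-GCM-SIV as noted in the docstring.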