Re: [Cfrg] document shepherd comments on "AES-GCM-SIV"

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 03 October 2018 10:19 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Yehuda Lindell <yehuda.lindell@biu.ac.il>, Adam Langley <agl@imperialviolet.org>, Shay Gueron <shay.gueron@gmail.com>
CC: Alexey Melnikov <alexey.melnikov@isode.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: document shepherd comments on "AES-GCM-SIV"
Thread-Index: AQHUWwJ5LjbyTn/aKkGYTfLS0LfgeA==
Date: Wed, 03 Oct 2018 10:18:49 +0000
Message-ID: <750CC999-9E14-41B8-81DD-A45F81A5E5B7@rhul.ac.uk>
Accept-Language: en-GB, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4WwP7_rgYTvJUBYt6H_v7cAZ_kA>
Subject: Re: [Cfrg] document shepherd comments on "AES-GCM-SIV"
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Dear Adam, Shay and Yehuda,

My apologies to you all for the long delay in producing a document shepherd review on the "AES-GCM-SIV" draft. 

My review is below.

Best wishes,

Kenny

----

Document shepherd review of draft-irtf-cfrg-gcmsiv-08.txt

Overall, the document would benefit from one more pass to discuss a number of minor issues identified below.

IANA: The document has IANA considerations: IANA is requested to add two entries to the registry of AEAD algorithms: AEAD_AES_128_GCM_SIV and AEAD_AES_256_GCM_SIV, both referencing this document as their specification.


Detailed comments (by page):

Page 1:

"that is easier to use correctly" - easier than what?
"most AEADs" --> "some AEADs including AES-GCM"
"when two distinct messages are encrypted with the same nonce" --> "when two distinct messages are encrypted with the same key and nonce"

Page 2:

"2/3rds" --> "2/3" or "two-thirds"
"POLYVAL like GHASH..." - this is the first mention of GHASH in the document, so add a reference or a parenthetical remark for the reader, e.g. "(the authenticator in AES-GCM)"

Page 3:

"for j = 0..s" -- should this be "for j = 1..s"? The first X_j is X_1.
"record-authentication and record-encryption keys" -- why use the word "record" here and throughout? The use is not restricted to TLS records, say.

Page 4:

After describing encryption, it might be helpful to add a note to say that POLYVAL is applied to an encoded version of the additional data and PLAINTEXT, in contrast to AES-GCM, where it is applied to an encoded version of the additional data and CIPHERTEXT.

"the first twelve bytes of S_s" - I'm not an expert on endianness issues, but is it clear which bytes these are (the pseudocode on page 5 clarifies, but the text should be unambiguous in its own right)?

"The counter advances by incrementing the first 32 bits interpreted as an unsigned, little-endian integer, with overflow." - the pseudocode on page 5 could be read as having no overflow, because there's an implicit cast to a 32-bit type in this snippet:

	block[0:4] = little_endian_uint32(
           read_little_endian_uint32(block[0:4]) + 1)

Please resolve!

"The result of the encryption is the encrypted plaintext (truncated to the length of the plaintext) followed by the tag" - counter mode as defined in NIST SP 800-38A, Section 6.5 includes truncation automatically as part of counter mode, so the parenthetical remark is strictly unnecessary. On the other hand, I didn't see a specific reference for counter mode in the document. 

Page 6:

In describing decryption, a mix of passive and active voice is used: "key are dervived", "then fail", "split the input". Please adopt a consistent voice. 

There is a significant implementation pitfall waiting in the decryption description: because the MAC is only checked after decryption, there is a risk that an implementation could release unverified plaintext to the calling application. Arguably, EtM constructions like AES-GCM do not suffer from this problem to the same extent. The security considerations section should explicitly mention this pitfall and the importance of avoiding it.

Page 9:

"Encrypting with the record-encryption key gives the tag, which is 4fbcdeb7e4793f4a1d7e4faa70100af1."

"Encrypting this with the record key gives the first block of the keystream: 1551f2c1787e81deac9a99f139540ab5."

- in both cases, for clarity, add "using AES".

- "AES-SIV" - is this what is specified in https://tools.ietf.org/html/rfc5297? If so, add a reference, likewise for AES-CCM?

- "the adversary has an advantage of 1/2" - here you should make it clear what kind of adversary you are talking about, e.g. "a distinguishing adversary trying to break the confidentiality of the scheme".

Page 10:

"when nonces repetition is low" --> "when nonce repetition rates are low"

"it is RECOMMENDED that nonces be randomly generated." -- add something like "for use in AES-GCM-SIV", as you are not making a general recommendation for all of cryptography here!

"(for these bounds, the adversary's advantage is always below 2^-32)" - same above, text needs to be more precise about which kind of adversary we are concerned with here - is it a general AEAD adversary from the all-in-one security notion of Rogaway-Ristenpart, or one focussed on breaking confidentiality via a distinguishing attack?

"For up to 256 repeats of a nonce" --> "For up to 256 uses of a nonce with the same key"

"this assumes a short AAD" -- how short? Please be more specific. Also, this is the first use of the acronym in the document; please introduce it properly.

"In fact, nonces repeat far less than 256 times when randomly chosen." -- well, that depends on how many nonces you generate - if you generate enough, then they certainly will repeat this often! Please be more precise here, or just remove this sentence and the following "Thus,".

Page 11:

"Theorem Seven in the paper" --> "Theorem 7 in [ref]" and complete the reference.

Again how short is the AAD here?

"We also wish to note that the probability of successful forgery increases with the number of attempts that an attacker is permitted." --  integrity is treated relatively cursorily here. Please consider adding further detail, e.g. provide some concrete numbers like you did previously (this text also hints that the previous numbers were all for an adversary against confidentiality, reinforcing the point that a bit more discussion/definition is needed when first introducing adversaries).

Page 15:

"Some, non-security, properties" --> remove commas. Maybe just say "functional" instead of "non-security"?

"2/3's" --> "two-thirds of"

Appendix C: I have not checked the test vectors.