Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Gueron, Shay" <shay.gueron@gmail.com> Fri, 15 April 2016 16:07 UTC

From: "Gueron, Shay" <shay.gueron@gmail.com>
To: Aaron Zauner <azet@azet.org>
Date: Fri, 15 Apr 2016 16:06:23 +0000
Message-Id: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3>
In-Reply-To: <3654AD02-4508-48BB-A8AE-A125AFA6D1E3@azet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/4gquSwA3tKO56EAmNqIyQ01HFDc>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Hi Aaron,

Thanks for the comment, but I believe your conclusion is wrong.

AES-GCM-SIV (128/256-bit key), which is proposed for CFRG, is a fully 
nonce-misuse-resistant authenticated encryption scheme. This means that 
repeating a nonce will not leak any information except if the same nonce 
and the same message is encrypted. In that case, an adversary could only 
know that the two identical messages were encrypted (this cannot be 
avoided in any deterministic scheme).

The security margins of the CCS2015 paper (original scheme) were proven 
there.

The CFRG submission extends the number of times that a single key 
(either 128 or 256 bits) can be used - and gets better bounds - at the 
cost of extra key expansion, as specified (we will publish the improved 
bounds).

However, if a user chooses to send many (e.g., 2^48) messages and always 
repeat the same nonce, then AES-GCM-SIV simply reduces to the GCM-SIV of 
the CCS2015 paper. Basically, it would behave similarly to AES-GCM with 
a random 96-bit nonce (this is also inevitable under such a "nonce 
abuse" scenario in a SIV construction).

I hope this clarifies the situation.

Thanks, Shay


------ Original Message ------
From: "Aaron Zauner" <azet@azet.org>
To:
Cc: "Yehuda Lindell" <yehuda.lindell@biu.ac.il>; "cfrg@irtf.org" 
<cfrg@irtf.org>; "Adam Langley" <agl@google.com>
Sent: 4/15/2016 8:48:07 AM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document ---- Some clarifications

>Hi,
>
>Went through past discussion on the proposal, the draft and (also) 
>noticed the security considerations section and Adam's reply over here: 
>https://www.ietf.org/mail-archive/web/cfrg/current/msg08030.html
>
>So I think it's worth noting in the document that this proposal isn't 
>"as" nonce misuse resistant to the extent that some people may assume 
>it is by the title/abstract. i.e. GCM-SIV speaks of "Fully nonce misuse 
>resistance" while AES-GCM-SIV uses the term "Nonce misuse resistance" - 
>it may be well worth going into more detail in the draft on the matter 
>and clarifying. Please correct me if I'm completely off-course here.
>
>Aaron
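The distinction Shay draws above (a repeated nonce leaks only whether two messages were identical, because the tag is a deterministic function of key, nonce, AAD and plaintext and also seeds the CTR keystream) is easiest to see in code. The block below is an added example written for this page, not code from the draft, the CCS 2015 paper or their authors. It implements AES-GCM-SIV as eventually published in RFC 8452 (intermediate drafts changed details such as the key derivation, so it is not necessarily byte-identical to the April 2016 draft under discussion), using AES-ECB from the Python `cryptography` package as the block cipher, and checks itself against the first two AES-128-GCM-SIV vectors of that RFC's appendix C. It then encrypts constructed messages under a deliberately reused nonce with both AES-GCM and AES-GCM-SIV: under GCM the XOR of two ciphertexts equals the XOR of the plaintexts (reused keystream), under GCM-SIV it does not, while two encryptions of the same message under the same nonce are identical. The key, nonce and messages are constructed for the demonstration; the pure-Python field arithmetic is not constant-time and is for illustration only.

```python
"""AES-GCM-SIV as published in RFC 8452, built on AES-ECB, with a nonce-reuse
comparison against AES-GCM. Added example for this page, not the draft's own code."""
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# POLYVAL field GF(2^128) mod x^128 + x^127 + x^126 + x^121 + 1 (RFC 8452 section 3);
# elements are little-endian ints whose bit i is the coefficient of x^i.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1

def _gf_mul(a, b):
    """Carry-less multiply of two field elements, reduced modulo _POLY."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):
        if (r >> i) & 1:
            r ^= _POLY << (i - 128)
    return r

# P(x) = 0 gives 1 = x * (x^127 + x^126 + x^125 + x^120), i.e. x^-1; squaring it seven
# times yields x^-128, the factor in POLYVAL's dot(a, b) = a * b * x^-128.
_X_INV128 = (1 << 127) | (1 << 126) | (1 << 125) | (1 << 120)
for _ in range(7):
    _X_INV128 = _gf_mul(_X_INV128, _X_INV128)

def polyval(h, data):
    """POLYVAL(H, X_1..X_n): S_j = dot(S_{j-1} xor X_j, H) over 16-byte blocks of data."""
    hi, s = int.from_bytes(h, "little"), 0
    for off in range(0, len(data), 16):
        s = _gf_mul(_gf_mul(s ^ int.from_bytes(data[off:off + 16], "little"), hi), _X_INV128)
    return s.to_bytes(16, "little")

def _aes_block(key, block):
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()

def _derive_keys(kgk, nonce):
    """Per-nonce authentication key (16 B) and encryption key (16 or 32 B), section 4."""
    n = 4 if len(kgk) == 16 else 6
    halves = [_aes_block(kgk, i.to_bytes(4, "little") + nonce)[:8] for i in range(n)]
    return b"".join(halves[:2]), b"".join(halves[2:])

def _tag(auth_key, enc_key, nonce, aad, plaintext):
    """Synthetic IV: POLYVAL over padded AAD, padded plaintext and bit lengths, nonce XORed in."""
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    lengths = (8 * len(aad)).to_bytes(8, "little") + (8 * len(plaintext)).to_bytes(8, "little")
    s = bytearray(polyval(auth_key, pad(aad) + pad(plaintext) + lengths))
    for i in range(12):
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return _aes_block(enc_key, bytes(s))

def _ctr_xor(enc_key, tag, data):
    """CTR keystream seeded by the tag (top bit of last byte set), 32-bit little-endian counter."""
    ctr, out = bytearray(tag), bytearray()
    ctr[15] |= 0x80
    for off in range(0, len(data), 16):
        out += bytes(p ^ k for p, k in zip(data[off:off + 16], _aes_block(enc_key, bytes(ctr))))
        ctr[:4] = ((int.from_bytes(ctr[:4], "little") + 1) & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(out)

def encrypt(key, nonce, plaintext, aad=b""):
    assert len(nonce) == 12 and len(key) in (16, 32)
    auth_key, enc_key = _derive_keys(key, nonce)
    tag = _tag(auth_key, enc_key, nonce, aad, plaintext)
    return _ctr_xor(enc_key, tag, plaintext) + tag

def decrypt(key, nonce, ciphertext, aad=b""):
    """Plaintext, or None if the tag recomputed over the decrypted data does not match."""
    if len(ciphertext) < 16: return None
    auth_key, enc_key = _derive_keys(key, nonce)
    body, tag = ciphertext[:-16], ciphertext[-16:]
    plaintext = _ctr_xor(enc_key, tag, body)
    expected = _tag(auth_key, enc_key, nonce, aad, plaintext)
    return plaintext if hmac.compare_digest(expected, tag) else None

def rfc8452_check():
    """First two AES-128-GCM-SIV vectors of RFC 8452 appendix C (empty and 8-byte message)."""
    key, nonce = bytes.fromhex("01" + "00" * 15), bytes.fromhex("03" + "00" * 11)
    return (encrypt(key, nonce, b"").hex() == "dc20e2d83f25705bb49e439eca56de25"
            and encrypt(key, nonce, bytes.fromhex("0100000000000000")).hex()
            == "b5d839330ac7b786578782fff6013b815b287c22493a364c")

def nonce_reuse_demo():
    """Constructed key and messages; one nonce is reused on purpose for AES-GCM and AES-GCM-SIV."""
    key, nonce = bytes(range(16)), b"\x00" * 12
    m1, m2 = b"pay 100 to alice", b"pay 100 to bob  "
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
    g1, g2 = AESGCM(key).encrypt(nonce, m1, None), AESGCM(key).encrypt(nonce, m2, None)
    s1, s1_again, s2 = (encrypt(key, nonce, m) for m in (m1, m1, m2))
    return {
        "gcm_leaks_plaintext_xor": xor(g1[:16], g2[:16]) == xor(m1, m2),  # reused keystream
        "siv_equal_messages_detectable": s1 == s1_again,                   # deterministic
        "siv_leaks_plaintext_xor": xor(s1[:16], s2[:16]) == xor(m1, m2),  # tag seeds fresh keystream
        "siv_roundtrip": decrypt(key, nonce, s2) == m2,
        "siv_rejects_tamper": decrypt(key, nonce, bytes([s2[0] ^ 1]) + s2[1:]) is None,
    }
```

Import the module and call rfc8452_check() and nonce_reuse_demo(); the first returns True when the implementation matches the RFC vectors, the second returns a dictionary in which only the AES-GCM entry reports a plaintext-XOR leak. The "same message, same nonce, same ciphertext" entry is exactly the equality leak Shay describes, and it is also why the SIV tag must cover the whole plaintext before any keystream is generated: a tag that depended only on a prefix would reuse keystream across messages sharing that prefix.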