[CFRG] Comment on AES-GCM-SST
Yehuda Lindell <yehuda.lindell@gmail.com> Sun, 05 May 2024 13:55 UTC
From: Yehuda Lindell <yehuda.lindell@gmail.com>
Date: Sun, 05 May 2024 16:55:23 +0300
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/51ZYKcZQDKF2RkzRFtMcH4xCy6E>
Subject: [CFRG] Comment on AES-GCM-SST
I've taken a look at AES-GCM-SST, and have a couple of comments.

First, I think that I have found another attack that doesn't require nonce-reuse. It has a higher complexity but as stated works without nonce reuse, and provides key extraction and thus a universal forgery.

By the standard,

    X = POLYVAL(H, S[0], S[1], ..., S[m + n - 1])
    T = POLYVAL(Q, X XOR S[m + n]) XOR M

The POLYVAL in computing T is a single multiplication, and so we have

    T = Q * (X XOR S[m+n]) XOR M = Q * X + Q * S[m+n] + M

For the same nonce (and the attacker can always use the same nonce) and same-length messages, it follows that Q * S[m+n] + M is constant, and therefore it remains to learn Q * X. This is a quadratic equation with 128 variables and so can be rewritten as a linear equation with 128-choose-2 ~ 2^13 new variables.

Consider a 32-bit tag. In each equation with tag=0 we obtain 32=2^5 linear equations. Therefore we need 2^8 such equations. Each equation takes expected 2^32 queries, and therefore with expected 2^40 queries we can learn the key, and from then on forge any message desired.

Therefore the standard doesn't meet its stated goal, which is to achieve forgery probabilities close to ideal. Specifically, although it should be possible to forge a single message with 2^32 queries, it should not be possible to obtain a universal forgery in time 2^40.

As a second comment, in general, I believe that a proposal for a mode of operation that aims to achieve something like the above needs to have a full proof of security with concrete bounds. Otherwise we can expect a cat-and-mouse game of finding and fixing attacks, like the one described by Scott Fluhrer and the one above.

Best,
Yehuda
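As an added example (not code from the email or from the AES-GCM-SST draft), the following Python checks the two algebraic steps the comment relies on: that with the nonce and message length fixed the per-nonce masks S[m+n] and M cancel, leaving T1 XOR T2 = Q * (X1 XOR X2), and that Q * X over GF(2^128) is GF(2)-bilinear, so every tag bit is a linear combination of the products q_i * x_j (the linearization step). It assumes a plain polynomial-basis GF(2^128) multiplication with the POLYVAL modulus x^128 + x^127 + x^126 + x^121 + 1 rather than RFC 8452's bit-reflected byte encoding; the argument depends only on field arithmetic, so the structure is unchanged.

```python
# Added example: field arithmetic checks behind the comment above.
# Assumption: polynomial-basis GF(2^128), modulus x^128+x^127+x^126+x^121+1,
# integers as bit-vectors (bit i = coefficient of x^i); not RFC 8452's encoding.
MOD = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
MASK = (1 << 128) - 1


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two 128-bit polynomials, then reduce mod MOD."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):  # clear degrees 255..128 from the top down
        if (r >> i) & 1:
            r ^= MOD << (i - 128)
    return r & MASK


def tag(q: int, x: int, s_last: int, m: int, tag_bits: int) -> int:
    """T = POLYVAL(Q, X xor S[m+n]) xor M, truncated to the short tag length."""
    return (gf_mul(q, x ^ s_last) ^ m) & ((1 << tag_bits) - 1)


def same_nonce_difference_is_linear(q, x1, x2, s_last, m, tag_bits) -> bool:
    """Same nonce (same S[m+n], M) and same length: T1 xor T2 == Q*(X1 xor X2),
    i.e. the nonce-dependent terms cancel and the tag is affine in X."""
    lhs = tag(q, x1, s_last, m, tag_bits) ^ tag(q, x2, s_last, m, tag_bits)
    rhs = gf_mul(q, x1 ^ x2) & ((1 << tag_bits) - 1)
    return lhs == rhs


def product_is_bilinear_over_gf2(q: int, x: int) -> bool:
    """Q*X equals the XOR over set bits (i, j) of x^i * x^j, so each output
    bit is a GF(2)-linear function of the monomials q_i*x_j: the quadratic
    system in (Q, X) becomes linear in those product variables."""
    acc = 0
    for i in range(128):
        if not (q >> i) & 1:
            continue
        for j in range(128):
            if (x >> j) & 1:
                acc ^= gf_mul(1 << i, 1 << j)
    return acc == gf_mul(q, x)
```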