IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 April 2016 20:00 UTC

Return-Path: <prvs=39194c8253=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91ECF12E1B3 for <cfrg@ietfa.amsl.com>; Thu, 21 Apr 2016 13:00:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.194
X-Spam-Level:
X-Spam-Status: No, score=-5.194 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXgMRBkTAzhJ for <cfrg@ietfa.amsl.com>; Thu, 21 Apr 2016 13:00:29 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id CA50912E0F1 for <cfrg@irtf.org>; Thu, 21 Apr 2016 13:00:28 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id u3LJwtKC035369; Thu, 21 Apr 2016 15:58:55 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Andy Lutomirski <luto@amacapital.net>, Adam Langley <agl@imperialviolet.org>
Thread-Topic: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Thread-Index: AQHRjz1rcBDJFfpWREmYbD5sdatNi59/a4CAgAAK8YCACtLeAIAK6AgA///BA4A=
Date: Thu, 21 Apr 2016 20:00:23 +0000
Message-ID: <D33EA818.2ABFE%uri@ll.mit.edu>
References: <CALCETrVP_Op+-jpoP0JBFWZZQkvo0JYuLNtAS=itSPTb4Ptkuw@mail.gmail.com> <em615f096a-5286-4b23-b267-26099193d002@sgueron-mobl3> <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com> <CAMfhd9UrK2kBL9J-_y=fDGKMLXt02=aO2UM2LyPkEwvj+wi7Zw@mail.gmail.com> <CAMfhd9VEMs1TikiGFgifGdQha_t5B_CaGxC3=gsoPzUZe1TurA@mail.gmail.com> <CALCETrWNEDVpkG5EOOkLBSwFb0ggMHEo1-SAwAAD83aN235pCA@mail.gmail.com>
In-Reply-To: <CALCETrWNEDVpkG5EOOkLBSwFb0ggMHEo1-SAwAAD83aN235pCA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.2.160219
x-originating-ip: [172.25.177.156]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha384"; boundary="B_3544099213_1175752"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-04-21_14:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1603290000 definitions=main-1604210313
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/5qzRdHNBJROqJ6DoyX2gTbFjLq0>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 20:00:30 -0000

>>-03 is hopefully clearer on this point:
>> https://tools.ietf.org/html/draft-gueron-gcmsiv-03#section-4
>
>This is much clearer to me.
>
>However:
>
>   This record-encryption
>   key is defined as the concatenation of the result of encrypting,
>   using the AES key, the nonce with the least-significant bit of the
>   first byte set to zero and then to one.
>
>Why is it designed this way?  This has the odd property that the
>record encryption key is the same for two messages with nonces that
>differ only in the LSB of the first byte.

You’re right!

>Alternative designs include:
>
>a) Concatenate the results of encrypting the nonce and the none with
>the LSB of the first byte flipped.
>
>b) Concatenate the results of encrypting the nonce and the nonce + 1.

Have we all forgot the good ol’ OFB mode? This seems a perfect use case
for it. Take the 128-bit nonce as the seed and crank AES-256 engine twice
to get two 128-bit pseudorandom blocks. Concatenate them and use as the
record key. Same performance as what you’re getting, better security - and
the advantage of staying with standardized block cipher modes :).

>It still seems to be that performance for short block sizes may be
>rather poor given the key setup needed.

Can’t comment, but frankly don’t care much.

v2.23.0 | Report a Bug | By Email