Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Gueron, Shay" <shay.gueron@gmail.com> Thu, 21 April 2016 20:38 UTC

From: "Gueron, Shay" <shay.gueron@gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Andy Lutomirski <luto@amacapital.net>
Date: Thu, 21 Apr 2016 20:38:33 +0000
Message-Id: <emd177ba4d-0be1-4293-afb1-fc0b1a9c54f9@sgueron-mobl3>
In-Reply-To: <D33EAB85.2AC03%uri@ll.mit.edu>
User-Agent: eM_Client/6.0.24316.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBE2A97618-334F-4B4D-96E8-D9D266BA8CDF"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6zKJCheNCpJ2lwvIyCicA7JtAis>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

OK, I did not understand what Andy meant...

Indeed, for deriving the encryption in the 256-bit key case, the nonce 
has effectively 127 bits.

Repeating this (127-bit) nonce degenerates the encryption to using the 
same 256-bit key.

Still, the CTR mode encryption that follows is not going to leak 
information unless the same message (with the same 127-bit IV) is 
encrypted. In such a case, the equality of the message is revealed. But this is 
the nature of the deterministic processing, and this is what the nonce 
misuse resistance provides.

Of course, there is another consideration: if, on top of all this, there 
is a collision in the 96 bits of the CTR mode IV, which is derived from 
the POLYVAL universal hash (and the nonce). This is addressed in the 
security considerations section.
(As promised, exact bounds will follow in a paper that we will soon 
release.)

Regards, Shay


------ Original Message ------
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "Shay Gueron" <shay.gueron@gmail.com>; "Andy Lutomirski" 
<luto@amacapital.net>
Cc: "Adam Langley" <agl@imperialviolet.org>; "Yehuda Lindell" 
<yehuda.lindell@biu.ac.il>; "cfrg@irtf.org" <cfrg@irtf.org>; "Adam 
Langley" <agl@google.com>
Sent: 4/21/2016 11:11:33 PM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document ---- Some clarifications

>I’m afraid Andy is correct. Say one record has its nonce xxxx…xxxx0 
>(127 bits plus 0), and another record has its nonce xxx…xxx1. The 
>record key produced for both records will be the same, because it 
>clobbers/ignores the LSB.
>
>Again, why don’t you just use AES256-OFB to produce 256-bit record key?
>--
>Regards,
>Uri Blumenthal
>
>From: Cfrg <cfrg-bounces@irtf.org> on behalf of Shay Gueron 
><shay.gueron@gmail.com>
>Date: Thursday, April 21, 2016 at 16:06
>To: Andy Lutomirski <luto@amacapital.net>
>Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell 
><yehuda.lindell@biu.ac.il>, CFRG <cfrg@irtf.org>, Adam Langley 
><agl@google.com>
>Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
>Authenticated Encryption" as a CFRG document ---- Some clarifications
>
>>Andy,
>>
>>Addressing your concern:
>> >>> This has the odd property that the
>> >>> record encryption key is the same for two messages with nonces 
>>that
>> >>> differ only in the LSB of the first byte.
>>This is not the case. What the spec states means the following:
>>The record encryption key is derived by
>>
>>AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1)
>>
>>I hope this helps clarifying.
>>Regards, Shay
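The record-key derivation as Shay describes it above (AES256(NONCE[127:1] || 0) || AES256(NONCE[127:1] || 1)), as an added example that is not code from the draft or its authors, showing why two nonces that differ only in the clobbered bit yield the same record key. It assumes the replaced bit is the low bit of the first nonce byte (Andy's "LSB of the first byte"), and falls back to a clearly labelled HMAC-SHA256 stand-in for the AES-256 block function when the `cryptography` package is not installed; the collision property does not depend on which PRF is used.

```python
import hashlib
import hmac


def _aes256_block(key: bytes, block: bytes) -> bytes:
    """One AES-256 block encryption (raw single block, no mode).
    Falls back to an HMAC-SHA256 stand-in, labelled as such, when
    the cryptography package is unavailable."""
    assert len(key) == 32 and len(block) == 16
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
    except ImportError:
        # Stand-in PRF (assumption): keeps the example runnable offline.
        return hmac.new(key, block, hashlib.sha256).digest()[:16]


def effective_nonce(nonce: bytes) -> bytes:
    """NONCE[127:1]: the 127 bits that actually select the record key.
    Assumes the clobbered bit is the LSB of the first byte."""
    assert len(nonce) == 16
    return bytes([nonce[0] & 0xFE]) + nonce[1:]


def derive_record_key_draft(master_key: bytes, nonce: bytes) -> bytes:
    """Draft-style derivation from the thread:
    AES256(NONCE[127:1] || 0) || AES256(NONCE[127:1] || 1)."""
    base = effective_nonce(nonce)
    block0 = base                                   # ...|| 0
    block1 = bytes([base[0] | 0x01]) + base[1:]     # ...|| 1
    return _aes256_block(master_key, block0) + _aes256_block(master_key, block1)


def distinct_record_keys(master_key: bytes, nonces) -> int:
    """Number of distinct record keys a set of nonces produces."""
    return len({derive_record_key_draft(master_key, n) for n in nonces})


if __name__ == "__main__":
    k = bytes(range(32))                            # constructed sample key
    n0 = bytes(16)                                  # ...xxxx0
    n1 = b"\x01" + bytes(15)                        # ...xxxx1 (same 127 bits)
    n2 = b"\x02" + bytes(15)                        # differs in a kept bit
    print("n0/n1 collide:", derive_record_key_draft(k, n0) == derive_record_key_draft(k, n1))
    print("distinct keys among 3 nonces:", distinct_record_keys(k, [n0, n1, n2]))
```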