Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Paul Grubbs <pag225@cornell.edu> Mon, 18 April 2016 18:29 UTC
Return-Path: <pag225@cornell.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F14012E517 for <cfrg@ietfa.amsl.com>; Mon, 18 Apr 2016 11:29:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level:
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1uBZFFOi0UPF for <cfrg@ietfa.amsl.com>; Mon, 18 Apr 2016 11:29:50 -0700 (PDT)
Received: from limerock03.mail.cornell.edu (limerock03.mail.cornell.edu [128.84.13.243]) by ietfa.amsl.com (Postfix) with ESMTP id C06C512E50A for <cfrg@irtf.org>; Mon, 18 Apr 2016 11:29:46 -0700 (PDT)
X-CornellRouted: This message has been Routed already.
Received: from exchange.cornell.edu (sf-e2013-08.exchange.cornell.edu [10.22.40.55]) by limerock03.mail.cornell.edu (8.14.4/8.14.4_cu) with ESMTP id u3IITj3b026986 for <cfrg@irtf.org>; Mon, 18 Apr 2016 14:29:45 -0400
Received: from sf-e2013-03.exchange.cornell.edu (10.22.40.50) by sf-e2013-08.exchange.cornell.edu (10.22.40.55) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Mon, 18 Apr 2016 14:29:45 -0400
Received: from mail-wm0-f72.google.com (74.125.82.72) by exchange.cornell.edu (10.22.40.50) with Microsoft SMTP Server (TLS) id 15.0.1130.7 via Frontend Transport; Mon, 18 Apr 2016 14:29:45 -0400
Received: by mail-wm0-f72.google.com with SMTP id w143so76315588wmw.2 for <cfrg@irtf.org>; Mon, 18 Apr 2016 11:29:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=KxsYb2YBgqHaRbSv7Clef2bc7lM4/IJGidkVoL1bBCA=; b=clvnKECapyaA7hmL9oeHNBUl2Z56karqUwk5C+8J+mhKscokgy5yZVdtzbmrPV+blu mHpccFlrIFSSyAFMskbPUnIIxgErtRDf/3OxKLkM/B1X3pDOVd3yxKEktbG805yqdAIJ RTYGvn1uu6DwZWm9flIMRC3vMtAecglfjrT3l+mTWsGaVosfkcd0s+vyeyVZfY/v5d1h ROSqdbRRQd4xynxs0tODe28Ks2KX+SLzapPA2ffW7bECMTyPOoAxBlgQuHgfxwnIXDiR 3rU8Q+oxgCJe1Jbtobu3YD1c/8P72HeMQkejM8URHMrC7vd9X9pp+aJBQUFu2AIe/K/Y u5zA==
X-Gm-Message-State: AOPr4FWkMe/NLpySqx7ie+hmbf2oSmeLd03Wi3mijgbz9sKh/hi9RwgIPkGmXf6NGq6as5bo3lFAXJfJRt1pmCcKSu7RBKRky7TgIkUPA3ZVxWRf7HBR6MHGOj4UHE+JKAyNfhmc5N2We9B1aQWsLjNj2ZE=
X-Received: by 10.194.186.242 with SMTP id fn18mr40595534wjc.65.1461004122751; Mon, 18 Apr 2016 11:28:42 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.186.242 with SMTP id fn18mr40595518wjc.65.1461004122558; Mon, 18 Apr 2016 11:28:42 -0700 (PDT)
Received: by 10.28.217.149 with HTTP; Mon, 18 Apr 2016 11:28:42 -0700 (PDT)
In-Reply-To: <57148B14.7020507@azet.sk>
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com> <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com> <57118EB7.9080907@nthpermutation.com> <CAMfhd9VPWzqudB9X2ptHpsfD655FB+=5EpQN7Btuf7yU56-VvQ@mail.gmail.com> <57148B14.7020507@azet.sk>
Date: Mon, 18 Apr 2016 14:28:42 -0400
Message-ID: <CAKDPBw_28dT8zEyu=QxLrHMVb0STecvU4ddRS=nEarHw3=+5zA@mail.gmail.com>
From: Paul Grubbs <pag225@cornell.edu>
To: Fedor Brunner <fedor.brunner@azet.sk>
Content-Type: multipart/alternative; boundary="047d7bb04deabdcec50530c687f8"
Received-SPF: Neutral (sf-e2013-08.exchange.cornell.edu: 74.125.82.72 is neither permitted nor denied by domain of pag225@cornell.edu)
X-ORG-HybridRouting: 7d01ca72d992f9ad6ddb93b21fb51d08
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/7XeJbPAkJTsEEQs2m1vuJQljAS8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Apr 2016 18:29:52 -0000
In some settings using AES for data encryption is required by law, regulation, or best practices. I doubt the use of AES in Poly1305 would pass muster, since it's only authenticating and not encrypting. On Mon, Apr 18, 2016 at 3:21 AM, Fedor Brunner <fedor.brunner@azet.sk> wrote: > Adam Langley: > > On Fri, Apr 15, 2016 at 6:00 PM, Michael StJohns <msj@nthpermutation.com> > wrote: > >> That's not exactly what I mean/meant. In TLS, the same message (record, > >> etc) sent under the same key and IV/NONCE (as produced by the TLS > PRF/KDF > >> functions or produced randomly) will provide different ciphertext based > on > >> the fact that the record counter changes with each message. That > counter > >> doesn't necessarily have to be part of the authenticated data in an AEAD > >> cipher as the nonce formation is somewhat external to processing (with > the > >> exception of the block counter). > >> > >> To get the equivalent behavior for AES-GCM-SIV, you need to ensure > there is > >> some sort of per-message unique mixin (unique within the association > >> duration at least) that causes the tag to be different which causes the > >> nonce to be different. > > > > That's correct and, in the case of TLS, I'd suggest that the sequence > > number be used as the nonce in order to make sure that equal messages > > don't produce equal ciphertexts. Although, to be clear, I'm not > > suggesting that AES-GCM-SIV be used in TLS or in any situation where a > > counter nonce is easy. Transport security is generally a situation > > where a single sender can just use a counter and, in those cases, > > AES-GCM is better. > > > > But there are situations where nonce management is a problem (i.e. > > where there are multiple machines encrypting with a single key) and, > > for that, I think AES-GCM-SIV is pretty attractive because one can > > reasonably use a random nonce. > > https://cr.yp.to/papers.html#xsalsa > > XSalsa20 is Salsa20 cipher with nonce extended to 192 bits. So there is > no need to manage nonces, they can be generated with RNG. Could you > please describe applications where you would prefer AES-GCM-SIV over > XSalsa20+Poly1305 > > > > > > > Cheers > > > > AGL > > > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Greg Hudson
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… David McGrew
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Salz, Rich
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Grigory Marshalko
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… denis bider
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Watson Ladd
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Grubbs
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Lambert
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Bryan Ford
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Mike Hamburg
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay