Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Paul Grubbs <pag225@cornell.edu> Mon, 18 April 2016 18:29 UTC

In-Reply-To: <57148B14.7020507@azet.sk>
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com> <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com> <57118EB7.9080907@nthpermutation.com> <CAMfhd9VPWzqudB9X2ptHpsfD655FB+=5EpQN7Btuf7yU56-VvQ@mail.gmail.com> <57148B14.7020507@azet.sk>
Date: Mon, 18 Apr 2016 14:28:42 -0400
Message-ID: <CAKDPBw_28dT8zEyu=QxLrHMVb0STecvU4ddRS=nEarHw3=+5zA@mail.gmail.com>
From: Paul Grubbs <pag225@cornell.edu>
To: Fedor Brunner <fedor.brunner@azet.sk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/7XeJbPAkJTsEEQs2m1vuJQljAS8>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

In some settings using AES for data encryption is required by law,
regulation, or best practices. I doubt the use of AES in Poly1305 would
pass muster, since it's only authenticating and not encrypting.

On Mon, Apr 18, 2016 at 3:21 AM, Fedor Brunner <fedor.brunner@azet.sk>
wrote:

> Adam Langley:
> > On Fri, Apr 15, 2016 at 6:00 PM, Michael StJohns <msj@nthpermutation.com>
> > wrote:
> >> That's not exactly what I mean/meant.  In TLS, the same message (record,
> >> etc) sent under the same key and IV/NONCE (as produced by the TLS PRF/KDF
> >> functions or produced randomly) will provide different ciphertext based on
> >> the fact that the record counter changes with each message.  That counter
> >> doesn't necessarily have to be part of the authenticated data in an AEAD
> >> cipher as the nonce formation is somewhat external to processing (with the
> >> exception of the block counter).
> >>
> >> To get the equivalent behavior for AES-GCM-SIV, you need to ensure there is
> >> some sort of per-message unique mixin (unique within the association
> >> duration at least) that causes the tag to be different which causes the
> >> nonce to be different.
> >
> > That's correct and, in the case of TLS, I'd suggest that the sequence
> > number be used as the nonce in order to make sure that equal messages
> > don't produce equal ciphertexts. Although, to be clear, I'm not
> > suggesting that AES-GCM-SIV be used in TLS or in any situation where a
> > counter nonce is easy. Transport security is generally a situation
> > where a single sender can just use a counter and, in those cases,
> > AES-GCM is better.
> >
> > But there are situations where nonce management is a problem (i.e.
> > where there are multiple machines encrypting with a single key) and,
> > for that, I think AES-GCM-SIV is pretty attractive because one can
> > reasonably use a random nonce.
>
> https://cr.yp.to/papers.html#xsalsa
>
> XSalsa20 is the Salsa20 cipher with the nonce extended to 192 bits, so there
> is no need to manage nonces: they can be generated with an RNG. Could you
> please describe applications where you would prefer AES-GCM-SIV over
> XSalsa20+Poly1305?
>
> >
> >
> > Cheers
> >
> > AGL
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
> >
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
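The exchange above turns on two properties of an SIV-style AEAD: with a fixed (key, nonce, AD, message) the output is fully deterministic, so equal records produce equal ciphertexts unless a per-message mixin such as a sequence number goes into the nonce (StJohns, Langley), while reusing a nonce for two different messages does not collapse the keystream the way it does in counter mode (Langley's multi-sender case). The script below is an added example for this thread, not code from any of the participants and not AES-GCM-SIV itself: AES and POLYVAL are replaced by HMAC-SHA256 so it runs on the Python standard library alone, the real scheme's per-nonce key derivation is omitted, and the key, nonce and messages are constructed demo values. What it keeps is the SIV structure under discussion: the tag is computed over (nonce, AD, plaintext) first and then used as the IV for encryption, and a GCM-shaped counter-mode scheme sits beside it for contrast.

```python
"""Toy SIV versus plain counter mode under nonce reuse (illustration only,
NOT AES-GCM-SIV: HMAC-SHA256 stands in for AES and POLYVAL)."""
import hashlib
import hmac
import os

NONCE_LEN = 12  # assumed fixed 96-bit nonce, as in AES-GCM-SIV

# Constructed demo key and nonce; not taken from the thread or any spec.
KEY = bytes(range(32))
NONCE = b"\x00" * NONCE_LEN


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes) -> tuple:
    """Separate MAC and encryption keys derived from the master key."""
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    return k_mac, k_enc


def _keystream(k_enc: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode over HMAC-SHA256; plays the role of AES-CTR here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _mac(k_mac: bytes, nonce: bytes, ad: bytes, data: bytes) -> bytes:
    """128-bit tag over nonce, AD and data, with length framing so the
    AD/data boundary is unambiguous (nonce length is fixed)."""
    framed = len(ad).to_bytes(8, "big") + ad + nonce + data
    return hmac.new(k_mac, framed, hashlib.sha256).digest()[:16]


def ctr_then_mac_encrypt(key, nonce, ad, msg):
    """GCM-shaped scheme: keystream depends on the nonce alone, tag over AD||CT."""
    assert len(nonce) == NONCE_LEN
    k_mac, k_enc = _subkeys(key)
    ct = _xor(msg, _keystream(k_enc, nonce, len(msg)))
    return ct, _mac(k_mac, nonce, ad, ct)


def siv_encrypt(key, nonce, ad, msg):
    """SIV-shaped scheme: tag over (nonce, AD, plaintext) first, tag used as IV."""
    assert len(nonce) == NONCE_LEN
    k_mac, k_enc = _subkeys(key)
    tag = _mac(k_mac, nonce, ad, msg)
    ct = _xor(msg, _keystream(k_enc, tag, len(msg)))
    return ct, tag


def siv_decrypt(key, nonce, ad, ct, tag):
    """Decrypt under the tag, recompute the tag, compare in constant time."""
    k_mac, k_enc = _subkeys(key)
    msg = _xor(ct, _keystream(k_enc, tag, len(ct)))
    if not hmac.compare_digest(_mac(k_mac, nonce, ad, msg), tag):
        raise ValueError("authentication failed")
    return msg


def ctr_nonce_reuse_leaks_xor(key, nonce, m1, m2) -> bool:
    """Nonce reuse in the CTR scheme: c1 XOR c2 == m1 XOR m2 (keystream cancels)."""
    c1, _ = ctr_then_mac_encrypt(key, nonce, b"", m1)
    c2, _ = ctr_then_mac_encrypt(key, nonce, b"", m2)
    return _xor(c1, c2) == _xor(m1, m2)


def siv_nonce_reuse_leaks_xor(key, nonce, m1, m2) -> bool:
    """Same probe against SIV: different messages give different tags, so the
    two keystreams differ and the XOR relation does not hold."""
    c1, _ = siv_encrypt(key, nonce, b"", m1)
    c2, _ = siv_encrypt(key, nonce, b"", m2)
    return _xor(c1, c2) == _xor(m1, m2)


def siv_is_deterministic(key, nonce, ad, msg) -> bool:
    """Equal (key, nonce, AD, message) gives equal ciphertext: the equality
    leak that needs a per-message mixin in the nonce."""
    return siv_encrypt(key, nonce, ad, msg) == siv_encrypt(key, nonce, ad, msg)


def seq_nonce(seq: int) -> bytes:
    """Counter nonce built from a record sequence number (single-sender case)."""
    return seq.to_bytes(NONCE_LEN, "big")


if __name__ == "__main__":
    record = b"same record sent twice"
    print("sequence-number nonce separates equal records:",
          siv_encrypt(KEY, seq_nonce(0), b"", record) != siv_encrypt(KEY, seq_nonce(1), b"", record))
    n = os.urandom(NONCE_LEN)  # random nonce: the multi-sender, shared-key setting
    ct, tag = siv_encrypt(KEY, n, b"hdr", record)
    print("random-nonce roundtrip:", siv_decrypt(KEY, n, b"hdr", ct, tag) == record)
```

The contrast to take away is in the two `*_nonce_reuse_leaks_xor` probes: under the counter-mode scheme a repeated nonce hands an attacker `m1 XOR m2` outright, whereas under the SIV structure the worst case is that an identical (nonce, AD, message) triple is recognisable as identical, which is why the thread asks for a sequence number in the nonce when equal messages must not produce equal ciphertexts.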