Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Taylor R Campbell <campbell+cfrg@mumble.net> Tue, 26 April 2016 19:25 UTC

From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
In-reply-to: <D3452928.2AFA1%uri@ll.mit.edu>
Date: Tue, 26 Apr 2016 19:25:19 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9QK_4pK42MivVSOhmNUPMAtBMWY>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

   Date: Tue, 26 Apr 2016 18:22:16 +0000
   From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>

   On 4/26/16, 14:07, "Cfrg on behalf of Mike Hamburg"
   <cfrg-bounces@irtf.org on behalf of mike@shiftleft.org> wrote:

   >While it probably wouldn't lead to an attack, I have some hesitation
   >about encrypting the first packet with (K0,K1) and the second packet with
   >(K1,K0).

   AES seems to have resistance to related key attacks. I find this issue
   (aka [K0, K1] vs [K1, K0]) a far lower risk than having the same key used
   for both messages.

Alex Biryukov and Dmitry Khovratovich, `Related-key Cryptanalysis of
the Full AES-192 and AES-256', <https://eprint.iacr.org/2009/317>.

Maybe the particular attacks discussed in that paper don't work
directly in this scenario (they almost certainly don't, since they
work with four keys), but `AES seems to have resistance to related key
attacks' is hardly the case.