Re: [Cfrg] Critique of AES-GCM-SIV
Marko Kreen <markokr@gmail.com> Fri, 17 February 2017 12:53 UTC
Return-Path: <markokr@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 184F01299D9 for <cfrg@ietfa.amsl.com>; Fri, 17 Feb 2017 04:53:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOU3tG2JP052 for <cfrg@ietfa.amsl.com>; Fri, 17 Feb 2017 04:53:00 -0800 (PST)
Received: from mail-lf0-x244.google.com (mail-lf0-x244.google.com [IPv6:2a00:1450:4010:c07::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BF7A1299D6 for <cfrg@irtf.org>; Fri, 17 Feb 2017 04:53:00 -0800 (PST)
Received: by mail-lf0-x244.google.com with SMTP id q89so3778892lfi.1 for <cfrg@irtf.org>; Fri, 17 Feb 2017 04:53:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=gxq7BeN2t5XP32Qco0S2n54IdrHiUws5hEaZoiGuuD0=; b=pzfm2n8Zw34Mjky1xCwLhVL4NtayYNZch7q6GRvJMptcLoaHxOE0WZwcfOo4Ki/02K hQt7R5UUvqd6djCaBkimrFUdSNLIAiw3VcT2GffzwltEkLHscjcuCSX19jJ2WAukMZIl EpHn2wN49kFut6VlvfxyGWTf9G1CpsZWntIEz8v7dkPV0XIa8rmczviDJE/lNg7ruCBt Hk3cmq93Qjohc2qwdHP1o+7wBpboW/l66FD+1pzBcdo23X1oN9gPCR8Q1zramgUlrLYa WBo5K/xcFMbMiDljjf28hhsz0nFE3tAixifGEwcpFrYcauhv3w+JBcQj6IM05Hjr3pNf dhfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=gxq7BeN2t5XP32Qco0S2n54IdrHiUws5hEaZoiGuuD0=; b=eCMOXhV56MEOSEhNIiY5kLw8881v4DV9eLSAbaQQ+jbz4tcwisl8AJG/uRTwM+Vwea DGGiqGnVOhsPx71u5FrFQcQ70Qi25H2a9P045jIA9x6LtdEj2VaK1DmZKKYP43UV+7+u OJ5rUBM+RarRi1FvnzMwOHvyrzeOPUq8BbuFetvvw8IokT/W3/TeASOeLl1+sd6lTCXP 5K/iCcJEZXsLUiGxohkCLMhwEEhsKRgvgZ8GwfI3H58wTht9A7OalXycZdiJThRoTA9c CPFTRzon218HAsBCpq94QNM8dhE7xTcIuqDvju4MMfOarNWrz1G4d+VpJyC92jqIn48z 6WxA==
X-Gm-Message-State: AMke39mKhZtM46q4/JHfYg/JZhpKoGf09uVVr6L+CjYmDZcrUkHmsQ0vIXPK6HamjBpZ7A==
X-Received: by 10.25.196.146 with SMTP id u140mr1832384lff.21.1487335978499; Fri, 17 Feb 2017 04:52:58 -0800 (PST)
Received: from gmail.com (138.246.50.84.sta.estpak.ee. [84.50.246.138]) by smtp.gmail.com with ESMTPSA id 12sm2506604lju.16.2017.02.17.04.52.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 04:52:57 -0800 (PST)
Date: Fri, 17 Feb 2017 14:52:55 +0200
From: Marko Kreen <markokr@gmail.com>
To: Daniel Bleichenbacher <bleichen@google.com>
Message-ID: <20170217125255.GA16732@gmail.com>
References: <20170217000247.GB23785@gmail.com> <CAPqF7e2xFVqbw0cCi4468_Ag+Lp4QuXPMaR2cNsU4m_F7hFppQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAPqF7e2xFVqbw0cCi4468_Ag+Lp4QuXPMaR2cNsU4m_F7hFppQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/D2omEoDbiNM-IHrCtYROa9RxuD8>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Critique of AES-GCM-SIV
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 12:53:02 -0000
On Fri, Feb 17, 2017 at 11:00:56AM +0100, Daniel Bleichenbacher wrote: > On Fri, Feb 17, 2017 at 1:02 AM, Marko Kreen <markokr@gmail.com> wrote: > > I have reviewed the AES-GCM-SIV proposal (draft 3). And while there > > are parts I like - overall direction to higher security and > > getting rid of GCM bitflipping - current design feels "ugly". > > (That's a cryptographic term.) > I actually don't know what "ugly" means as a cryptographic term. Well, it was supposed to be a joke... > My guess would something like difficult to formally analyze. But I think we are mostly on same page. My main complaint was that if it's nonce-misuse-resistant mode, then why does nonce misuse have such a big effect on behaviour: on one case message is protected by fresh key and counter, on other case only fresh counter. So nonce misuse makes it behave as different mode that needs to be analyzed separately. > E.g. in the proposal above if N and N xor 1 are both used as nonces then > AuthKey and SubKey1 change their role and that seems to add a lot of > complexity > to a potential analysis. But they are used for completely different algorithms? If such cross-algorithm usage is exploitable, it seems to mean both algorithms are unexpectedly weak and should not be used? Still, it should be simple to fix it. > > Comments? > I have problems to see how this proposal is safe. > I.e. Cooley used that POLYVAL returns 0 if A and P are empty in the > AES-GCM-SIV cryptanalysis. > In the proposal above using A="" and P = "" results in > Tag = AES(K,N) > Therefore an attacker can use the proposal above as an oracle to for > encrypting single blocks with K. > This is all that is needed to break the proposal. > Hence it seems to me that even a nonce respecting adversary can break this > proposal. Thank you for your review. Funny thing is that I was rather unsure about xor N part when encrypting RawTag, but then I simply copied what current AES-GCM-SIV does. But main thing I take from your comment is that encrypting with K does need domain separation between public and private values. Here is draft 2 of AES-GCM-SAFE with following changes: - remove xor 1, instead use recursive encryption - remove xor N when encrypting RawTag - spent 1 bit to separate public and private encryptions with K. - add xor N to SubKey2 to keep all nonce bits in play. - add AuthIV to get rid of special cases of zero-len and zero-filled data for POLYVAL. AES-GCM-SAFE (draft 2) ====================== Cipher mode that uses key, nonce and MAC(message) to synthesize both counter and encryption key. Input: K = 128/256-bit key N = 128-bit Nonce P = plaintext A = additional data Process: AuthKey = AES(K, SetBit(N, 0)) SubKey1 = AES(K, SetBit(AuthKey, 0)) AuthIV = AES(K, SetBit(SubKey1, 0)) RawTag = POLYVAL(AuthKey, AuthIV || PAD(A) || PAD(P) || LEN(A) || LEN(P)) Tag = AES(K, SetBit(RawTag, 1)) SubKey2 = AES(K, SetBit(Tag, 0)) xor N Counter = AES(K, SetBit(SubKey2, 0)) EncKey/128 = SubKey1 xor SubKey2 EncKey/256 = SubKey1 || SubKey2 CipherText = AES-CTR(EncKey, Counter, P) || Tag Where: || - concat SetBit(v, bit) - set low bit value LEN(V) - number of bits in V in 64-bit little-endian format PAD(V) - zero-pad to full block AES(K, V) - Encrypt V with key K AES-CTR(K, C, V) - Encrypt V with key K and counter C I don't see the need to separate internal encryptions, but than means any of (AuthKey, AuthIV, SubKey1, SubKey2, Counter) may be equal. It seems like a good thing - less constrants for attacker to expoit. Your thoughts? -- marko
- [Cfrg] Critique of AES-GCM-SIV Marko Kreen
- Re: [Cfrg] Critique of AES-GCM-SIV Daniel Bleichenbacher
- Re: [Cfrg] Critique of AES-GCM-SIV Marko Kreen
- Re: [Cfrg] Critique of AES-GCM-SIV Aaron Zauner
- Re: [Cfrg] Critique of AES-GCM-SIV Marko Kreen