IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 26 April 2016 18:22 UTC

Return-Path: <prvs=39249cba86=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F99612D570 for <cfrg@ietfa.amsl.com>; Tue, 26 Apr 2016 11:22:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.195
X-Spam-Level:
X-Spam-Status: No, score=-5.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AA9_uMw8UmsL for <cfrg@ietfa.amsl.com>; Tue, 26 Apr 2016 11:22:21 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 876FF12D55F for <cfrg@irtf.org>; Tue, 26 Apr 2016 11:22:21 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id u3QIKhFh012238; Tue, 26 Apr 2016 14:20:43 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Hamburg <mike@shiftleft.org>, Adam Langley <agl@imperialviolet.org>
Thread-Topic: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Thread-Index: AQHRn+CxX1PwsvPXs0SXgFK4SyR0eZ+c0EOA///BEwA=
Date: Tue, 26 Apr 2016 18:22:16 +0000
Message-ID: <D3452928.2AFA1%uri@ll.mit.edu>
References: <D33EAB85.2AC03%uri@ll.mit.edu> <emd177ba4d-0be1-4293-afb1-fc0b1a9c54f9@sgueron-mobl3> <CALCETrWnuuhQGP7zLO9kh+EEsOXaDZycQVSge_=8R38cQj1-vQ@mail.gmail.com> <CAMfhd9Xex0JLW8UWrUAjQb-bTizCp7XKCsgPB3R1k2eM3Pzuwg@mail.gmail.com> <88D2AC3F-93B9-4357-816F-520D970180E2@shiftleft.org>
In-Reply-To: <88D2AC3F-93B9-4357-816F-520D970180E2@shiftleft.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.2.160219
x-originating-ip: [172.25.177.156]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha384"; boundary="B_3544525330_26780790"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-04-26_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1603290000 definitions=main-1604260298
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/DiQ7Rie4W_laAheX1074rNKmyZw>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2016 18:22:24 -0000

On 4/26/16, 14:07 , "Cfrg on behalf of Mike Hamburg"
<cfrg-bounces@irtf.org on behalf of mike@shiftleft.org> wrote:

>> On Apr 26, 2016, at 10:25 AM, Adam Langley <agl@imperialviolet.org>
>>wrote:
>> 
>>Although the record encryption key may be the same for pairs of
>> messages in AES-256 mode, that doesn't lead to identical plaintexts
>> having identical ciphertexts because the nonce is xored into S_s,
>> which ends up controlling the tag and thus the initial counter.
>> 
>> Still, Shay and I chatted and the idea to XOR the nonce with 1 for the
>> second half seems like it might be cleaner. I believe that Shay and
>> Yehuda are working on updating the analysis and may incorporate this
>> change.

>While it probably wouldn’t lead to an attack, I have some hesitation
>about encrypting the first packet with (K0,K1) and the second packet with
>(K1,K0).

AES seems to have resistance to related key attacks. I find this issue
(aka [K0, K1] vs [K1, K0]) a far lower risk that having the same key used
for both messages.

Of course I still think that OFB for record key generation is better than
either this or the original method. ;)

>Too bad AES predates tweakable ciphers.  Then the solution would be easy.

:-)

But it doesn’t, and it isn’t. ;)

v2.23.0 | Report a Bug | By Email