[Cfrg] AES-PMAC-SIV

Yehuda Lindell <Yehuda.Lindell@biu.ac.il> Wed, 08 November 2017 21:02 UTC

From: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Wed, 08 Nov 2017 21:02:43 +0000
Message-ID: <3E54E0CC-AE74-4CDC-A499-17219D9E0987@biu.ac.il>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Du9QoBfVAovpkbiwwFKlwWuFMrc>
Subject: [Cfrg] AES-PMAC-SIV
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

Regarding PMAC-SIV versus AES-GCM-SIV: it may be the case that some people do not want to implement GMAC based modes on embedded devices; I’m not sure, and there is some psychology here.

In any case, I do not want to relate to the question of standardizing PMAC-SIV. But, I feel I must respond to some comments made regarding AES-GCM-SIV, since there are some significant inaccuracies.

1) I don’t know how it can be hard to find implementations of AES-GCM-SIV to benchmark against. In addition to reporting measurements in the papers, we have also explicitly referenced both the github AES-NI implementation at https://github.com/Shay-Gueron/AES-GCM-SIV, and the BoringSSL implementation. Note that BoringSSL can be compiled both with AES-NI + CLMUL and without AES-NI (and CLMUL). So, you can compare easily on modern x86 processors and also on ARM v7 (which does not have AES-NI and CLMUL).

2) The statement about bounds is blatantly false. Indeed, AES-SIV has a birthday limit on the number of blocks. After encrypting 2^64 blocks, the adversary has an advantage of 1/2. Thus, in order to limit the adversary’s advantage to 2^-32, you can encrypt at most 2^48 blocks. In contrast, AES-GCM-SIV comes with BEYOND BIRTHDAY BOUNDS. This is described explicitly in the AES-GCM-SIV papers. In fact, if the same nonce is always used, then AES-GCM-SIV has the same bounds as AES-SIV, but when nonces repeat a bounded amount, AES-GCM-SIV’s bounds are way beyond AES-SIV.

(GCM indeed has a 2^32 bound on the NUMBER OF MESSAGES when using a random IV, in order to keep the adversary advantage below 2^-32. However, in the setting with random nonces, AES-GCM-SIV can encrypt 2^48 messages of length 2^21 each, or 2^64 messages of length 2^13 each, and still have an adversarial advantage of only 2^-32.)
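The birthday arithmetic behind the AES-SIV and random-IV GCM figures in the post, as an added worked example (not part of the original message): it uses the standard approximation that q values drawn from a 2^n space collide with probability about q(q-1)/2^(n+1), and derives the largest power-of-two usage count that keeps an adversary's advantage under a target. The beyond-birthday numbers quoted for AES-GCM-SIV come from the papers' own analysis and are not reproduced here.

```python
from fractions import Fraction

def birthday_advantage(q: int, n: int) -> Fraction:
    """Birthday approximation: q items from a 2^n-sized space collide with
    probability about q*(q-1)/2^(n+1).  Exact rationals are used so that
    2^128-scale values are not rounded away by floating point."""
    return Fraction(q * (q - 1), 2 ** (n + 1))

def max_power_of_two(n: int, target: Fraction) -> int:
    """Largest power-of-two count q whose birthday advantage stays <= target.
    Powers of two match how usage limits are normally stated (2^48, 2^32)."""
    q = 1
    while birthday_advantage(q * 2, n) <= target:
        q *= 2
    return q

def usage_limits() -> dict:
    """Usage limits implied by the post's figures:
    - AES-SIV: n=128 (block collisions under the 128-bit block cipher),
      limits on the number of blocks for advantage 1/2 and 2^-32;
    - GCM with random 96-bit IVs: n=96 (nonce collisions),
      limit on the number of messages for advantage 2^-32."""
    return {
        "aes_siv_blocks_adv_1/2": max_power_of_two(128, Fraction(1, 2)),
        "aes_siv_blocks_adv_2^-32": max_power_of_two(128, Fraction(1, 2 ** 32)),
        "gcm_random_iv_messages_adv_2^-32": max_power_of_two(96, Fraction(1, 2 ** 32)),
    }

if __name__ == "__main__":
    for name, limit in usage_limits().items():
        print(f"{name}: 2^{limit.bit_length() - 1}")
```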