Re: [Cfrg] AES-GCM-SIV security of the additional data

"Blumenthal, Uri - 0553 - MITLL" <> Fri, 24 June 2016 22:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CE96112D1DE for <>; Fri, 24 Jun 2016 15:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.624
X-Spam-Status: No, score=-5.624 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZtOKdHegyqdI for <>; Fri, 24 Jun 2016 15:52:19 -0700 (PDT)
Received: from (LLMX2.LL.MIT.EDU []) by (Postfix) with ESMTP id DD026127078 for <>; Fri, 24 Jun 2016 15:52:18 -0700 (PDT)
Received: from ( by (unknown) with ESMTP id u5OMlO3G029492; Fri, 24 Jun 2016 18:47:24 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Jim Schaad <>, 'Daniel Bleichenbacher' <>, "'Paterson, Kenny'" <>
Thread-Topic: [Cfrg] AES-GCM-SIV security of the additional data
Thread-Index: AdHOargWqD25y0zmskKltSj3U+rSKQ==
Date: Fri, 24 Jun 2016 22:49:52 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============1311863122=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-06-24_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1606240242
Archived-At: <>
Resent-To: <>
Cc: "" <>
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Jun 2016 22:52:23 -0000

I don't think I understand this entire thread, starting with the perceived threat.

What sense does it make to ‎pass something confidential as Authenticated (but NOT encrypted) Data? What sense does it make for the sender to deliberately send Authenticated Data that cannot be authenticated (especially within symmetric encryption setting, where non-repudiation doesn't apply anyway)? Etc.

Regardless, the latest proposal by Shay seems to eliminate this threat, however artificial it may be.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
From: Jim Schaad
Sent: Friday, June 24, 2016 17:40
To: 'Daniel Bleichenbacher'; 'Paterson, Kenny'
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data

From: Cfrg [] On Behalf Of Daniel Bleichenbacher
Sent: Friday, June 24, 2016 7:15 AM
To: Paterson, Kenny <>
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data
On Fri, Jun 24, 2016 at 3:53 PM, Paterson, Kenny <> wrote:
Hi Antonio,

On 24/06/2016 14:40, "Antonio Sanso" <> wrote:

>hi Kenny
>On Jun 24, 2016, at 3:24 PM, Paterson, Kenny <>
>> In your scenario it looks like you are trying to use the shared secret S
>> to provide authentication of the sender to the receiver, along with
>> confidentiality for the message being delivered
>to me this seems a pretty common scenario.
>If I am not completely wrong in my understanding is for example what JWE
>does [0] and [1] for example

Key transport via PKE using, for example RSA-OAEP, is a certainly an
option in JWE. But what Daniel describes has an additional symmetric key
("S") for the purposes of authentication, I think, and does not strictly
match anything I've seen in the JSON RFCs. But let's allow Daniel to
answer on that one...


I'm not familiar with JWE so I can't comment on this protocol.
A typical scenario where S can't be used directly as key are low entropy secrets
such as passwords.
One motivation for me  to look into this is the question whether AES-GCM-SIV
could be used as a drop-in replacement for AES-GCM without doing an additional
security review of the resulting protocol.
So far, I'm not convinced that this can be done in all cases.
[JLS] This is probably not a good example for doing this.  I would agree that having separate keys for this is not a good way to approach this situation.  Just not having AD is a better way even if you have to generate the key.
JWE is a poor example of this because it is difficult to generate situations where there is not additional data generated by JWE itself for encrypting the content.  Also, if one is interested in doing a degree of origination one would either directly generate the key, in which case generating the authentication key would be part of the process or one would want to use the value in the KDF step rather than having an indirection involved.  Doing the indirection almost guarantees that you need to have additional steps in the process to guarantee that origination is going to be part of the process.
>> . In this scenario, it's
>> not clear to me why the sender and receiver would not just use S as an
>> AES-GCM-SIV key to transport a session key K, and then use K in another
>> instance of AES-GCM-SIV to transport the desired messages. Of course,
>> construction would not prevent replay attacks; for that you'd need
>> additional mechanisms, like incorporating a counter into the AD of the
>> key-transporting AEAD.
>> But perhaps one should not underestimate the ingenuity of implementers
>> wanting to use public key encryption. Is this where you are coming from?
>> On a related point, my view is that it is a disbenefit that the
>> AES-GCM-SIV proposal has two separate keys (one for encryption, the
>> for authentication) as inputs. That's not the AEAD interface that we
>> raised our implementers on. I raised this point at the CFRG meeting in
>> Vienna back in May. Simply concatenating the two keys in the current
>> proposal into one would address this issue, but not the one you raise
>> I understand it correctly).
>> (The minutes of the meeting can be found here:
>> im-2016-cfrg-1)
>> Regards
>> Kenny
>> On 24/06/2016 12:35, "Cfrg on behalf of Daniel Bleichenbacher"
>> < on behalf of> wrote:
>>> I'm wondering what can or should be expected about the security of the
>>> additional data.
>>> In particular, I'm considering the following scenario:
>>> Sender and receiver share a secret S.
>>> The sender knows the public key of the receiver and the receiver of
>>> course knows the private key.
>>> They use a hybrid encryption as follows:
>>> The sender chooses a new AES-GCM-SIV key, encrypts his message
>>> and includes S as additional data. The AES-GCM-SIV key is wrapped with
>>> the receivers public key and the wrapped key and ciphertext are sent to
>>> the receiver.
>>> Here an attacker can use that AES-GCM-SIV allows to select a key such
>>> that the
>>> element H used for POLYVAL is 0. In this case it would not be necessary
>>> for the sender
>>> to know S to construct a ciphertext that validates.
>>> A similar attack using AES-GCM seems much harder since the value H for
>>> the GHASH
>>> is obtained by encrypting 0 and thus I'm not aware of a way to do the
>>> same thing here.
>>> The attack does of course not violate any of the guarantees claimed.
>>> However, in the industry lots of ad hoc protocols are designed without
>>> proper security reductions and hence it seems a bit scary to me to
>>> this kind of "weak" keys. And since abuse resistance is
>>> one of the goals it might be a good idea to avoid such type of abuses.
>> _______________________________________________
>> Cfrg mailing list