Re: [Cfrg] AES-PMAC-SIV
Yehuda Lindell <Yehuda.Lindell@biu.ac.il> Thu, 09 November 2017 08:54 UTC
From: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>
To: Tony Arcieri <bascule@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] AES-PMAC-SIV
Date: Thu, 09 Nov 2017 08:54:01 +0000
Message-ID: <36353EBA-9639-46C7-96E7-34635E4F37BB@biu.ac.il>
References: <3E54E0CC-AE74-4CDC-A499-17219D9E0987@biu.ac.il> <CAHOTMV+=uXxr-VuwXqO6QcxnE=TZiGzLho_kNA4q=p5F8nfbEg@mail.gmail.com>
In-Reply-To: <CAHOTMV+=uXxr-VuwXqO6QcxnE=TZiGzLho_kNA4q=p5F8nfbEg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GOfC-tN3RpnqurJsUxVxbp1ZjNY>
Subject: Re: [Cfrg] AES-PMAC-SIV
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
Hi,

The intention in the spec text is that if the nonce is fixed then AES-GCM-SIV has a birthday bound on the overall number of blocks (like AES-GCM, AES-CCM, AES-SIV, etc.), even if the adversary is nonce-respecting. This means that you can encrypt up to 2^48 blocks overall with the same nonce in AES-GCM-SIV, with the adversarial advantage of only 2^-32. The detailed analysis of all of these security considerations appears in the series of papers referred to. I suggest looking at https://eprint.iacr.org/2017/168.pdf and https://eprint.iacr.org/2017/702.pdf. We have also put up a webpage with information and FAQs. See: http://cyber.biu.ac.il/aes-gcm-siv

Yehuda

> On 9 Nov 2017, at 3:29, Tony Arcieri <bascule@gmail.com> wrote:
>
> On Wed, Nov 8, 2017 at 1:02 PM, Yehuda Lindell <Yehuda.Lindell@biu.ac.il> wrote:
> > 1) I don't know how it can be hard to find implementations of AES-GCM-SIV to benchmark against. In addition to reporting measurements in the papers, we have also explicitly referenced both the github AES-NI implementation at https://github.com/Shay-Gueron/AES-GCM-SIV, and the BoringSSL implementation. Note that BoringSSL can be compiled both with AES-NI + CLMUL and without AES-NI (and CLMUL). So, you can compare easily on modern x86 processors and also on ARM v7 (which does not have AES-NI and CLMUL).
>
> Thank you. I'm not sure how I didn't find this. I assure you I looked!
>
> > 2) The statement about bounds is blatantly false. Indeed, AES-SIV has a birthday limit on the number of blocks. After encrypting 2^64 blocks, the adversary has an advantage of 1/2. Thus, in order to limit the adversary's advantage to 2^-32, you can encrypt at most 2^48 blocks. In contrast, AES-GCM-SIV comes with BEYOND BIRTHDAY BOUNDS. This is described explicitly in the AES-GCM-SIV papers. In fact, if the same nonce is always used, then AES-GCM-SIV has the same bounds as AES-SIV, but when nonces repeat a bounded amount, AES-GCM-SIV's bounds are way beyond AES-SIV.
>
> The specific bounds I am referring to are the ones referred to in section 9 (Security Considerations) of draft-irtf-cfrg-gcmsiv-06:
>
> If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a random nonce, with the caveat that identical plaintexts will produce identical ciphertexts. However, we feel that the 2^32 limit for AES-GCM is too risky in a multi-key setting. Thus with AES-GCM-SIV we recommend that, for a specific key, a nonce not be repeated more than 2^8 times.
>
> I apologize if this is a mischaracterization. I actually asked a number of people about this particular bound prior to posting, and at one point was of the opinion I shouldn't even mention it. I would definitely appreciate any clarifications you can provide to these bounds and how these relate to the corresponding ones in AES-SIV.
>
> --
> Tony Arcieri
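As an added illustration of the two limits discussed in this exchange (example code written for this page, not code from the AES-GCM-SIV papers, the draft, or any implementation mentioned in the thread): the block below uses the simplified birthday model Adv <= q^2 / 2^(n+1) for q blocks under one n-bit-block key, which reproduces the figures quoted above (2^64 blocks gives advantage 1/2; 2^48 blocks stays below 2^-32), and it enforces the draft-irtf-cfrg-gcmsiv-06 section 9 recommendation that a nonce not be repeated more than 2^8 times per key. The names KeyUsageBudget, BudgetExceeded and gcm_siv_policy, the per-message block accounting, and the simplified model itself are assumptions of this example; the precise bounds, with their extra terms, are in the papers cited in the message.

```python
"""Key-usage budgeting for an AES-based SIV mode under a birthday bound.

Added illustration for the thread above; not code from the AES-GCM-SIV
papers, the draft, or any implementation mentioned there. It assumes a
simplified bound Adv <= q^2 / 2^(n+1) for q blocks of n bits under one
key; the exact terms are in the papers cited in the thread.
"""
import math

BLOCK_BITS = 128  # AES block size; all budgets below count 128-bit blocks


class BudgetExceeded(Exception):
    """Raised when an encryption would exceed a key's usage policy."""


def advantage_log2(blocks: int, block_bits: int = BLOCK_BITS) -> float:
    """log2 of the (assumed) distinguishing advantage q^2 / 2^(n+1) after
    q blocks under one key. With n = 128, q = 2^64 gives -1 (i.e. 1/2) and
    q = 2^48 gives -33, matching the figures quoted in the thread."""
    if blocks < 1:
        raise ValueError("blocks must be positive")
    return 2 * math.log2(blocks) - (block_bits + 1)


def max_blocks_for_advantage(adv_log2: int, block_bits: int = BLOCK_BITS) -> int:
    """Largest q with q^2 / 2^(n+1) <= 2^adv_log2, computed exactly as
    floor(sqrt(2^(n + 1 + adv_log2))). adv_log2 is a (negative) integer."""
    exponent = block_bits + 1 + adv_log2
    if exponent < 0:
        return 0
    return math.isqrt(1 << exponent)


def blocks_for_message(plaintext_len: int, aad_len: int = 0) -> int:
    """Conservative block count charged to the key for one message: one
    PRF/hash pass over AAD and plaintext, one CTR pass over the plaintext,
    and one block for the tag. This accounting is an assumption of the
    example, not taken from either specification."""
    pt_blocks = -(-plaintext_len // 16)   # ceil(len / 16)
    aad_blocks = -(-aad_len // 16)
    return aad_blocks + 2 * pt_blocks + 1


class KeyUsageBudget:
    """Per-key policy enforcer: a total block budget plus a cap on how many
    times any single nonce may be reused under this key (hypothetical name)."""

    def __init__(self, max_blocks: int, max_nonce_repeats: int) -> None:
        self.max_blocks = max_blocks
        self.max_nonce_repeats = max_nonce_repeats
        self.blocks_used = 0
        self.nonce_uses = {}

    def charge(self, nonce: bytes, plaintext_len: int, aad_len: int = 0) -> int:
        """Account for one encryption under this key. Raises BudgetExceeded
        (without mutating state) if the message would breach either limit;
        otherwise returns the total number of blocks used so far."""
        uses = self.nonce_uses.get(nonce, 0) + 1
        if uses > self.max_nonce_repeats:
            raise BudgetExceeded(
                f"nonce {nonce.hex()} would be used {uses} times; "
                f"limit is {self.max_nonce_repeats}")
        cost = blocks_for_message(plaintext_len, aad_len)
        if self.blocks_used + cost > self.max_blocks:
            raise BudgetExceeded(
                f"key block budget {self.max_blocks} exhausted; rotate the key")
        self.nonce_uses[nonce] = uses
        self.blocks_used += cost
        return self.blocks_used


def gcm_siv_policy(target_adv_log2: int = -32) -> KeyUsageBudget:
    """Policy reflecting the thread: block budget from the birthday bound at
    the chosen advantage, plus the draft-irtf-cfrg-gcmsiv-06 section 9
    recommendation that a nonce not repeat more than 2^8 times per key."""
    return KeyUsageBudget(max_blocks=max_blocks_for_advantage(target_adv_log2),
                          max_nonce_repeats=2 ** 8)


def demo() -> bool:
    """Use one fixed nonce 2^8 times, then show that the 257th use is refused."""
    budget = gcm_siv_policy()
    nonce = bytes(12)  # constructed fixed 96-bit nonce for the demonstration
    for _ in range(2 ** 8):
        budget.charge(nonce, plaintext_len=4096)
    try:
        budget.charge(nonce, plaintext_len=4096)
    except BudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    print("2^64 blocks -> advantage 2^%d" % advantage_log2(2 ** 64))
    print("block budget for advantage 2^-32:", max_blocks_for_advantage(-32))
    print("257th use of a fixed nonce refused:", demo())
```

The two limits are independent: an AES-SIV deployment would set max_nonce_repeats to an arbitrarily large value and rely on the block budget alone, whereas the AES-GCM-SIV policy keeps both, since its beyond-birthday bounds only apply while nonce repetition stays bounded.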