Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Andy Lutomirski <luto@amacapital.net> Thu, 21 April 2016 19:46 UTC

To: Adam Langley <agl@imperialviolet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/GyhRVRu2vvNLc_AWLAbDrcTlYpg>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>

On Thu, Apr 14, 2016 at 2:12 PM, Adam Langley <agl@imperialviolet.org> wrote:
> On Thu, Apr 7, 2016 at 4:55 PM, Adam Langley <agl@imperialviolet.org> wrote:
>> Will do as soon as I'm able (which should be next week).
>
> -03 is hopefully clearer on this point:
> https://tools.ietf.org/html/draft-gueron-gcmsiv-03#section-4

This is much clearer to me.

However:

   This record-encryption
   key is defined as the concatenation of the result of encrypting,
   using the AES key, the nonce with the least-significant bit of the
   first byte set to zero and then to one.

Why is it designed this way?  This has the odd property that the
record encryption key is the same for two messages with nonces that
differ only in the LSB of the first byte.

Alternative designs include:

a) Concatenate the results of encrypting the nonce and the nonce with
the LSB of the first byte flipped.

b) Concatenate the results of encrypting the nonce and the nonce + 1.

Both of these will have related nonces generate related keys, but at
least they won't generate the *same* key.

It still seems to me that performance for short block sizes may be
rather poor given the key setup needed.

--Andy
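Added illustration (not from the draft or from any poster in the thread) of the property raised above: the draft-03 derivation quoted in the message is implemented alongside alternatives (a) and (b), and the three are compared on nonces that differ only in the LSB of the first byte. It assumes a 16-byte nonce and replaces AES block encryption with a constructed keyed-PRF stand-in, since the collision comes from the derivation structure and not from AES itself.

```python
import hashlib
import hmac
import itertools

# Constructed stand-in for AES_K(block): a keyed PRF truncated to 16 bytes.
# It is NOT AES; only the derivation structure around it is demonstrated.
def block_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == 16
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

def with_lsb(nonce: bytes, bit: int) -> bytes:
    """Nonce with the least-significant bit of the first byte forced to `bit`."""
    return bytes([(nonce[0] & 0xFE) | (bit & 1)]) + nonce[1:]

def draft03_record_key(key: bytes, nonce: bytes) -> bytes:
    # As quoted from draft-03: E_K(nonce, lsb=0) || E_K(nonce, lsb=1).
    # The input nonce's own LSB is discarded, hence the collision.
    return block_encrypt(key, with_lsb(nonce, 0)) + block_encrypt(key, with_lsb(nonce, 1))

def alt_a_record_key(key: bytes, nonce: bytes) -> bytes:
    # (a) E_K(nonce) || E_K(nonce with LSB of first byte flipped)
    flipped = bytes([nonce[0] ^ 1]) + nonce[1:]
    return block_encrypt(key, nonce) + block_encrypt(key, flipped)

def alt_b_record_key(key: bytes, nonce: bytes) -> bytes:
    # (b) E_K(nonce) || E_K(nonce + 1), big-endian increment mod 2^128
    n = (int.from_bytes(nonce, "big") + 1) % (1 << 128)
    return block_encrypt(key, nonce) + block_encrypt(key, n.to_bytes(16, "big"))

def count_key_collisions(derive, key: bytes, nonces) -> int:
    """Number of distinct nonce pairs whose derived record keys are byte-identical."""
    keys = [derive(key, n) for n in nonces]
    return sum(1 for a, b in itertools.combinations(keys, 2) if a == b)

KEY = bytes(range(16))  # constructed sample key
# Constructed nonces: N0 and N1 differ only in the LSB of the first byte; N2 is unrelated.
N0 = bytes(16)
N1 = bytes([0x01]) + bytes(15)
N2 = bytes([0xFF] * 16)
NONCES = [N0, N1, N2]

if __name__ == "__main__":
    for name, derive in [("draft-03", draft03_record_key),
                         ("alt (a)", alt_a_record_key),
                         ("alt (b)", alt_b_record_key)]:
        print(f"{name}: colliding nonce pairs = {count_key_collisions(derive, KEY, NONCES)}")
```

With alternative (a), N0 and N1 still yield related keys (the two halves are swapped), which is the "related nonces generate related keys" caveat from the message; only the draft-03 form yields the same key.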