[Cfrg] Updated bounds in AES-GCM-SIV paper

Adam Langley <agl@imperialviolet.org> Mon, 17 July 2017 02:09 UTC

From: Adam Langley <agl@imperialviolet.org>
Date: Sun, 16 Jul 2017 19:09:20 -0700
Message-ID: <CAMfhd9UOFNfqoEp31r2moVaEfQZoeppP7h2Anrz0BBP518SeYA@mail.gmail.com>
To: cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/H_nbZXtezA-a4UeRBPDsYdW-N-M>
Subject: [Cfrg] Updated bounds in AES-GCM-SIV paper

Dear CFRG,

We would like to thank Yannick Seurin and Tetsu Iwata for alerting us
to the fact that we had erroneously assumed that one of the terms in
the security bounds of AES-GCM-SIV was negligible when, for
indistinguishability, it was not. Thus, while the security proof was
correct, the example concrete bounds were over-optimistic, most
notably for very large messages. This was most evident in Fig. 4.

We have updated the paper[1] to correct this mistake and we draw the
group's attention to the revised figure four (now called Table 1). For
typical uses, thankfully, the difference is not material, but we
wish to highlight that one cannot encrypt many messages of
many gigabytes using AES-GCM-SIV, in contrast to what the figures
previously suggested. However, even in such a case of very long
messages, the overall number of blocks encrypted safely is still
significantly higher than for previous schemes.

[1] https://eprint.iacr.org/2017/168


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org