Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

Shay Gueron <shay.gueron@gmail.com> Thu, 19 January 2017 13:50 UTC

Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCDE1295BB for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 05:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltMsevnSqYiW for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33F5E1294A1 for <cfrg@ietf.org>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
Received: by mail-yw0-x232.google.com with SMTP id l19so33556895ywc.2 for <cfrg@ietf.org>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=h22jKIsb2OuxoRLPDLgl7KmwxAPQucx/5Uc6YcDJZaM=; b=NUr6ej8SFPIhZDbpcqO3rKGi/Ag3ppFNBwbLJ0auvPHsmdPpse6pXFRb8EcfqmSSUo Nys57gSdzrdzbA8cgQQEW/JBGLpEN3M+QA/hRzlEwL1x6oo4uokLpKMkmoWZS6kePEbP ZzxrcLXyonAhsz0/aXm9VYQRTgPyz+5kA1j+WnBAPJSx7sykFRRsxftx56N8/Hoolbui A8dJ0PBiCpwm7yRgse0bGxS//enjHS/bDDwIGv6AHLR11MWBpfASodcaUmJMCvBFBTyx 7vaopA3KoPlcZX39TIOoUiKuwmpMabQGONM1/nemUVd3PxYbvWcbDaBjADu9Ao+a5NCH Ps/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=h22jKIsb2OuxoRLPDLgl7KmwxAPQucx/5Uc6YcDJZaM=; b=XKv7dcrxq3aD9nXvP/eWTvdt+fQCPWCBfLKFjE6tTWUnPhiQL07Fv5vuU9yXTl32Ai XSgyozrUunTKMcHln/zdJFn8b04EfG3NnCurvPHchAqIYSS09ZwYpOAr2H2uSTUj31mx Q1wvzcyHp8TrUHESuN+y2zthavNIVcaXy65vzBEL7T1cH+tcbntyD+N6LtwQ+ekSsoFM AP0RlunKhR+c6OUT4BzRxIAkPfkM9Ng5vooayKT6dKr+ce86ruSRFBDEcHi8S588i8Iy CGnCjb/RZpciIoSQAIKNSAIqVPicsOiMXLcJcGf5Xkdd1zIVXj9bCx9UxUxWOntc/WT8 9ZQg==
X-Gm-Message-State: AIkVDXL75hd7bNpkwKY1ZaQJstjXSAIinG1Le20CDmuaBZ01J4B3zPb2oP0P/Zdkp8hDsp8cBBxGRnmXOVuLuQ==
X-Received: by 10.13.203.202 with SMTP id n193mr6542894ywd.284.1484833807402; Thu, 19 Jan 2017 05:50:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.160.141 with HTTP; Thu, 19 Jan 2017 05:50:06 -0800 (PST)
In-Reply-To: <D4A63083.582EB%john.mattsson@ericsson.com>
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> <D4A59386.5822C%john.mattsson@ericsson.com> <CAMfhd9XQSi17mLKE1AFUa2ZG8nJq4MfccMomFm+0ctsKm_Ab9w@mail.gmail.com> <CAHP81y-6j9uE6t+axwej=Rd8cGxthcVHQ1jqALNAP30za2VKYw@mail.gmail.com> <D4A63083.582EB%john.mattsson@ericsson.com>
From: Shay Gueron <shay.gueron@gmail.com>
Date: Thu, 19 Jan 2017 05:50:06 -0800
Message-ID: <CAHP81y-wYHmVyGtrtkoW9nYWtpub=UOE-TzU89B8TeJZZopF-g@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary=001a114e72b2a40c34054672cf88
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/INxlURu_myiJAIsUCCqqj6QYs54>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 13:50:10 -0000

Dear John,

The bounds in the reference that I pointed to (re. the KDF) bound with the
max between the quadratic and linear term (and 1).

I agree with your comment about q=3. If a usage is supposed to send q=3
messages (i.e., q=3 different nonces) with one key, it makes no point to
have a KDF before GCM-SIV (regardless of its design). Better use GCM-SIV
directly (the one described in the CCS15 paper).

In fact, even for a usage that has only very short messages (e.g., key
wrapping), GCM-SIV can be used directly (no KDF) and with a fixed nonce.

However, AES-GCM-SIV is constructed by a KDF step before the GCM-SIV
processing, with the intention to extend the lifetime of a given key,
beyond 2^{32}, (as it is with GCM-SIV, as explained in the text). In such
cases, it is useful to have a KDF with a small bound on the distinguishing
advantage. We chose the one that is described in the spec.

Thanks, Shay


2017-01-19 0:22 GMT-08:00 John Mattsson <john.mattsson@ericsson.com>om>:

> Thanks Shay,
>
> See reply inline.
>
> Cheers,
> John
>
>
> From: Shay Gueron <shay.gueron@gmail.com>
> Date: Thursday, 19 January 2017 at 02:05
> To: Adam Langley <agl@imperialviolet.org>
> Cc: John Mattsson2 <john.mattsson@ericsson.com>om>, "cfrg@ietf.org" <
> cfrg@ietf.org>gt;, Shay Gueron <shay.gueron@gmail.com>
> Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
>
> Hello everyone,
>
>
> I will try to address, really briefly, two of the points raised here and
> deferred to me.
>
> The definition of POLYVAL: there is an inherent discrepancy in the
> definition of AES-GCM. 128-bit blocks need to be viewed as polynomials, and
> also as 16 bytes for input/output for AES (AES is defined over bytes). The
> way that the polynomials are defined leads to bytes that have the reverse
> order of bits, compared to how AES views a bytes. I will publish a
>  detailed paper on this issue. For now, there is some explanation in my
> talk at RWC 2011 [1].
> POLYVAL is defined in a way that is consistent with AES.
>
>
> The other topic is why truncate the AES (throw away half of the bits) when
> generating per-nonce keys. The idea is to get indistinguishabilityle bounds
> that do not have a term that is quadratic in the number of queries (like
> the ones we would get if we used all of the bits). Roughly speaking the
> truncation gets us a term that looks like q/2^(96) instead of q^2/2^{129}.
> The bounds and discussion can be seen at  [2].
>
>
> Asymptotically yes, but in this case we have q=2 and q=3 and any
> disadvantage of using a PRP should be negligible.
> In fact, if the above terms were true for small q (which they are likely
> not) the the then quadratic term is preferable as  2^2/2^{129} = 1/2^{127}
> << 2/2^{96} = 1/2^{95}
> Feels like doubling the amount of AES operations may be overkill and not
> worth the negligible security increase. GCM is popular for its performance,
> not for high security bounds.
>
>
>
> Anyway an organized paper with a statement on the security bounds, is
> going to come out in a paper that we are working on these very days. We
> will post it soon.
>
> Thank you, Shay
>
> [1] https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf
>
> [2] S. Gilboa, S. Gueron, “The Advantage of Truncated Permutations”,
> https://arxiv.org/abs/1610.02518   (submitted on 8 Oct 2016).
>
> 2017-01-18 16:13 GMT-08:00 Adam Langley <agl@imperialviolet.org>rg>:
>
>> On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson
>> <john.mattsson@ericsson.com> wrote:
>> > - In addition to listing the performance penalty compared to GCM. The
>> >   draft should also mention that compared to GCM, some nice properties
>> >   disappear:
>> >   - Neither Encryption nor Decryption is online as encryption/decryption
>> >     cannot start before the whole plaintext/ciphertext is known.
>>
>> I agree that this is true for encryption, but I don't believe that
>> AES-GCM should be *de*crypted in a streaming fashion, but rather that
>> records should be sized so that this isn't a problem. (At which point
>> the benefit for streaming encryption becomes small or moot.)
>>
>> I've a long spiel about the dangers of processing unauthenticated
>> ciphertext which I'll spare you :) But, even for small machines, the
>> memory needed to safely buffer the decrypted plaintext to avoid
>> releasing it before it's authenticated is equal to the memory to
>> buffer the ciphertext followed by decrypting in-place.
>>
>> So I actually quite like that the tag is at the end of the message
>> with AES-GCM-SIV because it makes it harder to do what I think is the
>> "wrong" thing.
>>
>> >   - GCM-SIV removes the possibility to preprocess static headers (AAD).
>>
>> Indeed.
>>
>> (I wasn't sure where to put these points in the spec so, for the
>> moment, I've added an appendix for "Additional comparisons with
>> AES-GCM". I'm collecting changes in GitHub before making a new
>> version. For this message, see
>> https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222
>> b7491c6212e818319.)
>>
>> > - “The result of the encryption is the resulting ciphertext (truncated
>> >    to the length of the plaintext) followed by the tag."
>> >
>> >   I suggest that the tag is placed first instead of last in the
>> >   ciphertext. This makes decryption online, which makes a large
>> >   difference. Suggestion:
>> >
>> >   “The result of the encryption is the tag followed by the ciphertext
>> >    (truncated to the length of the plaintext)"
>>
>> (See above.)
>>
>> >
>> >
>> > - "within 5% of the speed of AES-GCM."
>> >   Should state when this is the case, e.g. long plaintext/aad.
>>
>> Done.
>>
>> >
>> > - I think the draft should give performance data also for short
>> >   plaintexts/aad or even better list the performance in number of
>> >   operations:
>> >
>> >   GCM:
>> >     Block Cipher Operations = p + 1
>> >     GF(2^128) Multiplications = p + a + 1
>> >
>> >   GCM-SIV-128
>> >     Block Cipher Operations = p + 5
>> >     GF(2^128) Multiplications = p + a + 1
>> >
>> >   GCM-SIV-256
>> >     Block Cipher Operations = p + 7
>> >     GF(2^128) Multiplications = p + a + 1
>> >
>> >   (if I got it right...)
>>
>> I think that's correct and I've added that to the new appendix.
>>
>> >   Where p is the block length of the plaintext and a is the block length
>> >   of the additional authenticated data,
>> >
>> >   I doubt that encryption of short messages are anywhere near 5% of GCM.
>> >
>> > - The "++" and "[:8]" operation should probably be defined.
>>
>> Done.
>>
>> >
>> > - What it the security/performance tradeoff with truncation in the key
>> >   derivation? What would the security properties be if "[:8]" was
>> >   removed?
>>
>> I'll have to let Shay answer this, but the rough idea is that, since
>> AES is a permutation, not two ciphertexts can be equal given that
>> we're encrypting different plaintexts using the KDF phase. However,
>> ideally we would want a PRF where outputs can be the same. By taking
>> only the first eight bytes of each ciphertext block, we better
>> approximate a PRF.
>>
>> > - The definition of U32LE seems unnecessary and only adds complexity.
>> >   I suggest:
>> >     OLD "U32LE(3) ++ nonce"
>> >     NEW "03 ++ 000000 ++ nonce
>>
>> Good point.
>>
>> >
>> > - The term K1 is only used in Test Vectors. I guess it is an old term
>> >   that should be removed.
>>
>> Done.
>>
>> > Some editorials:
>>
>> Thank you for all these. They should be taken care of.
>>
>> > - OLD "The record-authentication key is 128-bit and the
>> >        record-authentication key"
>> >   NEW "The record-authentication key is 128-bit and the
>> >        record-encryption key"
>> >
>> > - "} else if bytelen(key-generating-key) == 32 {
>> >      record-encryption-key = AES128(key = key-generating-key,"
>> >
>> >   Should be AES256
>>
>> Indeed, and record-authentication-key is wrong too!
>>
>> > - Spacing around "+" and "*" are not consistent.
>> >
>> > - "the the"
>> >
>> > - yeilds
>> >
>> > - remainding
>> >
>> > - RFC7322 says "A comma is used before the last item of a series"
>>
>> I think I've leave this one to the RFC Editor!
>>
>>
>>
>> Cheers
>>
>> AGL
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>
>