Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
Shay Gueron <shay.gueron@gmail.com> Thu, 19 January 2017 13:50 UTC
Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCDE1295BB for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 05:50:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltMsevnSqYiW for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33F5E1294A1 for <cfrg@ietf.org>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
Received: by mail-yw0-x232.google.com with SMTP id l19so33556895ywc.2 for <cfrg@ietf.org>; Thu, 19 Jan 2017 05:50:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=h22jKIsb2OuxoRLPDLgl7KmwxAPQucx/5Uc6YcDJZaM=; b=NUr6ej8SFPIhZDbpcqO3rKGi/Ag3ppFNBwbLJ0auvPHsmdPpse6pXFRb8EcfqmSSUo Nys57gSdzrdzbA8cgQQEW/JBGLpEN3M+QA/hRzlEwL1x6oo4uokLpKMkmoWZS6kePEbP ZzxrcLXyonAhsz0/aXm9VYQRTgPyz+5kA1j+WnBAPJSx7sykFRRsxftx56N8/Hoolbui A8dJ0PBiCpwm7yRgse0bGxS//enjHS/bDDwIGv6AHLR11MWBpfASodcaUmJMCvBFBTyx 7vaopA3KoPlcZX39TIOoUiKuwmpMabQGONM1/nemUVd3PxYbvWcbDaBjADu9Ao+a5NCH Ps/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=h22jKIsb2OuxoRLPDLgl7KmwxAPQucx/5Uc6YcDJZaM=; b=XKv7dcrxq3aD9nXvP/eWTvdt+fQCPWCBfLKFjE6tTWUnPhiQL07Fv5vuU9yXTl32Ai XSgyozrUunTKMcHln/zdJFn8b04EfG3NnCurvPHchAqIYSS09ZwYpOAr2H2uSTUj31mx Q1wvzcyHp8TrUHESuN+y2zthavNIVcaXy65vzBEL7T1cH+tcbntyD+N6LtwQ+ekSsoFM AP0RlunKhR+c6OUT4BzRxIAkPfkM9Ng5vooayKT6dKr+ce86ruSRFBDEcHi8S588i8Iy CGnCjb/RZpciIoSQAIKNSAIqVPicsOiMXLcJcGf5Xkdd1zIVXj9bCx9UxUxWOntc/WT8 9ZQg==
X-Gm-Message-State: AIkVDXL75hd7bNpkwKY1ZaQJstjXSAIinG1Le20CDmuaBZ01J4B3zPb2oP0P/Zdkp8hDsp8cBBxGRnmXOVuLuQ==
X-Received: by 10.13.203.202 with SMTP id n193mr6542894ywd.284.1484833807402; Thu, 19 Jan 2017 05:50:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.160.141 with HTTP; Thu, 19 Jan 2017 05:50:06 -0800 (PST)
In-Reply-To: <D4A63083.582EB%john.mattsson@ericsson.com>
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> <D4A59386.5822C%john.mattsson@ericsson.com> <CAMfhd9XQSi17mLKE1AFUa2ZG8nJq4MfccMomFm+0ctsKm_Ab9w@mail.gmail.com> <CAHP81y-6j9uE6t+axwej=Rd8cGxthcVHQ1jqALNAP30za2VKYw@mail.gmail.com> <D4A63083.582EB%john.mattsson@ericsson.com>
From: Shay Gueron <shay.gueron@gmail.com>
Date: Thu, 19 Jan 2017 05:50:06 -0800
Message-ID: <CAHP81y-wYHmVyGtrtkoW9nYWtpub=UOE-TzU89B8TeJZZopF-g@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary="001a114e72b2a40c34054672cf88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/INxlURu_myiJAIsUCCqqj6QYs54>
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 13:50:10 -0000
Dear John, The bounds in the reference that I pointed to (re. the KDF) bound with the max between the quadratic and linear term (and 1). I agree with your comment about q=3. If a usage is supposed to send q=3 messages (i.e., q=3 different nonces) with one key, it makes no point to have a KDF before GCM-SIV (regardless of its design). Better use GCM-SIV directly (the one described in the CCS15 paper). In fact, even for a usage that has only very short messages (e.g., key wrapping), GCM-SIV can be used directly (no KDF) and with a fixed nonce. However, AES-GCM-SIV is constructed by a KDF step before the GCM-SIV processing, with the intention to extend the lifetime of a given key, beyond 2^{32}, (as it is with GCM-SIV, as explained in the text). In such cases, it is useful to have a KDF with a small bound on the distinguishing advantage. We chose the one that is described in the spec. Thanks, Shay 2017-01-19 0:22 GMT-08:00 John Mattsson <john.mattsson@ericsson.com>: > Thanks Shay, > > See reply inline. > > Cheers, > John > > > From: Shay Gueron <shay.gueron@gmail.com> > Date: Thursday, 19 January 2017 at 02:05 > To: Adam Langley <agl@imperialviolet.org> > Cc: John Mattsson2 <john.mattsson@ericsson.com>, "cfrg@ietf.org" < > cfrg@ietf.org>, Shay Gueron <shay.gueron@gmail.com> > Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt > > Hello everyone, > > > I will try to address, really briefly, two of the points raised here and > deferred to me. > > The definition of POLYVAL: there is an inherent discrepancy in the > definition of AES-GCM. 128-bit blocks need to be viewed as polynomials, and > also as 16 bytes for input/output for AES (AES is defined over bytes). The > way that the polynomials are defined leads to bytes that have the reverse > order of bits, compared to how AES views a bytes. I will publish a > detailed paper on this issue. For now, there is some explanation in my > talk at RWC 2011 [1]. > POLYVAL is defined in a way that is consistent with AES. > > > The other topic is why truncate the AES (throw away half of the bits) when > generating per-nonce keys. The idea is to get indistinguishabilityle bounds > that do not have a term that is quadratic in the number of queries (like > the ones we would get if we used all of the bits). Roughly speaking the > truncation gets us a term that looks like q/2^(96) instead of q^2/2^{129}. > The bounds and discussion can be seen at [2]. > > > Asymptotically yes, but in this case we have q=2 and q=3 and any > disadvantage of using a PRP should be negligible. > In fact, if the above terms were true for small q (which they are likely > not) the the then quadratic term is preferable as 2^2/2^{129} = 1/2^{127} > << 2/2^{96} = 1/2^{95} > Feels like doubling the amount of AES operations may be overkill and not > worth the negligible security increase. GCM is popular for its performance, > not for high security bounds. > > > > Anyway an organized paper with a statement on the security bounds, is > going to come out in a paper that we are working on these very days. We > will post it soon. > > Thank you, Shay > > [1] https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf > > [2] S. Gilboa, S. Gueron, “The Advantage of Truncated Permutations”, > https://arxiv.org/abs/1610.02518 (submitted on 8 Oct 2016). > > 2017-01-18 16:13 GMT-08:00 Adam Langley <agl@imperialviolet.org>: > >> On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson >> <john.mattsson@ericsson.com> wrote: >> > - In addition to listing the performance penalty compared to GCM. The >> > draft should also mention that compared to GCM, some nice properties >> > disappear: >> > - Neither Encryption nor Decryption is online as encryption/decryption >> > cannot start before the whole plaintext/ciphertext is known. >> >> I agree that this is true for encryption, but I don't believe that >> AES-GCM should be *de*crypted in a streaming fashion, but rather that >> records should be sized so that this isn't a problem. (At which point >> the benefit for streaming encryption becomes small or moot.) >> >> I've a long spiel about the dangers of processing unauthenticated >> ciphertext which I'll spare you :) But, even for small machines, the >> memory needed to safely buffer the decrypted plaintext to avoid >> releasing it before it's authenticated is equal to the memory to >> buffer the ciphertext followed by decrypting in-place. >> >> So I actually quite like that the tag is at the end of the message >> with AES-GCM-SIV because it makes it harder to do what I think is the >> "wrong" thing. >> >> > - GCM-SIV removes the possibility to preprocess static headers (AAD). >> >> Indeed. >> >> (I wasn't sure where to put these points in the spec so, for the >> moment, I've added an appendix for "Additional comparisons with >> AES-GCM". I'm collecting changes in GitHub before making a new >> version. For this message, see >> https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222 >> b7491c6212e818319.) >> >> > - “The result of the encryption is the resulting ciphertext (truncated >> > to the length of the plaintext) followed by the tag." >> > >> > I suggest that the tag is placed first instead of last in the >> > ciphertext. This makes decryption online, which makes a large >> > difference. Suggestion: >> > >> > “The result of the encryption is the tag followed by the ciphertext >> > (truncated to the length of the plaintext)" >> >> (See above.) >> >> > >> > >> > - "within 5% of the speed of AES-GCM." >> > Should state when this is the case, e.g. long plaintext/aad. >> >> Done. >> >> > >> > - I think the draft should give performance data also for short >> > plaintexts/aad or even better list the performance in number of >> > operations: >> > >> > GCM: >> > Block Cipher Operations = p + 1 >> > GF(2^128) Multiplications = p + a + 1 >> > >> > GCM-SIV-128 >> > Block Cipher Operations = p + 5 >> > GF(2^128) Multiplications = p + a + 1 >> > >> > GCM-SIV-256 >> > Block Cipher Operations = p + 7 >> > GF(2^128) Multiplications = p + a + 1 >> > >> > (if I got it right...) >> >> I think that's correct and I've added that to the new appendix. >> >> > Where p is the block length of the plaintext and a is the block length >> > of the additional authenticated data, >> > >> > I doubt that encryption of short messages are anywhere near 5% of GCM. >> > >> > - The "++" and "[:8]" operation should probably be defined. >> >> Done. >> >> > >> > - What it the security/performance tradeoff with truncation in the key >> > derivation? What would the security properties be if "[:8]" was >> > removed? >> >> I'll have to let Shay answer this, but the rough idea is that, since >> AES is a permutation, not two ciphertexts can be equal given that >> we're encrypting different plaintexts using the KDF phase. However, >> ideally we would want a PRF where outputs can be the same. By taking >> only the first eight bytes of each ciphertext block, we better >> approximate a PRF. >> >> > - The definition of U32LE seems unnecessary and only adds complexity. >> > I suggest: >> > OLD "U32LE(3) ++ nonce" >> > NEW "03 ++ 000000 ++ nonce >> >> Good point. >> >> > >> > - The term K1 is only used in Test Vectors. I guess it is an old term >> > that should be removed. >> >> Done. >> >> > Some editorials: >> >> Thank you for all these. They should be taken care of. >> >> > - OLD "The record-authentication key is 128-bit and the >> > record-authentication key" >> > NEW "The record-authentication key is 128-bit and the >> > record-encryption key" >> > >> > - "} else if bytelen(key-generating-key) == 32 { >> > record-encryption-key = AES128(key = key-generating-key," >> > >> > Should be AES256 >> >> Indeed, and record-authentication-key is wrong too! >> >> > - Spacing around "+" and "*" are not consistent. >> > >> > - "the the" >> > >> > - yeilds >> > >> > - remainding >> > >> > - RFC7322 says "A comma is used before the last item of a series" >> >> I think I've leave this one to the RFC Editor! >> >> >> >> Cheers >> >> AGL >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > >
- [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Brian Smith
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Shay Gueron
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Richard Outerbridge
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Shay Gueron
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Dang, Quynh (Fed)
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Dang, Quynh (Fed)