Re: [Cfrg] AES GCM SIV analysis

Watson Ladd <> Tue, 31 January 2017 00:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A4BD9129771 for <>; Mon, 30 Jan 2017 16:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ePwdpaamMSSc for <>; Mon, 30 Jan 2017 16:39:15 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8563412973D for <>; Mon, 30 Jan 2017 16:39:15 -0800 (PST)
Received: by with SMTP id b65so57657626wmf.0 for <>; Mon, 30 Jan 2017 16:39:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6jJINCK+nuHRq5EiF2dchE7I3ii8QCJ/px3WPLfKY54=; b=P8tiXqYMT6YTlG764T73RyWYG8LGrpvUITF3M6drWUNXUN8YufMbqw1HNDuPRlD7Zi 5i1FmnPXfD1QGSd8/9dN1yRm6JgNleM2PVLatc+NjRilfUbSbajJFqjYwLGxPMjoVhxS PcL3kNh7gGjYamYsqsHufw3ncDXTDXHNtZTGSNgoNpkrK3igjFYHGwFlMKCadlQrfSk3 9dNH6ifK65h3Uuwo4OUU4WbSj4CblKQ1YFxseyeH1Dzow3pxDBduxlJWsRKJB/yrh8t/ Q2yk9ctpxZMafidOQWMmNA9En+hSvFBXeD6M1YfrBa7aImd2k5ZBJw5aLpJpshMkYHIV Shcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6jJINCK+nuHRq5EiF2dchE7I3ii8QCJ/px3WPLfKY54=; b=QgJ47gB4SKBB5Z0LZw0+/O2v46fROeZ3EZGd5Hj5mtr0xgSrS36521D/RHMgLbGZpP lFReXEZ6ZqrfwRdl2qKrIlxBsk2qT3dujF7738yMOILaMw/W0xgHx4W0w21suhbUOb3x fBErCYnS194hjnybNcMLaKHlSojoqa4xpOx48FoTu4yrXCKWrj0wbt2krnPQ9i4ts8UE uN1KAjYu0CZikfUcRM6XdnL22NaUnF+EHHEO3KWCXx1cE7DRxld/pMHa4+NsxZweAQvN RROBCU8wRhgCWmev8HWVl6GwUTW0dp+XKnxtau96afLdoa7kkDdaRcM7vebUfXt/ASRT isAg==
X-Gm-Message-State: AIkVDXLIEztbiuox66M6SS+BIxoFX7k+ZGN4L3u7kPn7QvHzMic+xCWi3E8nUChL5LLdxPtfEbWBqh8MNJrNDA==
X-Received: by with SMTP id m9mr15670009wmf.79.1485823153812; Mon, 30 Jan 2017 16:39:13 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 30 Jan 2017 16:39:13 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Watson Ladd <>
Date: Mon, 30 Jan 2017 16:39:13 -0800
Message-ID: <>
To: Alex Cope <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: Adam Langley <>, "" <>
Subject: Re: [Cfrg] AES GCM SIV analysis
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 31 Jan 2017 00:39:17 -0000

On Mon, Jan 30, 2017 at 1:58 PM, Alex Cope <> wrote:
> I'm also unconvinced that defining POLYVAL as modulo x^128 + x^127 + x^126 +
> x^121 + 1 is better than defining it modulo x^128 + x^7 + x^2 + x + 1.
> My reasons for thinking that  x^128 + x^7 + x^2 + x + 1 is a better reducing
> polynomial are:
> 1) On X86, no performant implementation of POLYVAL will reduce to GHASH, as
> that would result in unnecessarily byte swapping twice then calling
> PCLMULQDQ. The same seems true for any implementation in a little-endian
> machine.

I think it is important to look at how endianness matters in
polynomial arithmetic. GHASH takes the least
significant bit of a byte to be x^7, then takes a sequence of bytes
(a_0, a_1, \ldots a_15) to represent
a_0+a_1*x^8+a_2*x^16+\ldots+a_15*x^120. This is "little-endian": the
least significant byte is lowest. However,
it is an independent choice from the representation and layout of
words in memory.

Intel's implementation of GHASH does not reflect bytes, nor is byte
reflection sufficient in a naive implementation. For
details see:

It's true that the specified polynomial doesn't have a Barret friendly
form. But the division by 128 naturally falls out of a Montgomery
based approach: precompute H*x^-8, then perform a multiplication add a
multiple of p(x) to clear out from x^0 to x^120, then shift down by a
whole number of bytes. The
multiplication by p(x) can be written as (x^8+x^7+x^6+x^1)*x^120+1 to
show that we don't need that many invocations of multiply. (Also, the
operations are linear: there are many ways to reduce the number of

> 2) If the concern is making a less performance sensitive implantation of
> GCM-SIV easier to write given a GCM implantation, the relationship between
> POLYVAL as currently defined and GHASH does help slightly. However,
> implementing finite field multiplication with POLYVAL'S byte ordering modulo
> x^128 + x^7 + x^2 + x + 1 given a reference GHASH implementation is quite
> easy*, and most accidental errors in such implementation will be detected by
> test vectors.  Thus I don't think the current design choice makes GCM-SIV
> substantially easier to implement correctly.
> 3) x^128 + x^7 + x^2 + x + 1 is more 'natural' as as the lexicography first
> irreducible polynomial.  It seems likely that future work that relies on
> finite field multiplication will opt to use the byte ordering of POLYVAL
> because it makes the most sense on little endian machines, and will also
> reduce modulo  x^128 + x^7 + x^2 + x + 1.  I doubt anyone else will want to
> use GHASH as currently defined, but if it were defined modulo x^128 + x^7 +
> x^2 + x + 1, the implementation could be nicely reused. I think that in the
> long term this will lead to more code reuse than having POLYVAL as a one off
> finite field representation.
> If you are strongly concerned reusing dedicated hardware or big-endian
> implementations of GHASH then the current design makes some sense as a
> compromise, but I'm unaware of such requirements.

I don't know what "big-endian" is supposed to mean here. But yes,
reusing polynomial and field specific hardware is important on devices
which aren't Intel chips, many of which will want to use hardcoded
keys and may not be able to generate nonces effectively.

> Regards
> -Alex
> *I did it recently for a table-based implementation. You can look at the
> patch here:
> On Fri, Jan 27, 2017 at 12:21 PM, Adam Langley <>
> wrote:
>> On Thu, Jan 26, 2017 at 6:26 PM, Dan Harkins <> wrote:
>> >   But that is the definition used in the seminal work on the matter,
>> > [1].
>> > If you want to have a different notion concerning a lesser restriction
>> > on
>> > nonce reuse then you should use a different term.
>> That paper formalises an advantage that an attacker might have over an
>> ideal scheme. In the same way that block ciphers aren't ideal PRFs,
>> nonce-misuse-resistant schemes aren't hitting that ideal either. RFC
>> 5297 doesn't hit it, at minimum because it'll run out of counter-space
>> after enough messages. AES-GCM-SIV isn't hitting it either.
>> But that doesn't mean that they aren't practically useful.
>> I'm not sure what an ideal NMR AEAD would look like, but it's probably
>> quite different to both RFC 5297 and AES-GCM-SIV and probably looks
>> like a wide-block construction. If someone can point at something they
>> think does hit it, that would be interesting to me at least. (Although
>> perhaps it's well trodden ground for those who are more familiar with
>> the literature than I.)
>> >   Which brings up a question I've resisted asking: Why are you doing
>> > this?
>> >
>> >   If you want to have an AEAD scheme that is nonce-misuse resistant that
>> > can use a fast(er) authentication scheme then why not just do RFC 5297
>> > with GHASH instead of AES-CMAC?
>> AES-GCM has lead to a state of the world where our large machines,
>> which need to encrypt and decrypt lots of data, end up having hardware
>> support for AES and GF(128) operations. We would like to take
>> advantage of that because it's hard to beat the speed and power
>> efficiency of dedicated hardware, but sometimes we want not to have to
>> worry about nonces.
>> > You're defining a new irreducible
>> > polynomial that, to my knowledge, is not in existing hardware the way
>> > that PCLMULQDQ using x^128 + x^7 + x^2 + x + 1, is in Intel chips.
>> PCLMULQDQ (and other hardware implementations, to my knowledge) is not
>> specific to that polynomial. Also, the polynomial in AES-GCM-SIV is
>> that polynomial, just with some ordering oddities addressed. See
>> > You're defining a(nother) KDF /inside/ the cipher mode itself instead of
>> > just letting a KDF, which all users of AES-GCM-SIV will use, generate a
>> > double-wide key. And I don't see the reason for either.
>> Our KDF is per-nonce; it's not the same as having a double-width key
>> and partitioning it internally. We do this in order to get better
>> bounds when encrypting very large numbers of messages.
>> Cheers
>> AGL
>> _______________________________________________
>> Cfrg mailing list
> _______________________________________________
> Cfrg mailing list

"Man is born free, but everywhere he is in chains".