Re: [Cfrg] Critique of AES-GCM-SIV

Marko Kreen <markokr@gmail.com> Fri, 17 February 2017 15:05 UTC

Return-Path: <markokr@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABC411294A7 for <cfrg@ietfa.amsl.com>; Fri, 17 Feb 2017 07:05:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0UXcor5MsE0c for <cfrg@ietfa.amsl.com>; Fri, 17 Feb 2017 07:05:23 -0800 (PST)
Received: from mail-lf0-x243.google.com (mail-lf0-x243.google.com [IPv6:2a00:1450:4010:c07::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3D16126BF7 for <cfrg@irtf.org>; Fri, 17 Feb 2017 07:05:22 -0800 (PST)
Received: by mail-lf0-x243.google.com with SMTP id z127so1676011lfa.2 for <cfrg@irtf.org>; Fri, 17 Feb 2017 07:05:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=9RiXnDKq9s0WGPhgQdA1kmsQsLzW8JAHdNM1PJSrl7k=; b=iQqi8s3LhuaNJBK5mxe43QtC2WvpNgMHyV6gC7o8BZqwDystIf40PuBP62nnYu6Ljm cruqju5mH95eqouun/uZj1/HgfvlqK3pnvO/gSdwEyH1/QamMoK7YAMQNW0JA+NzwJRX HpasK8Plr8TzBKQ+oO3Nx7ol8dP1VBnrZ5hPoDMpfO+t5aV5gTAH5K+V2eDoSKgAmlGR XTDR5TFTH8AzassfQDKMOWXOnpezJPJ+RXwoH3kb/wNjcrAZ3Cg4tEIJwBvFmzVyxOCF xig56x/ToCAfizhlXQGZ8ZOuAdegUxVB8PE0PRPrLaAHspUAJqJnZrCYlUcPkpaw9FH/ vCkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=9RiXnDKq9s0WGPhgQdA1kmsQsLzW8JAHdNM1PJSrl7k=; b=ciM7lBhHeWrULpyL5JJIyNRbABqKMh7Gmwk0tdeNRonYbcpRlhjIB934p/VB98+hIw +G92L0BOiSZhx4Z1e8sX1asl0IT2oTF1NwD4u80HweXOhz/mXJ8QlDtWLTiZ7zCUCrLU jQCVOs//JDxAUlPTUm/tb+/np1GyY5tjtmHXMDqpt7029v8EdxZNXFywWN0jknIedIn5 yia2VfIEpGQVcvyGuCjBvbh/tY82fJrVwjYOy6R2KgcUwCCIQIgJHFmC8U/Td1KdEvHP ownZ4kB70zHl2Nw4kAE0rGSV1zdajDO85/lvYcO2zX37V3rrNtwx6LlYifrTWt3YjTYv 5k3A==
X-Gm-Message-State: AMke39lvEVrpbSp7eNb6V85nHRLn4nhkw9+06UOcGvE2tDO/FDBNSUzH4wl1KE1S5ow54A==
X-Received: by 10.25.44.21 with SMTP id s21mr2422425lfs.56.1487343921118; Fri, 17 Feb 2017 07:05:21 -0800 (PST)
Received: from gmail.com (138.246.50.84.sta.estpak.ee. [84.50.246.138]) by smtp.gmail.com with ESMTPSA id 187sm2559560ljf.12.2017.02.17.07.05.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Feb 2017 07:05:20 -0800 (PST)
Date: Fri, 17 Feb 2017 17:05:18 +0200
From: Marko Kreen <markokr@gmail.com>
To: Aaron Zauner <azet@azet.org>
Message-ID: <20170217150518.GA23850@gmail.com>
References: <20170217000247.GB23785@gmail.com> <CAPqF7e2xFVqbw0cCi4468_Ag+Lp4QuXPMaR2cNsU4m_F7hFppQ@mail.gmail.com> <20170217125255.GA16732@gmail.com> <D5AC33AD-0FC1-48FD-AB97-27B31730454D@azet.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <D5AC33AD-0FC1-48FD-AB97-27B31730454D@azet.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KLwdyeZ-BZ9SmXwWTm2RM8Tkhs0>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Critique of AES-GCM-SIV
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2017 15:05:24 -0000

On Fri, Feb 17, 2017 at 04:23:16PM +0200, Aaron Zauner wrote:
> 
> > On 17 Feb 2017, at 14:52, Marko Kreen <markokr@gmail.com> wrote:
> > 
> > On Fri, Feb 17, 2017 at 11:00:56AM +0100, Daniel Bleichenbacher wrote:
> >> On Fri, Feb 17, 2017 at 1:02 AM, Marko Kreen <markokr@gmail.com> wrote:
> >>> I have reviewed the AES-GCM-SIV proposal (draft 3).  And while there
> >>> are parts I like - overall direction to higher security and
> >>> getting rid of GCM bitflipping - current design feels "ugly".
> >>> (That's a cryptographic term.)
> > 
> >> I actually don't know what "ugly" means as a cryptographic term.
> > 
> > Well, it was supposed to be a joke...
> > 
> >> My guess would something like difficult to formally analyze.
> > 
> > But I think we are mostly on same page.  My main complaint was that
> > if it's nonce-misuse-resistant mode, then why does nonce misuse
> > have such a big effect on behaviour: on one case message is protected
> > by fresh key and counter, on other case only fresh counter.
> 
> Quick comment: This came up in an earlier thread on that topic
> already, I've also brought it up last spring. I think for this I-D in
> it's current form "nonce misuse resistant" might not be the best term
> (too strong, many people assume you can do what you want with the
> nonce with such a construction -- which certainly isn't the case for
> AES-GCM-SIV as proposed here). "nonce-misuse tolerant" came up and
> other suggestions. I haven't seen an update yet.

I'm not complaining about security level as their goal is to replace
AES-GCM, so anything better is a win.

Although better categorization may be good idea, I still feel current
approach can be categorized as "clumsy":

- AEAD with synthesized key and IV when master key or nonce are unique.
- AEAD with only synthesized IV when master key and nonce repeat.

Clearer would be just one mode which does not change category if nonce
repeats:

- AEAD with just synthesized IV (like AES-SIV), no rekey.
- AEAD with synthesized key and IV.

If there is already decision that rekey is OK, then I think it's better
to take time and synthesize both key and IV properly, thus
achieve full nonce misuse resistance.

-- 
marko