Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Fedor Brunner <fedor.brunner@azet.sk> Wed, 20 April 2016 07:18 UTC

To: Taylor R Campbell <campbell+cfrg@mumble.net>
References: <20160420021208.5285C6031B@jupiter.mumble.net>
From: Fedor Brunner <fedor.brunner@azet.sk>
Message-ID: <57172D46.5060505@azet.sk>
Date: Wed, 20 Apr 2016 09:18:30 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/L-CRLMZSC8RbDQZ7iC2QcHIjVgw>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Taylor R Campbell:
>    Date: Mon, 18 Apr 2016 09:21:56 +0200
>    From: Fedor Brunner <fedor.brunner@azet.sk>
> 
>    Adam Langley:
>    > But there are situations where nonce management is a problem (i.e.
>    > where there are multiple machines encrypting with a single key) and,
>    > for that, I think AES-GCM-SIV is pretty attractive because one can
>    > reasonably use a random nonce.
> 
>    https://cr.yp.to/papers.html#xsalsa
> 
>    XSalsa20 is the Salsa20 cipher with the nonce extended to 192 bits. So there is
>    no need to manage nonces; they can be generated with an RNG. Could you
>    please describe applications where you would prefer AES-GCM-SIV over
>    XSalsa20+Poly1305?
> 
> For NaCl crypto_secretbox_xsalsa20poly1305, nonce reuse -- e.g., due
> to a buggy random number generator -- is catastrophic: an eavesdropper
> learns the xor of two unknown-plaintext messages, or the content of
> one unknown-plaintext message given one known-plaintext message, and
> can forge arbitrarily many future messages.
For most applications you want to have forward secrecy. To have forward
secrecy you need to generate ephemeral keys using a working random number
generator. So most applications already require a correctly working RNG.
> 
> For AES-GCM-SIV, nonce reuse enables the attacker to distinguish
> duplicate messages from distinct messages, but is not otherwise
> harmful.
> 
> Resistance to nonce reuse for AEAD is part of why there is an entire
> AES-style crypto competition dedicated to AEAD schemes, CAESAR
> <https://competitions.cr.yp.to/caesar.html>.  AES-GCM-SIV was not
> submitted because it was put together too recently.
> 
> The creators of AES-GCM-SIV and chairs of the CFRG evidently decided
> that it would be better to sidestep the competition and endorse crypto
> that is, lacking hardware support, either unusably slow or vulnerable
> to timing side channels, recommending it for general-purpose use on
> the internet.
I think a note about side channels should be added to Section 9 Security
Considerations.
> 
> It's easy to say `all the hardware now supports it'.  It's much harder
> to audit all the applications you're using to confirm that they
> actually take advantage of the hardware support across umpteen layers
> of software abstractions and do not render your keys vulnerable to
> extraction by someone over the internet with a watch.
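As an added illustration (not code from NaCl, the AES-GCM-SIV draft, or either poster), the two nonce-reuse outcomes described above: an HMAC-SHA256 counter-mode keystream stands in for XSalsa20/AES-CTR, a simplified synthetic-IV shape stands in for AES-GCM-SIV, and the key, nonce and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values (assumptions for this illustration, not from the thread).
KEY = bytes(range(32))
NONCE = b"\x02" * 24
M1 = b"attack at dawn"
M2 = b"retreat at 5am"  # same length as M1 so the XOR relation covers the whole message


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode. The nonce-reuse argument
    does not depend on which stream cipher produces the keystream."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """secretbox-style shape: the keystream depends on (key, nonce) only."""
    return xor(msg, keystream(key, nonce, len(msg)))


def siv_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """SIV-style shape: a synthetic IV (tag) over nonce and plaintext is computed
    first, and that tag, not the bare nonce, drives the keystream."""
    tag = hmac.new(key, b"tag" + nonce + msg, hashlib.sha256).digest()[:16]
    return tag + xor(msg, keystream(key, tag, len(msg)))


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """What an eavesdropper learns from two stream-cipher messages under one
    (key, nonce): c1 XOR c2 == m1 XOR m2, so knowing m1 yields m2 with no key."""
    c1, c2 = stream_encrypt(key, nonce, m1), stream_encrypt(key, nonce, m2)
    return xor(xor(c1, c2), m1)


def siv_reuse_observation(key: bytes, nonce: bytes, m1: bytes, m2: bytes):
    """Under the SIV shape, repeating (nonce, plaintext) repeats the ciphertext
    (duplicates are visible), but distinct plaintexts get unrelated keystreams,
    so the ciphertext XOR does not reveal m1 XOR m2."""
    c1, c1_again, c2 = (siv_encrypt(key, nonce, m) for m in (m1, m1, m2))
    n = min(len(m1), len(m2))
    body_xor = xor(c1[16:16 + n], c2[16:16 + n])
    return c1 == c1_again, body_xor == xor(m1[:n], m2[:n])
```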