Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Andy Lutomirski <luto@amacapital.net> Thu, 31 March 2016 02:23 UTC

In-Reply-To: <1893951588-3704@skroderider.denisbider.com>
References: <1893951588-3704@skroderider.denisbider.com>
Date: Wed, 30 Mar 2016 19:23:13 -0700
Message-ID: <CALCETrW7ew_inZdFDxSgcDER-4wcgAoN_8Tr9-ZgBy+cwLb8HA@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
To: denis bider <ietf-cfrg@denisbider.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/L-TXZ4MEqCP68B1F7UbDIu7HdeQ>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

On Mar 30, 2016 9:56 PM, "denis bider" <ietf-cfrg@denisbider.com> wrote:
>
> I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to derive the final encryption key.
>
> Regardless of the original input key size, the encryption key is derived in a way that, at some point, is reduced to 128 bits of entropy.
>
> I find this to be a good point, and indeed, a plausible concern.
>

If true, it may even be a fairly large concern.  If each message uses a
separate 128-bit key, then this could plausibly be subject to the type of
parallel attack djb loves talking about where each *message* is a target.
That would make collecting 2^64 or so potentially interesting ciphertexts
considerably easier than with most modes.

But it looks like the key is just a normal key.

--Andy

>
>
> ----- Original Message -----
> From: Tony Arcieri
> Sent: Wednesday, March 30, 2016 19:11
> To: Dan Harkins
> Cc: Yehuda Lindell ; cfrg@irtf.org ; Adam Langley
> Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
>
> On Wed, Mar 30, 2016 at 12:22 PM, Dan Harkins <dharkins@lounge.org> wrote:
>> Would you agree that AEAD_AES_256_GCM_SIV provides no more
>> security than AEAD_AES_128_GCM_SIV? I say this because the
>> authentication key is 128-bits regardless
>
> I disagree with this. 128 bits of symmetric security is fine today. The threats where you might want 256-bit encryption are things like hypothetical future quantum computers which are able to use Grover's algorithm.
>
> Encryption needs to stand the test of time. Authentication has less burdensome demands. If it's possible to pull off an online chosen ciphertext attack after the advent of quantum computers which can use Grover's algorithm to break 128-bit crypto (10+ years in the future maybe?), the story might be different, but for long-term confidentiality of ciphertexts I think a larger key size for a symmetric cipher is more important.
>
> The same argument can be applied to digital signatures and quantum cryptography: they matter less than encryption, because we can re-sign data if a quantum attack seems imminent, but if a quantum attacker already has access to ciphertexts there's nothing we can do.
>
> --
>
> Tony Arcieri
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
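The "parallel attack where each message is a target" that Andy refers to is the multi-target (multi-key) key search. The derivation below is added here for readers of the archive and is not part of any message in the thread. It assumes T ciphertexts encrypted under independent, uniformly random k-bit keys, and that a correct key for any one of the messages can be recognised (for example from a known plaintext block), which is the standard model for this bound.

$$
\Pr\big[\text{at least one of the } T \text{ keys is found after } N \text{ distinct guesses}\big]
= 1 - \left(1 - \frac{N}{2^{k}}\right)^{T} \approx \frac{N\,T}{2^{k}} \qquad (N\,T \ll 2^{k}),
$$

so a constant success probability is reached after about $N \approx 2^{k}/T$ guesses. Each guess costs one block-cipher evaluation plus one lookup in a table holding the T known-plaintext encryptions, so the attacker's work is roughly $2^{k}/T$ block operations with $T$ entries of memory. With $k = 128$ and $T = 2^{64}$ this is about $2^{64}$ block operations, which is why per-message keys with only 128 bits of entropy would be the concern raised above; with $k = 256$ and the same $T$ the bound is $2^{256}/2^{64} = 2^{192}$, so per-message keys that keep the full 256 bits of entropy give up nothing of practical importance to this attack.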