Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces

"David McGrew (mcgrew)" <> Fri, 24 February 2017 12:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 18FA5129D65 for <>; Fri, 24 Feb 2017 04:26:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KxLF_nSc4CyE for <>; Fri, 24 Feb 2017 04:26:38 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5D3671296D1 for <>; Fri, 24 Feb 2017 04:26:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=5798; q=dns/txt; s=iport; t=1487939198; x=1489148798; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=VSePYKds/J+Ff/jxjOAnRIV5+0l+UEGUg4nwWEqhlls=; b=ULBsOGAsORip9ftqYifTa0Mws4MyFXPbG0U8Oq0vpVIRBrLmZ1h+CjKf JdTaMnJYdLy5Mh6fCM3evNTaBbi1a6+o6fMPtFoEm4rPax2hpbBp50DPg tKKeRMMHKDbftMxWjaIpVIBlSmj3D1dM0bFjQbJnJdBE6yiyO0Hq5JFo9 w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.35,200,1484006400"; d="scan'208";a="202192637"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 24 Feb 2017 12:26:37 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id v1OCQbmM027015 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 24 Feb 2017 12:26:37 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 24 Feb 2017 06:26:36 -0600
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Fri, 24 Feb 2017 06:26:36 -0600
From: "David McGrew (mcgrew)" <>
To: Dan Harkins <>, "" <>
Thread-Topic: [Cfrg] RFC 5297 and absent vs. zero-length nonces
Thread-Index: AQHSjipTl+Ef8WslxECa2966+7UoSqF3zimAgABYwAA=
Date: Fri, 24 Feb 2017 12:26:36 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Cfrg] RFC 5297 and absent vs. zero-length nonces
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Feb 2017 12:26:40 -0000

Hi Dan,

RFC 5116 does allow zero-length nonces and provide guidance around their use.   From that doc:

      A nonce N.  Each nonce provided to distinct invocations of the
      Authenticated Encryption operation MUST be distinct, for any
      particular value of the key, unless each and every nonce is zero-
      length.  Applications that can generate distinct nonces SHOULD use
      the nonce formation method defined in Section 3.2, and MAY use any
      other method that meets the uniqueness requirement.  Other
      applications SHOULD use zero-length nonces.

   Each AEAD algorithm MUST accept any nonce with a length between N_MIN
   and N_MAX octets, inclusive, where the values of N_MIN and N_MAX are
   specific to that algorithm.  The values of N_MAX and N_MIN MAY be
   equal.  Each algorithm SHOULD accept a nonce with a length of twelve
   (12) octets.  Randomized or stateful algorithms, which are described
   below, MAY have an N_MAX value of zero.

Clearly SIV modes can and should set N_MIN to zero.  I guess the N_MIN=1 got missed during the review of RFC 5297.  (I recall discussing the N_MAX guidance during the review process, but I think N_MIN went unnoticed.)

If N_MIN can be changed in RFC 5297 from 1 to 0 with an Errata, that would be the best way to go.   Otherwise, I suggest creating new IANA entries for the existing SIV modes that reference that RFC, but change N_MIN to zero.    



On 2/23/17, 9:08 PM, "Cfrg on behalf of Dan Harkins" < on behalf of> wrote:

>   Hi Daniel,
>On 2/23/17 3:12 PM, Daniel Franke wrote:
>> The IANA considerations section of RFC 5297 (Synthetic Initialization
>> Vector (SIV) Authenticated Encryption Using the Advanced Encryption
>> Standard (AES)) gives N_MIN as 1. However, S2V is perfectly capable of
>> accepting zero-length arguments. Furthermore, passing a zero-length
>> argument to S2V is distinct from not passing that argument at all (as
>> done in the case deterministic encryption). How should an
>> implementation behave when provided with a zero-length nonce?
>The registry that RFC 5297 updated with its IANA Considerations was
>created by RFC 5116 to specify parameters for nonce-based AEAD modes. So
>when using RFC 5297 through that interface you're saying you want to
>use a nonce. RFC 5297 places the most minimal of requirements on such
>use: N_MIN of 1 octet.
>   The registry does not say what to do if someone tries to use the
>mode in a way that is not defined for the registry so officially I
>don't know what the answer is. We can evaluate your suggestions though.
>(As an example, AES-GCM can take a nonce of 16 octets but the registry
>makes N_MIN = N_MAX = 12. What do you do if you send 16 octets to
>AES-GCM through this interface? Got me.)
>> Should it return an error, since its length is under N_MIN?
>   That would seem like the prudent thing to do since it is in violation
>of the registry parameters.
>> Should it pass it along to S2V just like any other nonce input?
>   Since the registry mandates N_MIN as 1 then passing a zero length
>nonce "just like any other nonce input" seems wrong. So I'd say don't
>do that.
>> Or should it treat this as a request for deterministic encryption and
>> not pass any nonce to S2V?
>   Well the registry is not for deterministic encryption so I would
>say using it that way is not appropriate and would not think this
>is correct.
>   Seems to me that if you want to use AES-SIV (or any of the AEAD
>modes from RFC 5116) in a way that is not defined by RFC 5116 then
>use them through some raw interface and not the constrained one
>created by RFC 5116. You'll note that the RFC 5116 interface also
>assumes that all AAD is a single blob and does not support AES-SIV's
>vector of AAD. What do you do with this registry if you need/want
>to pass a vector of AAD to AES-SIV? Well, I'd say you don't use this
>registry as your interface.
>   Hope this helps,
>   Dan.
>Cfrg mailing list