Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

"Gueron, Shay" <shay.gueron@gmail.com> Thu, 31 March 2016 04:38 UTC

From: "Gueron, Shay" <shay.gueron@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Tony Arcieri <bascule@gmail.com>
Date: Thu, 31 Mar 2016 04:38:02 +0000
Message-Id: <em1e90f982-c325-46fb-932f-9cd7149ad120@sgueron-mobl3>
In-Reply-To: <541C676F-162B-49D5-9DD6-F9F0BA6DA513@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/PqW6RY4Q9xFzxTAwnK0VzyIp_oc>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Hello everyone,
To clarify a possible confusion about the 256-bit variant: no 256-bit 
key is ever derived from a 128-bit key (as Yoav pointed out). The 
authentication key has 128 bits, and so does the authentication tag.

The raised concern is that since the flow derives a 256-bit key by 
applying AES256 to a 128-bit nonce (with 0 and 1), then we actually have 
maximum 2^128 possible keys as a result, and not maximum 2^256. Thus, 
the entropy seems reduced to 2^128.

However, if AES256 is secure as a pseudorandom permutation, then even if 
you derive a key by applying it to 0 and 1 (and therefore have only 1 
option), the effect is still pseudorandom to anyone not able to 
break AES256. It is not the number of possible derived keys, but their 
strength. By using AES256 to derive them, the strength is that of 
256-bit security.

Thanks,
Shay and Yehuda

------ Original Message ------
From: "Yoav Nir" <ynir.ietf@gmail.com>
To: "Tony Arcieri" <bascule@gmail.com>
Cc: "Yehuda Lindell" <yehuda.lindell@biu.ac.il>; "cfrg@irtf.org" 
<cfrg@irtf.org>; "Adam Langley" <agl@google.com>
Sent: 3/31/2016 7:13:47 AM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document

>Hi, Tony
>
>>On 31 Mar 2016, at 6:40 AM, Tony Arcieri <bascule@gmail.com> wrote:
>>
>>On Wed, Mar 30, 2016 at 6:56 PM, denis bider 
>><ietf-cfrg@denisbider.com> wrote:
>>>I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to 
>>>derive the final encryption key.
>>
>>No?
>>4. Encryption
>>AES-GCM-SIV encryption takes a 16-byte authentication 
>>key, a 16- or 32-byte AES key, a 128-bit nonce, and arbitrary-length 
>>plaintext and additional data inputs. It outputs an authenticated 
>>ciphertext that will be 16 bytes longer than the plaintext.
>
>I think the relevant section is the next paragraph where the record 
>encryption key is defined. That too is defined to be the same length as 
>the input key:
>
>If the AES key is 16 bytes long then define the _record-encryption key_ 
>as the encryption of the nonce using the AES key. If AES-256 is being 
>used then this is insufficient as 256 bits of key material are needed. 
>Therefore the record-encryption key in this case is the concatenation 
>of the result of encrypting, using the AES key, the nonce with the 
>least-significant bit of the first byte set to zero and then to one.
>
>Yoav
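As an added example, not code from the draft, its authors, or anyone on this thread, the following Go program implements the record-encryption-key derivation exactly as the draft text Yoav quotes above describes it, using the standard library's AES. The inputs are constructed: the FIPS-197 Appendix C example keys and plaintext block, so the AES-128 case and the first half of the AES-256 case can be checked against published vectors. It also checks the two properties that follow directly from that text: the two halves of a 32-byte derived key can never be equal (AES under a fixed key is a permutation and the two inputs differ), and two nonces that differ only in the low bit of their first byte derive the same record key, because that bit is overwritten before encryption. One caveat: this is the derivation in the draft under discussion; the key derivation in the eventual RFC 8452 is different, so this code is not a test vector for RFC 8452 implementations.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// deriveRecordKey derives the per-nonce record-encryption key as the draft
// text quoted in this thread describes it (not RFC 8452's derivation):
//   16-byte AES key: AES_K(nonce)
//   32-byte AES key: AES_K(nonce with LSB of byte 0 cleared) ||
//                    AES_K(nonce with LSB of byte 0 set)
// The nonce must be exactly one AES block (16 bytes).
func deriveRecordKey(key, nonce []byte) ([]byte, error) {
	if len(nonce) != aes.BlockSize {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", aes.BlockSize, len(nonce))
	}
	// AES-192 is accepted by crypto/aes but is not part of the scheme.
	if len(key) != 16 && len(key) != 32 {
		return nil, fmt.Errorf("key must be 16 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(key) == 16 {
		out := make([]byte, aes.BlockSize)
		block.Encrypt(out, nonce)
		return out, nil
	}
	// AES-256 needs two blocks of key material, so the one nonce is turned
	// into two distinct block inputs by forcing the low bit of byte 0.
	n0 := make([]byte, aes.BlockSize)
	n1 := make([]byte, aes.BlockSize)
	copy(n0, nonce)
	copy(n1, nonce)
	n0[0] &^= 1 // least-significant bit of the first byte set to zero
	n1[0] |= 1  // ... and set to one
	out := make([]byte, 2*aes.BlockSize)
	block.Encrypt(out[:aes.BlockSize], n0)
	block.Encrypt(out[aes.BlockSize:], n1)
	return out, nil
}

// halvesDistinct reports whether the two halves of a 32-byte record key differ.
// Since AES_K is a permutation and n0 != n1, this holds for every key and nonce.
func halvesDistinct(recordKey []byte) bool {
	return len(recordKey) == 2*aes.BlockSize &&
		!bytes.Equal(recordKey[:aes.BlockSize], recordKey[aes.BlockSize:])
}

// sameKeyForLowBitTwins reports whether nonce and the nonce with the low bit
// of byte 0 flipped derive the same record key. Under the 32-byte derivation
// they always do (the bit is overwritten); under the 16-byte one they never do.
func sameKeyForLowBitTwins(key, nonce []byte) (bool, error) {
	twin := make([]byte, len(nonce))
	copy(twin, nonce)
	twin[0] ^= 1
	a, err := deriveRecordKey(key, nonce)
	if err != nil {
		return false, err
	}
	b, err := deriveRecordKey(key, twin)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

// mustHex decodes a hex string or panics; only used for constructed inputs.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed inputs: FIPS-197 Appendix C example key bytes and plaintext block.
	key256 := mustHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	nonce := mustHex("00112233445566778899aabbccddeeff")

	rk128, _ := deriveRecordKey(key256[:16], nonce)
	rk256, _ := deriveRecordKey(key256, nonce)
	fmt.Printf("AES-128 record key: %x\n", rk128)
	fmt.Printf("AES-256 record key: %x\n", rk256)
	fmt.Println("halves distinct:", halvesDistinct(rk256))
	same, _ := sameKeyForLowBitTwins(key256, nonce)
	fmt.Println("low-bit twin nonces share a record key (AES-256):", same)
}
```

The AES-128 output equals the FIPS-197 C.1 ciphertext for that key and block, and the first 16 bytes of the AES-256 output equal the C.3 ciphertext (byte 0 of the nonce is 0x00, so clearing its low bit leaves the block unchanged); the second half is the encryption of the block with byte 0 = 0x01.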