Re: [Cfrg] AES-GCM-SIV security of the additional data

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sat, 25 June 2016 08:41 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Adam Langley <agl@imperialviolet.org>
Date: Sat, 25 Jun 2016 08:40:51 +0000
Message-ID: <46E4192A-3518-4E51-850C-667E710098C9@rhul.ac.uk>
References: <CAPqF7e0QsCPn_OSKEry60Hm9F2BDU6DNG6Yc2NU=ocyCU2mwFg@mail.gmail.com> <D392EEF2.6EF40%kenny.paterson@rhul.ac.uk>, <CAMfhd9ULAqwr1cVe-hStsBf_xdorwQtmS+=Ui32iW6ErHBci6g@mail.gmail.com>
In-Reply-To: <CAMfhd9ULAqwr1cVe-hStsBf_xdorwQtmS+=Ui32iW6ErHBci6g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TGn4LpcS7VAtIXbvDoHAtvCvnj0>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] AES-GCM-SIV security of the additional data
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi Adam,

Thanks for the clarification. My remarks were based on the scheme as presented by Shay at Vienna; there, he introduced the misconception that two separate keys were involved; he did not clarify this during questioning (see the minutes).

Of course the draft is the definitive document and it's good that it presents the normal API.

Cheers,

Kenny

Sent from my iPhone

> On 25 Jun 2016, at 02:43, Adam Langley <agl@imperialviolet.org> wrote:
> 
> On Fri, Jun 24, 2016 at 6:24 AM, Paterson, Kenny
> <Kenny.Paterson@rhul.ac.uk> wrote:
>> On a related point, my view is that it is a disbenefit that the
>> AES-GCM-SIV proposal has two separate keys (one for encryption, the other
>> for authentication) as inputs. That's not the AEAD interface that we have
>> raised our implementers on. I raised this point at the CFRG meeting in
>> Vienna back in May. Simply concatenating the two keys in the current
>> proposal into one would address this issue, but not the one you raise (if
>> I understand it correctly).
> 
> The two keys are already concatenated in the draft, or else I
> misunderstood your point:
> https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-01#section-6
> 
> "Since the definition of an AEAD requires that the key be a single
> value we define AEAD_AES_128_GCM_SIV to take a 32-byte key: the first
> 16 bytes of which are used as the authentication key and the remaining
> 16 bytes are used as the AES key. Likewise AEAD_AES_256_GCM_SIV takes
> a 48-byte key: the first 16 bytes are again the authentication key
> and the remaining 32 bytes is the AES key."
> 
> 
> Cheers
> 
> AGL
> 
> -- 
> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
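The section 6 text quoted above is the whole of what the thread says about the key interface: one AEAD key whose first 16 bytes key the authentication and whose remainder is the AES key. The following is an added example, not code from this thread, from the draft, or from any AES-GCM-SIV implementation. It shows that single-key interface and what the authentication half of the key is actually for: it keys POLYVAL, the GF(2^128) universal hash that AES-GCM-SIV runs over the additional data and ciphertext. POLYVAL is written out from its definition (reduction polynomial x^128 + x^127 + x^126 + x^121 + 1, little-endian byte order, dot(a, b) = a * b * x^-128, with x^-128 derived by repeated division rather than taken as a memorised constant). The zero-padding of the additional data to 16-byte blocks is an assumption, and the length block, plaintext blocks and AES steps that turn the hash into a tag are left out on purpose. One caveat for anyone reading this thread today: the published RFC 8452 no longer splits a concatenated key but derives both subkeys from the key and the nonce, so `split_aead_key` below is specific to draft-01.

```python
# Added example (not from the CFRG thread or the draft): the single-key AEAD
# interface of draft-irtf-cfrg-gcmsiv-01 section 6, and the POLYVAL universal
# hash that the "authentication key" half of that key drives.  POLYVAL is
# implemented from its definition: GF(2^128) with the polynomial
# x^128 + x^127 + x^126 + x^121 + 1, little-endian byte order, and
# dot(a, b) = a * b * x^-128.  The padding of the additional data is an
# assumption; the rest of the AES-GCM-SIV tag computation is not included.

AUTH_KEY_LEN = 16


def split_aead_key(key: bytes) -> tuple[bytes, bytes]:
    """Split the single AEAD key of section 6 into (auth_key, aes_key).

    AEAD_AES_128_GCM_SIV: 32 bytes = 16-byte auth key || 16-byte AES-128 key
    AEAD_AES_256_GCM_SIV: 48 bytes = 16-byte auth key || 32-byte AES-256 key
    """
    if len(key) not in (32, 48):
        raise ValueError(f"AES-GCM-SIV key must be 32 or 48 bytes, got {len(key)}")
    return key[:AUTH_KEY_LEN], key[AUTH_KEY_LEN:]


# --- POLYVAL field arithmetic ---------------------------------------------
# Field elements are 128-bit integers; bit i is the coefficient of x^i, so a
# 16-byte block maps to an element via little-endian integer conversion.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
# x^-1: x * (x^127 + x^126 + x^125 + x^120) = x^128 + x^127 + x^126 + x^121 = 1 mod _POLY
_X_INV = (1 << 127) | (1 << 126) | (1 << 125) | (1 << 120)


def _gf_mul(a: int, b: int) -> int:
    """Carry-less multiply a*b (degree < 256), then reduce modulo _POLY."""
    prod = 0
    while b:
        if b & 1:
            prod ^= a
        a <<= 1
        b >>= 1
    for i in range(255, 127, -1):
        if (prod >> i) & 1:
            prod ^= _POLY << (i - 128)
    return prod


def _div_x(a: int) -> int:
    """Divide a field element by x: a = a0 + x*c, so a/x = c + a0 * x^-1."""
    low = a & 1
    a >>= 1
    return a ^ _X_INV if low else a


def _x_inv_128() -> int:
    """x^-128 as a field element, obtained by dividing 1 by x 128 times."""
    e = 1
    for _ in range(128):
        e = _div_x(e)
    return e


_X_INV_128 = _x_inv_128()  # the constant factor in POLYVAL's dot operation


def polyval(h: bytes, blocks: list[bytes]) -> bytes:
    """POLYVAL(H, X_1, ..., X_n): S_0 = 0, S_i = dot(S_{i-1} xor X_i, H)."""
    if len(h) != 16 or any(len(x) != 16 for x in blocks):
        raise ValueError("POLYVAL key and every input block must be 16 bytes")
    hi = int.from_bytes(h, "little")
    s = 0
    for x in blocks:
        s = _gf_mul(_gf_mul(s ^ int.from_bytes(x, "little"), hi), _X_INV_128)
    return s.to_bytes(16, "little")


def hash_additional_data(aead_key: bytes, ad: bytes) -> bytes:
    """Run the auth-key half of the AEAD key over the additional data.

    Assumption: the AD is zero-padded to a 16-byte boundary and split into
    blocks.  The length block, the plaintext blocks and the AES steps that
    turn this into an AES-GCM-SIV tag are outside this example.
    """
    auth_key, _aes_key = split_aead_key(aead_key)
    padded = ad + b"\x00" * (-len(ad) % 16)
    return polyval(auth_key, [padded[i:i + 16] for i in range(0, len(padded), 16)])


if __name__ == "__main__":
    key = bytes(range(32))  # constructed 32-byte AEAD_AES_128_GCM_SIV key
    print(hash_additional_data(key, b"header-v1").hex())
    print(hash_additional_data(key, b"header-v2").hex())
```

The arithmetic is checked against algebraic identities rather than published vectors: with H equal to x^128 the dot operation is the identity, so POLYVAL degenerates to the XOR of its blocks, and with H = 1 hashing the element x^128 must give back 1. Both only hold if the reduction and the x^-128 factor are right. A wrong key length is rejected before any hashing, which is the check the single-key API buys you over a two-key one: a caller cannot pass the AES key where the authentication key belongs.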