Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 April 2016 21:41 UTC
Return-Path: <prvs=39194c8253=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1700812E0BB for <cfrg@ietfa.amsl.com>; Thu, 21 Apr 2016 14:41:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.195
X-Spam-Level:
X-Spam-Status: No, score=-5.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33rtx2QjRrpk for <cfrg@ietfa.amsl.com>; Thu, 21 Apr 2016 14:41:06 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 53CA712E512 for <cfrg@irtf.org>; Thu, 21 Apr 2016 14:41:05 -0700 (PDT)
Received: from LLE2K10-HUB02.mitll.ad.local (LLE2K10-HUB02.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id u3LLdWYD003720; Thu, 21 Apr 2016 17:39:32 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Adam Langley <agl@imperialviolet.org>
Thread-Topic: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Thread-Index: AdGcFn+WcBDJFfpWREmYbD5sdatNiw==
Date: Thu, 21 Apr 2016 21:41:01 +0000
Message-ID: <20160421214110.18280531.21292.64723@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="===============1016669443=="
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-04-21_15:, , signatures=0
X-Proofpoint-Spam-Details: rule=inbound_notspam policy=inbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1603290000 definitions=main-1604210336
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/TO4XRvfZJEg-t10r3UNXG_CtMHw>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Apr 2016 21:41:09 -0000
And if you're absolutely viscerally opposed to OFB - for the 1st encryption use the nonce itself, and for the 2nd encryption input - XOR the nonce with 0x00..01. Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Blumenthal, Uri - 0553 - MITLL Sent: Thursday, April 21, 2016 16:35 To: Adam Langley Cc: Yehuda Lindell; cfrg@irtf.org; Adam Langley Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications For the 3rd time: why not generate record key using AES-OFB? Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. Original Message From: Adam Langley Sent: Thursday, April 21, 2016 16:28 To: Blumenthal, Uri - 0553 - MITLL Cc: Shay Gueron; Andy Lutomirski; Yehuda Lindell; cfrg@irtf.org; Adam Langley Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications On Thu, Apr 21, 2016 at 1:11 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote: > I’m afraid Andy is correct. Say one record has its nonce xxxx…xxxx0 (127 > bits plus 0), and another record has its nonce xxx…xxx1. The record key > produced for both records will be the same, because it clobbers/ignores the > LSB. That is what I understood when I wrote those words. I might have misunderstood Shay however! This is the reason that the Security Considerations section mentions that it's only safe to repeat an nonce 2^31 (rather than 2^32) times with the AES-256 version. Cheers AGL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL