Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Andy Lutomirski <luto@amacapital.net> Tue, 26 April 2016 16:44 UTC

In-Reply-To: <emd177ba4d-0be1-4293-afb1-fc0b1a9c54f9@sgueron-mobl3>
References: <D33EAB85.2AC03%uri@ll.mit.edu> <emd177ba4d-0be1-4293-afb1-fc0b1a9c54f9@sgueron-mobl3>
From: Andy Lutomirski <luto@amacapital.net>
Date: Tue, 26 Apr 2016 09:44:24 -0700
Message-ID: <CALCETrWnuuhQGP7zLO9kh+EEsOXaDZycQVSge_=8R38cQj1-vQ@mail.gmail.com>
To: "Gueron, Shay" <shay.gueron@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/UtQoaePO5kbf55NXWyirAiZw2Eg>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

On Thu, Apr 21, 2016 at 1:38 PM, Gueron, Shay <shay.gueron@gmail.com> wrote:
> OK, I did not understand what Andy meant...
>
> Indeed, for deriving the encryption in the 256-bit key case, the nonce has
> effectively 127 bits.
>
> Repeating this (127-bit) nonce degenerates the encryption to using the same
> 256-bit key.
>
> Still, the CTR mode encryption that follows is not going to leak
> information unless the same message (with the same 127-bit IV) is encrypted.
> In such, the equality of the message is revealed. But this is the nature of
> the deterministic processing, and this is what the nonce misuse resistance
> provides.

Then you're violating one of the basic properties that even
non-nonce-misuse-resistant schemes provide: when you encrypt two
messages using different nonces, you shouldn't reveal whether they're
the same message.  As proposed, this mode does *not* have that
property.

This isn't a probabilistic thing.  A program that uses a simple
counter as its nonce in the appropriate endianness will trigger this
for every single pair of consecutive messages.  That's a 100%
probability of information leak for a session that contains a mere 2^1
messages.

You can paper over it by saying that, in 256-bit AES mode, the nonce
is only 127 bits, but that's weird and someone's going to use it
wrong.  Given that fixing this is trivial, why not just fix it?  This
is, after all, a mode designed to be misuse-resistant, and this design
decision makes it very easy to misuse.

--Andy
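As an added illustration of the property argued over in this exchange (this is constructed model code, not the draft's specification and not code from either author): a toy SIV-style deterministic AEAD in which only 127 of the 128 nonce bits influence the per-nonce key derivation and the synthetic IV, next to a variant that uses all 128 bits. HMAC-SHA256 stands in for the block cipher, the derivation and tag layout are modelling assumptions, and the choice of which bit is ignored (the low bit of the last nonce byte) is likewise an assumption; the e-mail only says that 127 bits are effective and that a counter nonce in the matching endianness collides on every consecutive pair.

```python
"""Toy model: a deterministic (SIV-style) AEAD that silently ignores one nonce
bit, beside a variant that uses every nonce bit.

Constructed example. HMAC-SHA256 replaces the block cipher, and the key
derivation, tag mixing and dropped-bit position are all assumptions made for
illustration; none of this is AES-GCM-SIV's actual algorithm.
"""
import hashlib
import hmac


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in PRF for the block cipher (constructed model)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _effective_nonce(nonce: bytes, drop_low_bit: bool) -> bytes:
    """Return the nonce bits the scheme actually uses.

    The flawed variant clears the least significant bit of the last byte, so
    only 127 of the 128 nonce bits influence anything downstream. Which bit is
    lost is a modelling assumption.
    """
    if len(nonce) != 16:
        raise ValueError("nonce must be 16 bytes")
    if not drop_low_bit:
        return nonce
    return nonce[:15] + bytes([nonce[15] & 0xFE])


def _derive_keys(master_key: bytes, eff_nonce: bytes):
    """Per-nonce subkeys: one PRF call per half of the derived key material."""
    k_auth = _prf(master_key, b"auth-key" + eff_nonce)
    k_enc = _prf(master_key, b"enc-key" + eff_nonce)
    return k_auth, k_enc


def _keystream(k_enc: bytes, tag: bytes, length: int) -> bytes:
    """CTR-style keystream seeded by the tag, as SIV constructions do."""
    blocks = [_prf(k_enc, tag + counter.to_bytes(4, "little"))
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def siv_encrypt(master_key: bytes, nonce: bytes, aad: bytes,
                plaintext: bytes, drop_low_bit: bool) -> bytes:
    """Deterministic AEAD: same key, (effective) nonce, AAD and plaintext
    always yield the same ciphertext. Output is ciphertext || 16-byte tag."""
    eff = _effective_nonce(nonce, drop_low_bit)
    k_auth, k_enc = _derive_keys(master_key, eff)
    # Synthetic IV: MAC over AAD length, AAD and plaintext, mixed with the nonce.
    mac = _prf(k_auth, len(aad).to_bytes(8, "little") + aad + plaintext)[:16]
    tag = bytes(a ^ b for a, b in zip(mac, eff))
    stream = _keystream(k_enc, tag, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream)) + tag


def siv_decrypt(master_key: bytes, nonce: bytes, aad: bytes,
                ciphertext: bytes, drop_low_bit: bool) -> bytes:
    """Inverse of siv_encrypt; raises ValueError if the tag does not verify."""
    if len(ciphertext) < 16:
        raise ValueError("ciphertext too short")
    eff = _effective_nonce(nonce, drop_low_bit)
    k_auth, k_enc = _derive_keys(master_key, eff)
    ct, tag = ciphertext[:-16], ciphertext[-16:]
    pt = bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, tag, len(ct))))
    mac = _prf(k_auth, len(aad).to_bytes(8, "little") + aad + pt)[:16]
    expected = bytes(a ^ b for a, b in zip(mac, eff))
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return pt


def counter_nonce(i: int) -> bytes:
    """Big-endian message counter used directly as the nonce."""
    return i.to_bytes(16, "big")


def consecutive_collisions(master_key: bytes, message: bytes,
                           n_messages: int, drop_low_bit: bool):
    """Encrypt one fixed message under nonces 0..n-1 and list the consecutive
    nonce pairs whose ciphertexts are byte-identical, i.e. the pairs for which
    an observer learns that the two messages were equal."""
    cts = [siv_encrypt(master_key, counter_nonce(i), b"", message, drop_low_bit)
           for i in range(n_messages)]
    return [(i, i + 1) for i in range(n_messages - 1) if cts[i] == cts[i + 1]]


# Constructed demo values, not from the draft or the thread.
DEMO_KEY = bytes(range(32))
DEMO_MSG = b"same message, different nonce"

if __name__ == "__main__":
    print("127-bit variant collisions:", consecutive_collisions(DEMO_KEY, DEMO_MSG, 8, True))
    print("128-bit variant collisions:", consecutive_collisions(DEMO_KEY, DEMO_MSG, 8, False))
```

With the ignored bit, nonces 2k and 2k+1 map to the same effective nonce, so every other consecutive pair of a counter sequence produces identical ciphertexts for identical messages, which is exactly the "100% probability for 2^1 messages" point above; repeating the same full nonce still gives the same ciphertext in both variants, which is the intended deterministic behaviour Shay describes and is unrelated to the lost bit.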