Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
John Mattsson <john.mattsson@ericsson.com> Thu, 19 January 2017 10:19 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A45D129435 for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 02:19:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o4Eu189kFbof for <cfrg@ietfa.amsl.com>; Thu, 19 Jan 2017 02:19:50 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25F91129434 for <cfrg@ietf.org>; Thu, 19 Jan 2017 02:19:49 -0800 (PST)
X-AuditID: c1b4fb25-5dfff70000002ee9-a3-588092c2c28c
Received: from ESESSHC015.ericsson.se (Unknown_Domain [153.88.183.63]) by (Symantec Mail Security) with SMTP id 59.A9.12009.2C290885; Thu, 19 Jan 2017 11:19:48 +0100 (CET)
Received: from ESESSMB307.ericsson.se ([169.254.7.134]) by ESESSHC015.ericsson.se ([153.88.183.63]) with mapi id 14.03.0319.002; Thu, 19 Jan 2017 11:20:38 +0100
From: John Mattsson <john.mattsson@ericsson.com>
To: Adam Langley <agl@imperialviolet.org>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
Thread-Index: AQHScbC0p4x0I5wsw0aH69/GsFzxwqE+udeAgAAj0wCAALoPAA==
Date: Thu, 19 Jan 2017 10:19:45 +0000
Message-ID: <D4A64D7D.58413%john.mattsson@ericsson.com>
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com> <D4A59386.5822C%john.mattsson@ericsson.com> <CAMfhd9XQSi17mLKE1AFUa2ZG8nJq4MfccMomFm+0ctsKm_Ab9w@mail.gmail.com>
In-Reply-To: <CAMfhd9XQSi17mLKE1AFUa2ZG8nJq4MfccMomFm+0ctsKm_Ab9w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.1.161129
x-originating-ip: [153.88.183.148]
Content-Type: text/plain; charset="utf-8"
Content-ID: <CCD1F0AA1CB22A45926C9A33631F6341@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprDIsWRmVeSWpSXmKPExsUyM2K7ve6RSQ0RBidXClq8eNbEanF0VxuL A5PHkiU/mTx+fssJYIrisklJzcksSy3St0vgymj/domxYJpNxZ4jU9gbGC9YdTFyckgImEhM fXqeHcQWEljHKNF1UKeLkQvIXsIo8e3MbVaQBJuAgcTcPQ1sILaIgKbEurPzwBqYBZQlji/d yghiCwvYSnQfWcMKUWMncX3HInYI20ni1qdWMJtFQFVi2u1rYDavgLnEwtm7GSGWHWSU2Pbr JgtIglMgUGLLirnMIDajgJjE91NrmCCWiUvcejKfCeJqAYkle84zQ9iiEi8f/wNbLCqgJ7H8 +RqouJJE45InQHEOoF5NifW79CFMa4lp7WoQExUlpnQ/hDpHUOLkzCcsExjFZyFZNguheRZC 8ywkzbOQNC9gZF3FKFqcWpyUm25krJdalJlcXJyfp5eXWrKJERhnB7f8Vt3BePmN4yFGAQ5G JR7eD031EUKsiWXFlbmHGCU4mJVEeMMnNEQI8aYkVlalFuXHF5XmpBYfYpTmYFES5zVbeT9c SCA9sSQ1OzW1ILUIJsvEwSnVwFjPvE5J/rHfUu1bhtL1J/3myj9i8HRotrT6sjGMc63BtfiC wy+kZ+cLBKSFnd4oPomrPCtS1Nmw2Fj43pUN8zz2avBa/t7Kk7Z6uur2F49Mfz/ceFi9+qnK 7B1CTDt9CiOFP0R3Lkr6spy51uDvnKe3bzQE3Jf2lG491nbixsHc8sz657L/Q5RYijMSDbWY i4oTAbaJYWavAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/WFmzTW-FK6iuJBGTBl0Y8bTqOFc>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2017 10:19:52 -0000
Hi Adam, Thanks for addressing my comments so fast! One more comment: - The use of one-time authentication keys has the benefit that it mitigates Fergusson’s authentication key recovery attack on GCM in the two-party case. In case of multicast the attack remains (but significantly restricted). This makes GCM-SIV a little bit more suitable for truncated tags than GCM. I think these advantages should be mentioned. - See reply on tag placement inline. Cheers, John On 2017-01-19, 01:13, "alangley@gmail.com on behalf of Adam Langley" <alangley@gmail.com on behalf of agl@imperialviolet.org> wrote: >On Wed, Jan 18, 2017 at 1:05 PM, John Mattsson ><john.mattsson@ericsson.com> wrote: >> - In addition to listing the performance penalty compared to GCM. The >> draft should also mention that compared to GCM, some nice properties >> disappear: >> - Neither Encryption nor Decryption is online as encryption/decryption >> cannot start before the whole plaintext/ciphertext is known. > >I agree that this is true for encryption, but I don't believe that >AES-GCM should be *de*crypted in a streaming fashion, but rather that >records should be sized so that this isn't a problem. (At which point >the benefit for streaming encryption becomes small or moot.) > >I've a long spiel about the dangers of processing unauthenticated >ciphertext which I'll spare you :) But, even for small machines, the >memory needed to safely buffer the decrypted plaintext to avoid >releasing it before it's authenticated is equal to the memory to >buffer the ciphertext followed by decrypting in-place. > >So I actually quite like that the tag is at the end of the message >with AES-GCM-SIV because it makes it harder to do what I think is the >"wrong" thing. I would agree with you if placing the tag last actually improved anything, but the fact is that GCM-SIV actually forces processing of unauthenticated ciphertext by design (a change from GCM). I cannot see any security benefits with (C, T) compared to (T, C). The only difference I can see is that (C, T) increases the latency for decryption on multicore. > >> - GCM-SIV removes the possibility to preprocess static headers (AAD). > >Indeed. > >(I wasn't sure where to put these points in the spec so, for the >moment, I've added an appendix for "Additional comparisons with >AES-GCM". I'm collecting changes in GitHub before making a new >version. For this message, see >https://github.com/agl/gcmsiv/commit/c6c7fd388dd122251264222b7491c6212e818 >319.) > >> - “The result of the encryption is the resulting ciphertext (truncated >> to the length of the plaintext) followed by the tag." >> >> I suggest that the tag is placed first instead of last in the >> ciphertext. This makes decryption online, which makes a large >> difference. Suggestion: >> >> “The result of the encryption is the tag followed by the ciphertext >> (truncated to the length of the plaintext)" > >(See above.) > >> >> >> - "within 5% of the speed of AES-GCM." >> Should state when this is the case, e.g. long plaintext/aad. > >Done. > >> >> - I think the draft should give performance data also for short >> plaintexts/aad or even better list the performance in number of >> operations: >> >> GCM: >> Block Cipher Operations = p + 1 >> GF(2^128) Multiplications = p + a + 1 >> >> GCM-SIV-128 >> Block Cipher Operations = p + 5 >> GF(2^128) Multiplications = p + a + 1 >> >> GCM-SIV-256 >> Block Cipher Operations = p + 7 >> GF(2^128) Multiplications = p + a + 1 >> >> (if I got it right...) > >I think that's correct and I've added that to the new appendix. > >> Where p is the block length of the plaintext and a is the block length >> of the additional authenticated data, >> >> I doubt that encryption of short messages are anywhere near 5% of GCM. >> >> - The "++" and "[:8]" operation should probably be defined. > >Done. > >> >> - What it the security/performance tradeoff with truncation in the key >> derivation? What would the security properties be if "[:8]" was >> removed? > >I'll have to let Shay answer this, but the rough idea is that, since >AES is a permutation, not two ciphertexts can be equal given that >we're encrypting different plaintexts using the KDF phase. However, >ideally we would want a PRF where outputs can be the same. By taking >only the first eight bytes of each ciphertext block, we better >approximate a PRF. > >> - The definition of U32LE seems unnecessary and only adds complexity. >> I suggest: >> OLD "U32LE(3) ++ nonce" >> NEW "03 ++ 000000 ++ nonce > >Good point. > >> >> - The term K1 is only used in Test Vectors. I guess it is an old term >> that should be removed. > >Done. > >> Some editorials: > >Thank you for all these. They should be taken care of. > >> - OLD "The record-authentication key is 128-bit and the >> record-authentication key" >> NEW "The record-authentication key is 128-bit and the >> record-encryption key" >> >> - "} else if bytelen(key-generating-key) == 32 { >> record-encryption-key = AES128(key = key-generating-key," >> >> Should be AES256 > >Indeed, and record-authentication-key is wrong too! > >> - Spacing around "+" and "*" are not consistent. >> >> - "the the" >> >> - yeilds >> >> - remainding >> >> - RFC7322 says "A comma is used before the last item of a series" > >I think I've leave this one to the RFC Editor! > > > >Cheers > >AGL
- [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Brian Smith
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Shay Gueron
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Richard Outerbridge
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… John Mattsson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Shay Gueron
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Adam Langley
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Dang, Quynh (Fed)
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.… Dang, Quynh (Fed)