[Cfrg] AES-GCM-SIV with a new key hierarchy
"Gueron, Shay" <shay.gueron@gmail.com> Fri, 24 June 2016 17:12 UTC
Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6669212D119 for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 10:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62plq-tW38ym for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B9AD12D0C5 for <cfrg@ietf.org>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
Received: by mail-wm0-x242.google.com with SMTP id a66so6661057wme.2 for <cfrg@ietf.org>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:cc:date:message-id:in-reply-to:reply-to:user-agent :mime-version:content-transfer-encoding; bh=mBwjKCul+gPXCU5HwTFVuC1fFq52TrPb0OiOj3dHifE=; b=ceYoDOGwAvxJTola/as1deXkphZ2TbxbKauGQ5VS22akgBaCXemXG/xzu6WjoxEN9t KT4y4s0IACP2iSYLowPnnhKK5TNZh/L2xG2jPPAWVfeByDM8GdI8vB812ckvbkvWt1Zj WJtiah6u1LckWgdtvNoBRB9liyqAnpPMT9IJEXB6ZbWnQLfrgWWns/WPbAtc5fa+hVNZ Ix/hXH9Agy7v7Ttt/Qq5jDqZtVss/IYA914qIZtV5ot35WFLPHVaezt39y0odp9Hy+IB 3gHVMUIhsQ3K2cqlIeGaQDM2UcryMJS9W3Jsni0sv7rAdAMCQEu1C9Ahut5eBjCDZxDN LSPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:cc:date:message-id:in-reply-to :reply-to:user-agent:mime-version:content-transfer-encoding; bh=mBwjKCul+gPXCU5HwTFVuC1fFq52TrPb0OiOj3dHifE=; b=QZVC4rCETetNQFkq4i+tFEBXVvV6WLBN14ec06N4+lFPoVNyLH5Qgf6ylK/+XqYxoH 2vvFn+hSV3qpTiQJI59GIiu0yh45+DQ1zLJiv3l+ZOe/ejUG8oIsr+1hbEiHOmInLHAq RXBzeWJdqXySPN4Crze85VcOO2cVKoMLWQrwlpQ9O7atNG7jiytO2qV06uAHzVPSkiA7 qeoF9Sp9ly97sh0xHWRagy/qwnS7VwrAOIiD2eKxc6uB0J7TWIDYfBDjMeeTg5Al+zf5 iPJdZsYhUhgKzNkTPoAaxVEFEftcj/UmtINw2iar1PWSTuQGSDyQprOY7JLb1VT/TjT7 JQlw==
X-Gm-Message-State: ALyK8tIR8YS0tcAN6XZBkrklpujXkkPmElzqgXGxEf+Rvat1kkzC8kmLI9wtdroEsjC2vQ==
X-Received: by 10.28.86.214 with SMTP id k205mr19236183wmb.17.1466788343989; Fri, 24 Jun 2016 10:12:23 -0700 (PDT)
Received: from [10.0.0.3] (bzq-79-180-232-9.red.bezeqint.net. [79.180.232.9]) by smtp.gmail.com with ESMTPSA id a4sm6021766wjq.40.2016.06.24.10.12.22 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 24 Jun 2016 10:12:23 -0700 (PDT)
From: "Gueron, Shay" <shay.gueron@gmail.com>
To: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 24 Jun 2016 17:10:23 +0000
Message-Id: <em85e6ab2a-6a3c-4b2e-986d-2e44c2965663@sgueron-mobl3>
In-Reply-To: <ema3c568ce-b47f-45fc-b799-b78ad0494efd@sgueron-mobl3>
User-Agent: eM_Client/6.0.24928.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XwC7xuUp5RIbCqPcKlG1gwzxxOc>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>, Adam Langley <agl@google.com>
Subject: [Cfrg] AES-GCM-SIV with a new key hierarchy
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "Gueron, Shay" <shay.gueron@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 17:12:27 -0000
Hello everyone,
I start a new tread.
It is a branch off the one entitled "AES-GCM-SIV security of the
additional data" and initiated by Daniel.
It combine Kenny's inputs about having two separate keys and the AEADE
interface (which he raised at the CFRG meeting in
Vienna in May and also mentioned, in the previous thread, that
concatenating 2 separate keys does not solve the problem that Daniel
raised).
It also address a comment that Bart Preneel made at that CFRG meeting.
****
It is possible to define AES-GCM-SIV with a standard interface that has
a single key (say, MK for "Master Key"), which can be 128 or 256 bits.
Basically, by adding the following key derivation step:
Using MK, derive two new keys K and H: K for encryption and H for
authentication.
From that point on, apply AES-GCM-SIV as it is defined now, where
(K, H) are the keys.
Note that K and H are derived statically from MK. The "record encryption
key" for the encryption depends on the nonce N, via another derivation,
as it is currently defined in AES-GCM-SIV.
Note: the derivations are different for the 128 and the 256 bit keys,
but such derivations are already in use by AES-GCM-SIV.
With this, AES-GM-SIV could be used with the protocol Daniel described,
and would address Kenny's comment on the AEAD interface.
(I guess that it could be better viewed as a drop in replacement to
AES-GCM)
The cost is the additional key derivation. this cost could be low if the
message is long, or if many messages are encrypted (so that K, H can be
cached).
An alternative would be to incorporate the nonce from the beginning,
during the derivation of K, H from MK. This will modify the record
encryption key and also the hash key per each nonce. In that case the
extra derivation of the record encryption key (per nonce) could be
skipped (but also could be not done).
I would appreciate any comments on this.
Thanks, Shay
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Aaron Zauner
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Aaron Zauner
- Re: [Cfrg] AES-GCM-SIV security of the additional… Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Adam Langley
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] AES-GCM-SIV security of the additional… Jim Schaad
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- [Cfrg] AES-GCM-SIV with a new key hierarchy Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Gueron, Shay
- Re: [Cfrg] AES-GCM-SIV security of the additional… Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Antonio Sanso
- Re: [Cfrg] AES-GCM-SIV security of the additional… Paterson, Kenny
- Re: [Cfrg] AES-GCM-SIV security of the additional… Blumenthal, Uri - 0553 - MITLL
- [Cfrg] AES-GCM-SIV security of the additional data Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV security of the additional… Daniel Bleichenbacher
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Dan Harkins
- Re: [Cfrg] AES-GCM-SIV with a new key hierarchy Shay Gueron