[Cfrg] AES-GCM-SIV with a new key hierarchy

"Gueron, Shay" <shay.gueron@gmail.com> Fri, 24 June 2016 17:12 UTC

Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6669212D119 for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 10:12:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 62plq-tW38ym for <cfrg@ietfa.amsl.com>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B9AD12D0C5 for <cfrg@ietf.org>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
Received: by mail-wm0-x242.google.com with SMTP id a66so6661057wme.2 for <cfrg@ietf.org>; Fri, 24 Jun 2016 10:12:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:cc:date:message-id:in-reply-to:reply-to:user-agent :mime-version:content-transfer-encoding; bh=mBwjKCul+gPXCU5HwTFVuC1fFq52TrPb0OiOj3dHifE=; b=ceYoDOGwAvxJTola/as1deXkphZ2TbxbKauGQ5VS22akgBaCXemXG/xzu6WjoxEN9t KT4y4s0IACP2iSYLowPnnhKK5TNZh/L2xG2jPPAWVfeByDM8GdI8vB812ckvbkvWt1Zj WJtiah6u1LckWgdtvNoBRB9liyqAnpPMT9IJEXB6ZbWnQLfrgWWns/WPbAtc5fa+hVNZ Ix/hXH9Agy7v7Ttt/Qq5jDqZtVss/IYA914qIZtV5ot35WFLPHVaezt39y0odp9Hy+IB 3gHVMUIhsQ3K2cqlIeGaQDM2UcryMJS9W3Jsni0sv7rAdAMCQEu1C9Ahut5eBjCDZxDN LSPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:cc:date:message-id:in-reply-to :reply-to:user-agent:mime-version:content-transfer-encoding; bh=mBwjKCul+gPXCU5HwTFVuC1fFq52TrPb0OiOj3dHifE=; b=QZVC4rCETetNQFkq4i+tFEBXVvV6WLBN14ec06N4+lFPoVNyLH5Qgf6ylK/+XqYxoH 2vvFn+hSV3qpTiQJI59GIiu0yh45+DQ1zLJiv3l+ZOe/ejUG8oIsr+1hbEiHOmInLHAq RXBzeWJdqXySPN4Crze85VcOO2cVKoMLWQrwlpQ9O7atNG7jiytO2qV06uAHzVPSkiA7 qeoF9Sp9ly97sh0xHWRagy/qwnS7VwrAOIiD2eKxc6uB0J7TWIDYfBDjMeeTg5Al+zf5 iPJdZsYhUhgKzNkTPoAaxVEFEftcj/UmtINw2iar1PWSTuQGSDyQprOY7JLb1VT/TjT7 JQlw==
X-Gm-Message-State: ALyK8tIR8YS0tcAN6XZBkrklpujXkkPmElzqgXGxEf+Rvat1kkzC8kmLI9wtdroEsjC2vQ==
X-Received: by with SMTP id k205mr19236183wmb.17.1466788343989; Fri, 24 Jun 2016 10:12:23 -0700 (PDT)
Received: from [] (bzq-79-180-232-9.red.bezeqint.net. []) by smtp.gmail.com with ESMTPSA id a4sm6021766wjq.40.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 24 Jun 2016 10:12:23 -0700 (PDT)
From: "Gueron, Shay" <shay.gueron@gmail.com>
To: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 24 Jun 2016 17:10:23 +0000
Message-Id: <em85e6ab2a-6a3c-4b2e-986d-2e44c2965663@sgueron-mobl3>
In-Reply-To: <ema3c568ce-b47f-45fc-b799-b78ad0494efd@sgueron-mobl3>
User-Agent: eM_Client/6.0.24928.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/XwC7xuUp5RIbCqPcKlG1gwzxxOc>
Resent-From: alias-bounces@ietf.org
Resent-To: <>
Cc: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>, Adam Langley <agl@google.com>
Subject: [Cfrg] AES-GCM-SIV with a new key hierarchy
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "Gueron, Shay" <shay.gueron@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jun 2016 17:12:27 -0000

Hello everyone,

I start a new tread.

It is a branch off the one entitled "AES-GCM-SIV security of the 
additional data" and initiated by Daniel.

It combine Kenny's inputs about having two separate keys and the AEADE 
interface (which he raised at the CFRG meeting in
Vienna in May and also mentioned, in the previous thread, that 
concatenating 2 separate keys does not solve the problem that Daniel 

It also address a comment that Bart Preneel made at that CFRG meeting.


It is possible to define AES-GCM-SIV with a standard interface that has 
a single key (say, MK for "Master Key"), which can be 128 or 256 bits. 
Basically, by adding the following key derivation step:

     Using MK, derive two new keys K and H: K for encryption and H for 
     From that point on, apply AES-GCM-SIV as it is defined now, where 
(K, H) are the keys.

Note that K and H are derived statically from MK. The "record encryption 
key" for the encryption depends on the nonce N, via another derivation, 
as it is currently defined in AES-GCM-SIV.

Note: the derivations are different for the 128 and the 256 bit keys, 
but such derivations are already in use by AES-GCM-SIV.
With this, AES-GM-SIV could be used with the protocol Daniel described, 
and would address Kenny's comment on the AEAD interface.
(I guess that it could be better viewed as a drop in replacement to 

The cost is the additional key derivation. this cost could be low if the 
message is long, or if many messages are encrypted (so that K, H can be 

An alternative would be to incorporate the nonce from the beginning, 
during the derivation of K, H from MK. This will modify the record 
encryption key and also the hash key per each nonce. In that case the 
extra derivation of the record encryption key (per nonce) could be 
skipped (but also could be not done).

I would appreciate any comments on this.

Thanks, Shay