Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 April 2016 20:11 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Shay Gueron <shay.gueron@gmail.com>, Andy Lutomirski <luto@amacapital.net>
Date: Thu, 21 Apr 2016 20:11:33 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/Y79EYOFjlddfpOapEGNmDWhNrwg>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

I’m afraid Andy is correct. Say one record has its nonce xxxx…xxxx0 (127
bits plus 0), and another record has its nonce xxx…xxx1. The record key
produced for both records will be the same, because it clobbers/ignores the
LSB.

Again, why don’t you just use AES256-OFB to produce a 256-bit record key?
-- 
Regards,
Uri Blumenthal

From:  Cfrg <cfrg-bounces@irtf.org> on behalf of Shay Gueron
<shay.gueron@gmail.com>
Date:  Thursday, April 21, 2016 at 16:06
To:  Andy Lutomirski <luto@amacapital.net>
Cc:  Adam Langley <agl@imperialviolet.org>, Yehuda Lindell
<yehuda.lindell@biu.ac.il>, CFRG <cfrg@irtf.org>, Adam Langley
<agl@google.com>
Subject:  Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant
Authenticated Encryption" as a CFRG document ---- Some clarifications

> Andy, 
> 
> Addressing your concern:
>>>> >>> This has the odd property that the
>>>> >>> record encryption key is the same for two messages with nonces that
>>>> >>> differ only in the LSB of the first byte.
> This is not the case. What the spec states means the following:
> The record encryption key is derived by
> 
> AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1)
> 
> I hope this helps clarify.
> Regards, Shay
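The derivation Shay quotes, worked through in Go as an added example (not code from the draft or from any participant in the thread). It assumes a 32-byte AES-256 master key and that the overwritten "bit 0" is the low-order bit of nonce byte 0, matching Andy's wording; under those assumptions it shows the property Andy and Uri describe: two nonces differing only in that bit derive the same record key, while a nonce differing in any other bit does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// deriveRecordKey is the derivation quoted in the thread:
//   AES256_K(NONCE[127:1] || 0) || AES256_K(NONCE[127:1] || 1)
// Assumption (not fixed by the thread): the overwritten bit 0 is the low-order
// bit of nonce byte 0, matching Andy's phrase "LSB of the first byte".
func deriveRecordKey(masterKey []byte, nonce [16]byte) ([]byte, error) {
	if len(masterKey) != 32 {
		return nil, fmt.Errorf("AES-256 master key must be 32 bytes, got %d", len(masterKey))
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	recordKey := make([]byte, 32)
	for _, bit := range []byte{0, 1} {
		in := nonce                   // arrays copy by value; nonce is untouched
		in[0] = (in[0] &^ 0x01) | bit // keep NONCE[127:1], force bit 0 to 0, then 1
		off := 16 * int(bit)
		block.Encrypt(recordKey[off:off+16], in[:])
	}
	return recordKey, nil
}

// sameRecordKey reports whether two nonces yield the same record key.
func sameRecordKey(masterKey []byte, a, b [16]byte) bool {
	ka, errA := deriveRecordKey(masterKey, a)
	kb, errB := deriveRecordKey(masterKey, b)
	return errA == nil && errB == nil && bytes.Equal(ka, kb)
}

func main() {
	masterKey := bytes.Repeat([]byte{0x42}, 32) // constructed sample key
	var n0 [16]byte
	copy(n0[:], "record-nonce-000") // constructed sample nonce
	n1, n2 := n0, n0
	n1[0] ^= 0x01 // differs from n0 only in bit 0
	n2[0] ^= 0x02 // differs from n0 only in bit 1
	fmt.Println("differ in bit 0, same record key:", sameRecordKey(masterKey, n0, n1)) // true
	fmt.Println("differ in bit 1, same record key:", sameRecordKey(masterKey, n0, n2)) // false
}
```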