Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt

Adam Langley, Mon, 09 May 2016 12:33 UTC

On Mon, May 9, 2016 at 5:23 AM, <> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.

Dear all,

In light of discussions here we've changed the way that AES-GCM-SIV
works with AES-256. It wasn't the case that two equal plaintexts with
consecutive nonces would produce equal ciphertext. However, it seems
to be insufficiently clear, and masking off a bit from the nonce
(i.e., 127-bit nonce) looks inelegant.

Thus, the record-encryption key is now generated using the "OFB mode"
suggestion made by Uri Blumenthal. (Thanks to him for that.)

In addition, we changed the initial counter value to avoid setting the
least-significant 32 bits to zero. Starting the block counter at zero
reduced the security margin in the analysis, and we realised that
there was no reason for it.