Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

John Mattsson <john.mattsson@ericsson.com> Wed, 18 January 2017 21:06 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Wed, 18 Jan 2017 21:05:36 +0000
Message-ID: <D4A59386.5822C%john.mattsson@ericsson.com>
References: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
In-Reply-To: <148476063144.1938.2025448065922517313.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_SoRdIjfSn1-fEjy_k6Nu0JWrEw>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi,

Very well written. Some comments and suggestions:

- In addition to listing the performance penalty compared to GCM, the
  draft should also mention that, compared to GCM, some nice properties
  disappear:
  - Neither encryption nor decryption is online, as encryption/decryption
    cannot start before the whole plaintext/ciphertext is known.
  - GCM-SIV removes the possibility to preprocess static headers (AAD).

- "The result of the encryption is the resulting ciphertext (truncated
   to the length of the plaintext) followed by the tag."

  I suggest that the tag is placed first instead of last in the
  ciphertext. This makes decryption online, which makes a large
  difference. Suggestion:

  "The result of the encryption is the tag followed by the ciphertext
   (truncated to the length of the plaintext)"


- "within 5% of the speed of AES-GCM."
  Should state when this is the case, e.g. long plaintext/aad.

- I think the draft should give performance data also for short
  plaintexts/aad or even better list the performance in number of
  operations:

  GCM:
    Block Cipher Operations = p + 1
    GF(2^128) Multiplications = p + a + 1

  GCM-SIV-128:
    Block Cipher Operations = p + 5
    GF(2^128) Multiplications = p + a + 1

  GCM-SIV-256:
    Block Cipher Operations = p + 7
    GF(2^128) Multiplications = p + a + 1

  (if I got it right...)

  where p is the block length of the plaintext and a is the block length
  of the additional authenticated data.

  I doubt that encryption of short messages is anywhere near 5% of GCM.
  
- The "++" and "[:8]" operation should probably be defined.

- What is the security/performance tradeoff with truncation in the key
  derivation? What would the security properties be if "[:8]" was
  removed?



- The definition of U32LE seems unnecessary and only adds complexity.
  I suggest:
    OLD "U32LE(3) ++ nonce"
    NEW "03 ++ 000000 ++ nonce

- The term K1 is only used in Test Vectors. I guess it is an old term
  that should be removed.


Some editorials:

- OLD "The record-authentication key is 128-bit and the
       record-authentication key"
  NEW "The record-authentication key is 128-bit and the
       record-encryption key"

- "} else if bytelen(key-generating-key) == 32 {
     record-encryption-key = AES128(key = key-generating-key,"

  Should be AES256
  
- Spacing around "+" and "*" is not consistent.

- "the the"

- yeilds

- remainding

- RFC7322 says "A comma is used before the last item of a series"



Cheers,
John



On 2017-01-18, 18:30, "Cfrg on behalf of internet-drafts@ietf.org"
<cfrg-bounces@irtf.org on behalf of internet-drafts@ietf.org> wrote:

>
>A New Internet-Draft is available from the on-line Internet-Drafts
>directories.
>This draft is a work item of the Crypto Forum of the IETF.
>
>        Title           : AES-GCM-SIV: Nonce Misuse-Resistant
>                          Authenticated Encryption
>        Authors         : Shay Gueron
>                          Adam Langley
>                          Yehuda Lindell
>        Filename        : draft-irtf-cfrg-gcmsiv-03.txt
>        Pages           : 45
>        Date            : 2017-01-18
>
>Abstract:
>   This memo specifies two authenticated encryption algorithms that are
>   nonce misuse-resistant - that is that they do not fail
>   catastrophically if a nonce is repeated.
>
>
>The IETF datatracker status page for this draft is:
>https://datatracker.ietf.org/doc/draft-irtf-cfrg-gcmsiv/
>
>There's also a htmlized version available at:
>https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-03
>
>A diff from the previous version is available at:
>https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-gcmsiv-03
>
>
>Please note that it may take a couple of minutes from the time of
>submission
>until the htmlized version and diff are available at tools.ietf.org.
>
>Internet-Drafts are also available by anonymous FTP at:
>ftp://ftp.ietf.org/internet-drafts/
>
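The tag-first layout argued for in the message above, as an added example that is not part of this thread or of the draft: a toy SIV-shaped mode in which the keystream is seeded by the tag, so a decrypter that receives the tag first can decrypt each chunk as it arrives and check the tag at the end. HMAC-SHA256 stands in for the draft's AES and POLYVAL primitives, and the keys, nonce and messages are constructed for the demonstration.

```python
import hashlib
import hmac
from itertools import chain

BLOCK = TAG_LEN = 16  # toy block/tag size, standing in for AES's 16-byte blocks

def _tag_state(auth_key, nonce, aad):
    # HMAC-SHA256 stands in for POLYVAL+AES; plaintext is absorbed afterwards, chunk by chunk.
    m = hmac.new(auth_key, digestmod=hashlib.sha256)
    m.update(len(nonce).to_bytes(2, "little") + nonce)
    m.update(len(aad).to_bytes(8, "little") + aad)
    return m

def _xor_at(enc_key, tag, data, offset):
    # CTR-style keystream seeded by the tag (the SIV idea); offset keeps any chunk size aligned.
    out, ks = bytearray(), b""
    for i, b in enumerate(data):
        pos = offset + i
        if i == 0 or pos % BLOCK == 0:
            ctr = (pos // BLOCK).to_bytes(4, "little")
            ks = hmac.new(enc_key, tag + ctr, hashlib.sha256).digest()[:BLOCK]
        out.append(b ^ ks[pos % BLOCK])
    return bytes(out)

def encrypt_tag_first(auth_key, enc_key, nonce, aad, plaintext):
    # Output layout is tag || ciphertext, the ordering proposed in the message.
    m = _tag_state(auth_key, nonce, aad)
    m.update(plaintext)
    tag = m.digest()[:TAG_LEN]
    return tag + _xor_at(enc_key, tag, plaintext, 0)

def decrypt_streaming(auth_key, enc_key, nonce, aad, chunks):
    # Online: once TAG_LEN bytes are in, the keystream is known and every later
    # chunk is decrypted on arrival; plaintext is released only if the tag verifies.
    it, buf = iter(chunks), b""
    for c in it:
        buf += c
        if len(buf) >= TAG_LEN: break
    if len(buf) < TAG_LEN:
        return False, b""
    tag, rest = buf[:TAG_LEN], buf[TAG_LEN:]
    m, pt, offset = _tag_state(auth_key, nonce, aad), bytearray(), 0
    for c in chain([rest], it):
        p = _xor_at(enc_key, tag, c, offset)
        m.update(p)
        pt += p
        offset += len(p)
    ok = hmac.compare_digest(m.digest()[:TAG_LEN], tag)
    return ok, bytes(pt) if ok else b""
```

Chunks are decrypted before the final check, so the function buffers them and releases plaintext only when the tag verifies; a caller that forwards chunks as they arrive would be acting on unverified data.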