IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Andy Lutomirski <luto@amacapital.net> Fri, 08 April 2016 04:11 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8B3912D576 for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=amacapital-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymjrGX9sXq7Z for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:11:49 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F364C12D1D2 for <cfrg@irtf.org>; Thu, 7 Apr 2016 21:11:48 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id p188so123501867oih.2 for <cfrg@irtf.org>; Thu, 07 Apr 2016 21:11:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=USJTMCtEoT9kK6zQNY0kUnwCfTW0v5WgUmgsgS2Aof8=; b=znYmdWVILbq/3q+s5fnHb/t55J0lDGfx1DICAZkKj+CmcCg76m5LPWR68VpnfPGjcP EIgAX6UfDrbGcXlRkZVTb9V2mtoPl2wlVAFXkN6iM6b+vrahj97Rw6hKYlvoGgICc14P F/qtXdI3bgT2QnYvoR4+XfMB63cvo9SaciqptBY9We5WvB58FkzYUvUzjEB4ZpyodtMy V8NBvmsK+oZ5mh5qxFY5eCGTEH5OEF0J+PS7C1IZNo0xRx3kAMapAp6irKen1671IarJ sGbhnGoCVOewvsI15VdQlWMsuBMKIQnCcGp8YWa0BrQakDTCnghVZHGPaooWhnHLz0jU X2Jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=USJTMCtEoT9kK6zQNY0kUnwCfTW0v5WgUmgsgS2Aof8=; b=K7OdIBg2UlxKuUcFK2d65WxTZVAVaU5twN7pTtoXSyJ2r1IcVdC0hJi+0Rz47QNYrU um+QVEBjjNShiM7/XfH+exv0Qo1+mok/04cOUFOlU5DC+m3IkDCEUShL2HJKJhy7kOPA ukea0IxDDNDPHqKAZyja4kD5qCPMDkswT0V/ltZ1tZFYh8vPryMUgSPL5DADFQvabzCd hvSeTa1/SqAjeTJZ3BH2xO/cRfaXasM1HaP3Oam4RqiMJAzU9/h+Kxe4eaAas9MDvQf1 fNtE/18tVszUiTHBEUoNaBCPaq6xvWEraifT16PiIkPf1aHwffuvj4Ah0S5+fdTg7xNs 2R+g==
X-Gm-Message-State: AD7BkJLQsAQglZa35XL1DlWnY9b9Nj28ZNGHXKg1clBvkgxoqYBCATu749WQZwv4sXytDFMws0SkVUelA7b3Z8qy
X-Received: by 10.202.88.130 with SMTP id m124mr3177124oib.52.1460088708387; Thu, 07 Apr 2016 21:11:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.202.209 with HTTP; Thu, 7 Apr 2016 21:11:28 -0700 (PDT)
In-Reply-To: <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3>
References: <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com> <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 07 Apr 2016 21:11:28 -0700
Message-ID: <CALCETrXqnjDhNS7igbEi4vjUGpWVDdAEzHE5x_JNnjrOZhY--A@mail.gmail.com>
To: "Gueron, Shay" <shay.gueron@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/_y54Y0mP39wigY48EIugHah4jh8>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 04:11:51 -0000

On Thu, Apr 7, 2016 at 9:00 PM, Gueron, Shay <shay.gueron@gmail.com> wrote:
>  Regarding:
>
> ****
> The only relevant text I can find in the draft is:
>
> If the AES key is 16 bytes long then define the _record-encryption
> key_ as the encryption of the nonce using the AES key. If AES-256 is
> being used then this is insufficient as 256 bits of key material are
> needed. Therefore the record-encryption key in this case is the
> concatenation of the result of encrypting, using the AES key, the
> nonce with the least-significant bit of the first byte set to zero
> and then to one.
>
> This very much sounds to be like (a) a 256-bit key is derived from a
> 128-bit key and (b) the draft doesn't actually specify what the record
> key is in any other case. I interpreted the vague text to mean that
> the record key is the AES key in all other cases.
>
> Can you clarify the draft?
>
> --Andy
> ****
>
> Yes, of course. Here is the paragraph with explanatory notes in *** ... ***
>
> If the AES key is 16 bytes long then define the _record-encryption
> key_ as the encryption of the nonce using the AES key. *** so far, the case
> of 128-bit key***
>
> If AES-256 is being used *** now the case of 256-bit key***
> then this is insufficient as 256 bits of key material are needed *** because
> one invocation produces only 128 bits, and we want to derive a 256-bit key
> ***
> Therefore the record-encryption key in this case is the *** here is the
> explanation: ***
> concatenation of the result of encrypting, using the AES key *** recall that
> it is the 256-bit case***, the nonce with the least-significant bit of the
> first byte set to zero and then to one.
> *** that is AES  New key (256 bits) =  AES256 (NONCE[127:1] || 0) || AES256
> (NONCE[127:1] || 1)  (256 bits altogether).
>
> Thus, "This very much sounds to be like (a) a 256-bit key is derived from a
> 128-bit key and (b) the draft doesn't actually specify what the record" is
> not the case.
> Shay
>

Hmm, I guess I didn't read it quite right.

What happens if AES-128 is used and the "AES key" is 32 bytes long?
Or is this not allowed?

It might help to clarify exactly what variants of this scheme exist in
terms of AES variant and key size.

--Andy

v2.23.0 | Report a Bug | By Email