Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06

Stefano Tessaro <> Wed, 22 November 2017 15:08 UTC

From: Stefano Tessaro <>
Date: Wed, 22 Nov 2017 07:08:48 -0800
To: Yehuda Lindell <>
Cc: "" <>, Paterson Kenny <>

Dear all,

We have made a version of our work available at

We have extended the bounds to cover a large class of KDFs. In
particular, our bound covers the KDF in the current AES-GCM-SIV
proposal, as well as the simpler one we suggested in an earlier
e-mail, which is the one from the initial AES-GCM-SIV proposal.

Priyanka Bose
Viet Tung Hoang
Stefano Tessaro

On Mon, Oct 2, 2017 at 10:29 PM, Yehuda Lindell
<> wrote:
> Dear all,
> The paper by Bose, Hoang and Tessaro (BHT) shows that AES-GCM-SIV has excellent multi-user security bounds (according to the authors, this is the first scheme that has been shown to have the property that the multi-user security is essentially as good as the single user security). Thus, this is great support for AES-GCM-SIV as a standard.
> Conceptually, the reason why AES-GCM-SIV gets much better multi-user security than other modes is due to the continual key derivation that ensures that even if two users have the same key, the damage is minimal since they must also use the same IV in order to face a problem.
> The authors also show that the ORIGINAL key derivation mode proposed for AES-GCM-SIV is actually good enough (i.e., simple key derivation via CTR mode, and without truncation). They say that it is more efficient, and this is true theoretically. However, practically, when using AES-NI, the cost of 2 additional encryptions for the key derivation is almost zero due to the pipeline (2 more cycles), and negligible even for reasonably small messages. Especially, since these are shadowed by the key expansion that is required in any case.
> At the time, there were objections to the plain CTR derivation method, during the CFRG discussions (e.g., due to the fact that for 256-bit keys, this rules out the possibility of keys of the form K||K). Instead, an OCB style derivation was promoted. Subsequently, we ended up with the current truncated CTR method. We therefore propose to not change the key derivation method (again).
> Thanks,
> Shay, Adam and Yehuda

Stefano Tessaro
Assistant Professor of Computer Science
University of California, Santa Barbara
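Added example, not part of the thread above and not the draft's reference code: the two nonce-based key derivations that Lindell's quoted message contrasts, the truncated CTR derivation of the current draft (the method RFC 8452, Section 4 standardises: each block is AES(K, LE32(counter) || nonce) and only the first 8 bytes of each output are kept) beside the untruncated CTR variant he calls the original proposal, both written against Go's standard crypto/aes. The block layout of the earlier untruncated draft is not shown on this page, so this example assumes the RFC 8452 layout for both variants so that truncation is the only difference between them; the AES-128 test vector quoted in the comments is the first vector of RFC 8452, Appendix C.1, and the derived keys from different nonces illustrate the "same key, different IV" point in the quoted message.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const nonceSize = 12 // 96-bit nonce, as in the draft

// ctrBlocks returns the first n blocks of the counter stream
// AES(K, LE32(0)||nonce), AES(K, LE32(1)||nonce), ... : the 32-bit
// little-endian counter fills the first four bytes of the AES input and the
// nonce the remaining twelve (RFC 8452 layout; assumed for both variants).
func ctrBlocks(keyGeneratingKey, nonce []byte, n int) ([][16]byte, error) {
	if len(nonce) != nonceSize {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", nonceSize, len(nonce))
	}
	if l := len(keyGeneratingKey); l != 16 && l != 32 {
		return nil, fmt.Errorf("key-generating key must be 16 or 32 bytes, got %d", l)
	}
	block, err := aes.NewCipher(keyGeneratingKey)
	if err != nil {
		return nil, err
	}
	var in [16]byte
	copy(in[4:], nonce)
	out := make([][16]byte, n)
	for i := 0; i < n; i++ {
		binary.LittleEndian.PutUint32(in[:4], uint32(i))
		block.Encrypt(out[i][:], in[:])
	}
	return out, nil
}

// deriveKeysTruncatedCTR is the derivation in the current draft: only the
// first 8 bytes of every AES output are kept, so the 16-byte authentication
// key costs 2 AES calls and the encryption key costs 2 (AES-128) or 4
// (AES-256) more: 4 or 6 calls per nonce in total.
func deriveKeysTruncatedCTR(keyGeneratingKey, nonce []byte) (authKey, encKey []byte, err error) {
	n := 2 + len(keyGeneratingKey)/8 // 4 blocks for AES-128, 6 for AES-256
	blocks, err := ctrBlocks(keyGeneratingKey, nonce, n)
	if err != nil {
		return nil, nil, err
	}
	derived := make([]byte, 0, 8*n)
	for _, b := range blocks {
		derived = append(derived, b[:8]...) // truncation: keep 64 bits per block
	}
	return derived[:16], derived[16:], nil
}

// deriveKeysPlainCTR is the untruncated variant the thread calls the
// original proposal: whole AES outputs are kept, so only 2 (AES-128) or
// 3 (AES-256) calls are needed. Same block layout as above by assumption.
func deriveKeysPlainCTR(keyGeneratingKey, nonce []byte) (authKey, encKey []byte, err error) {
	n := 1 + len(keyGeneratingKey)/16 // 2 blocks for AES-128, 3 for AES-256
	blocks, err := ctrBlocks(keyGeneratingKey, nonce, n)
	if err != nil {
		return nil, nil, err
	}
	derived := make([]byte, 0, 16*n)
	for _, b := range blocks {
		derived = append(derived, b[:]...) // no truncation
	}
	return derived[:16], derived[16:], nil
}

func main() {
	// RFC 8452, Appendix C.1, first AES-128-GCM-SIV vector (key and nonce).
	key, _ := hex.DecodeString("01000000000000000000000000000000")
	nonce, _ := hex.DecodeString("030000000000000000000000")
	auth, enc, err := deriveKeysTruncatedCTR(key, nonce)
	if err != nil {
		panic(err)
	}
	// prints auth=d9b360279694941ac5dbc6987ada7377 enc=4004a0dcd862f2a57360219d2d44ef6c
	fmt.Printf("truncated CTR: auth=%x enc=%x\n", auth, enc)
	authP, encP, _ := deriveKeysPlainCTR(key, nonce)
	fmt.Printf("plain CTR:     auth=%x enc=%x\n", authP, encP)
}
```

The first 8 bytes of the truncated authentication key coincide with the first 8 bytes of the untruncated one, since both come from the counter-0 block; everything after that differs, which is the whole cost and effect of the truncation the quoted message is discussing.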