IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Yoav Nir <ynir.ietf@gmail.com> Thu, 31 March 2016 06:29 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6020912D9AA for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXxrg92LTMjr for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:29:18 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E30D012D9A9 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:29:16 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id p65so210591403wmp.1 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:29:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4hsGBLn8YrxeNuTjxO77S0DMCxi4LPK0aetBjkVirWw=; b=LBqLF7QY3JAh8548C8FM3nOuyOF13WLY5hSNvlVFYyg8BgPfPIa1Q7i3rqtiWl59cj HZlcVhBc/pGUN+4ITvyqvOE5ZLplmAp5/YgCDNSUUM2SCjBEqF5jWbmZRFcpcT1jywxy maIkh04TTRGmwcZFAu7+T4EApM8eiZiqjcyrumsS/3mRmcCtn5MEl//IVU8x8eS5LuDs Kz5BEegBvySOeT2zKN+ePuHRshUpdYLqYj1lNkez2wTT8TGgTryPvDcPDcE5L/Btr8V0 Ak0+8uMzb3z8U5TiH724R+VYWGXaczs56YnB3nvTLPcR5uRHCng7q0o3TPk+6w0cgekk 11xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4hsGBLn8YrxeNuTjxO77S0DMCxi4LPK0aetBjkVirWw=; b=I0Iknxht1JuITmkGDmNE6ykZnQjl5Fu0FWsdLmKh5BQVYia5LcvTI9XVXlMm1NR1ak gYOdixW04H2qjcB2tpVOwEOqdiSdZObBMmdXkrzRo7tOBONIcLCwVF5p6IYDWj6M65wH YD/j/ZkAg0qmQAlKlHfMtopA9hHtm0WPZj6IyhsAWIfwwrvnAPl9FK0M6c2qtBXvCBN7 i6HylzuAg/Ox0+0/pId3q2Q58ntCBQcNHHRY2YINvkzOyII6uFkchOO9N7fJ0ZIhQm/Q IAEToD9SMK28fokExnvIz80PDgLlIDd0wQWDw+o0DyY4TzmfJKiVYsIFZ+EQjde546ON SmCA==
X-Gm-Message-State: AD7BkJKGUpc2T+U4Thwbg21R8jaMmZ3tcCKNKqbBODnElwpYU2BV+VBiq4rBlSVOgpBEQA==
X-Received: by 10.28.234.69 with SMTP id i66mr11927318wmh.96.1459405755458; Wed, 30 Mar 2016 23:29:15 -0700 (PDT)
Received: from yoavs-mbp-2.mshome.net ([176.13.4.23]) by smtp.gmail.com with ESMTPSA id hh8sm7292657wjc.42.2016.03.30.23.29.13 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 30 Mar 2016 23:29:14 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="iso-8859-1"
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3 (Normal)
In-Reply-To: <c9ad857d6d00c45036836553ffcd6dad.squirrel@www.trepanning.net>
Date: Thu, 31 Mar 2016 09:29:12 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF0CDA1D-FB46-4214-9859-1EC898C3E9C2@gmail.com>
References: <1893951588-3704@skroderider.denisbider.com> <CAHOTMVJOQRgTKQViYQu2qxzK4q9SrvdBZnGPmoeUyKO40aCdhg@mail.gmail.com> <541C676F-162B-49D5-9DD6-F9F0BA6DA513@gmail.com> <81b4ebaa8011b127a72168ef67afdec6.squirrel@www.trepanning.net> <20048027-CB56-4FBB-ADF4-75CAFD4CE015@gmail.com> <c9ad857d6d00c45036836553ffcd6dad.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/aw4jpm0bjR5q2Z7-Bd3fTQkY1Sg>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 06:29:20 -0000

> On 31 Mar 2016, at 9:23 AM, Dan Harkins <dharkins@lounge.org> wrote:
> 
> 
> 
> On Wed, March 30, 2016 11:01 pm, Yoav Nir wrote:
>> 
>>> On 31 Mar 2016, at 8:38 AM, Dan Harkins <dharkins@lounge.org> wrote:
>>> 
>>> On Wed, March 30, 2016 9:13 pm, Yoav Nir wrote:
>>>> Hi, Tony
>>>> 
>>>>> On 31 Mar 2016, at 6:40 AM, Tony Arcieri <bascule@gmail.com> wrote:
>>>>> 
>>>>> On Wed, Mar 30, 2016 at 6:56 PM, denis bider <ietf-cfrg@denisbider.com
>>>>> <mailto:ietf-cfrg@denisbider.com>> wrote:
>>>>> I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to
>>>>> derive the final encryption key.
>>>>> 
>>>>> No?
>>>>> 4.  Encryption
>>>>> 
>>>>>  AES-GCM-SIV encryption takes a 16-byte authentication key, a 16- or
>>>>>  32-byte AES key, a 128-bit nonce, and arbitrary-length plaintext and
>>>>>  additional data inputs.  It outputs an authenticated ciphertext that
>>>>>  will be 16 bytes longer than the plaintext.
>>>> 
>>>> I think the relevant section is the next paragraph where the record
>>>> encryption key is defined. That too is defined to be the same length as
>>>> the input key:
>>>> 
>>>>  If the AES key is 16 bytes long then define the _record-encryption
>>>>  key_ as the encryption of the nonce using the AES key.  If AES-256 is
>>>>  being used then this is insufficient as 256 bits of key material are
>>>>  needed.  Therefore the record-encryption key in this case is the
>>>>  concatenation of the result of encrypting, using the AES key, the
>>>>  nonce with the least-significant bit of the first byte set to zero
>>>>  and then to one.
>>> 
>>> It's not the length, it's the number of values possible in that
>>> length. Because this cipher mode is using AES-256-ECB as a 128-bit
>>> PRP it is generating two distinct 128-bit blobs and concatenating
>>> them. That means that there can only be 2^128 possible values of
>>> that 256-bit key.
>> 
>> Actually it’s 2^127, because the least significant bit of the first byte
>> is set first to zero and then to one, rather than for example setting it
>> to the original value first and flipping it for the second.
> 
>  The key is a concatenation of the output of two runs of AES-256-ECB.
> It doesn't matter that one bit was set or cleared.
> 
>> But it is 2^127 possibilities for a record encryption key that is used
>> either once or a very few times, and despite knowing that there are only
>> 2^127 possibilities, I don’t see how you could iterate on them without
>> either breaking AES-256 or iterating over the entire 2^256 space.
> 
>  As Watson pointed out, the number of values is 2^256 - 2^128.
> You don't need to iterate over the entire 2^256 space to know which
> values won't be possible keys, it's all 2^128 of them where the first
> 128 bits match the second 128 bits.

Right. That is over all uses of AES-GCM-SIV ever. But for a single 256-bit AES-GCM-SIV key, there are only 2^127 possible AES-CTR keys because the nonce determines the record key.

>> I guess it would be nice to explain why they chose not to use a 256-bit
>> nonce, but enlarging the nonce is not free.
> 
>  The nonce has to be the same size as the field that POLYVAL operates
> on, and that's 2^128 bits.

Right.

Yoav

v2.23.0 | Report a Bug | By Email