Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
Yoav Nir <ynir.ietf@gmail.com> Thu, 31 March 2016 06:29 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6020912D9AA for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:29:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXxrg92LTMjr for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:29:18 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E30D012D9A9 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:29:16 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id p65so210591403wmp.1 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:29:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4hsGBLn8YrxeNuTjxO77S0DMCxi4LPK0aetBjkVirWw=; b=LBqLF7QY3JAh8548C8FM3nOuyOF13WLY5hSNvlVFYyg8BgPfPIa1Q7i3rqtiWl59cj HZlcVhBc/pGUN+4ITvyqvOE5ZLplmAp5/YgCDNSUUM2SCjBEqF5jWbmZRFcpcT1jywxy maIkh04TTRGmwcZFAu7+T4EApM8eiZiqjcyrumsS/3mRmcCtn5MEl//IVU8x8eS5LuDs Kz5BEegBvySOeT2zKN+ePuHRshUpdYLqYj1lNkez2wTT8TGgTryPvDcPDcE5L/Btr8V0 Ak0+8uMzb3z8U5TiH724R+VYWGXaczs56YnB3nvTLPcR5uRHCng7q0o3TPk+6w0cgekk 11xQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=4hsGBLn8YrxeNuTjxO77S0DMCxi4LPK0aetBjkVirWw=; b=I0Iknxht1JuITmkGDmNE6ykZnQjl5Fu0FWsdLmKh5BQVYia5LcvTI9XVXlMm1NR1ak gYOdixW04H2qjcB2tpVOwEOqdiSdZObBMmdXkrzRo7tOBONIcLCwVF5p6IYDWj6M65wH YD/j/ZkAg0qmQAlKlHfMtopA9hHtm0WPZj6IyhsAWIfwwrvnAPl9FK0M6c2qtBXvCBN7 i6HylzuAg/Ox0+0/pId3q2Q58ntCBQcNHHRY2YINvkzOyII6uFkchOO9N7fJ0ZIhQm/Q IAEToD9SMK28fokExnvIz80PDgLlIDd0wQWDw+o0DyY4TzmfJKiVYsIFZ+EQjde546ON SmCA==
X-Gm-Message-State: AD7BkJKGUpc2T+U4Thwbg21R8jaMmZ3tcCKNKqbBODnElwpYU2BV+VBiq4rBlSVOgpBEQA==
X-Received: by 10.28.234.69 with SMTP id i66mr11927318wmh.96.1459405755458; Wed, 30 Mar 2016 23:29:15 -0700 (PDT)
Received: from yoavs-mbp-2.mshome.net ([176.13.4.23]) by smtp.gmail.com with ESMTPSA id hh8sm7292657wjc.42.2016.03.30.23.29.13 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 30 Mar 2016 23:29:14 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="iso-8859-1"
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3 (Normal)
In-Reply-To: <c9ad857d6d00c45036836553ffcd6dad.squirrel@www.trepanning.net>
Date: Thu, 31 Mar 2016 09:29:12 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF0CDA1D-FB46-4214-9859-1EC898C3E9C2@gmail.com>
References: <1893951588-3704@skroderider.denisbider.com> <CAHOTMVJOQRgTKQViYQu2qxzK4q9SrvdBZnGPmoeUyKO40aCdhg@mail.gmail.com> <541C676F-162B-49D5-9DD6-F9F0BA6DA513@gmail.com> <81b4ebaa8011b127a72168ef67afdec6.squirrel@www.trepanning.net> <20048027-CB56-4FBB-ADF4-75CAFD4CE015@gmail.com> <c9ad857d6d00c45036836553ffcd6dad.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/aw4jpm0bjR5q2Z7-Bd3fTQkY1Sg>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 06:29:20 -0000
> On 31 Mar 2016, at 9:23 AM, Dan Harkins <dharkins@lounge.org> wrote: > > > > On Wed, March 30, 2016 11:01 pm, Yoav Nir wrote: >> >>> On 31 Mar 2016, at 8:38 AM, Dan Harkins <dharkins@lounge.org> wrote: >>> >>> On Wed, March 30, 2016 9:13 pm, Yoav Nir wrote: >>>> Hi, Tony >>>> >>>>> On 31 Mar 2016, at 6:40 AM, Tony Arcieri <bascule@gmail.com> wrote: >>>>> >>>>> On Wed, Mar 30, 2016 at 6:56 PM, denis bider <ietf-cfrg@denisbider.com >>>>> <mailto:ietf-cfrg@denisbider.com>> wrote: >>>>> I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to >>>>> derive the final encryption key. >>>>> >>>>> No? >>>>> 4. Encryption >>>>> >>>>> AES-GCM-SIV encryption takes a 16-byte authentication key, a 16- or >>>>> 32-byte AES key, a 128-bit nonce, and arbitrary-length plaintext and >>>>> additional data inputs. It outputs an authenticated ciphertext that >>>>> will be 16 bytes longer than the plaintext. >>>> >>>> I think the relevant section is the next paragraph where the record >>>> encryption key is defined. That too is defined to be the same length as >>>> the input key: >>>> >>>> If the AES key is 16 bytes long then define the _record-encryption >>>> key_ as the encryption of the nonce using the AES key. If AES-256 is >>>> being used then this is insufficient as 256 bits of key material are >>>> needed. Therefore the record-encryption key in this case is the >>>> concatenation of the result of encrypting, using the AES key, the >>>> nonce with the least-significant bit of the first byte set to zero >>>> and then to one. >>> >>> It's not the length, it's the number of values possible in that >>> length. Because this cipher mode is using AES-256-ECB as a 128-bit >>> PRP it is generating two distinct 128-bit blobs and concatenating >>> them. That means that there can only be 2^128 possible values of >>> that 256-bit key. >> >> Actually itâs 2^127, because the least significant bit of the first byte >> is set first to zero and then to one, rather than for example setting it >> to the original value first and flipping it for the second. > > The key is a concatenation of the output of two runs of AES-256-ECB. > It doesn't matter that one bit was set or cleared. > >> But it is 2^127 possibilities for a record encryption key that is used >> either once or a very few times, and despite knowing that there are only >> 2^127 possibilities, I donât see how you could iterate on them without >> either breaking AES-256 or iterating over the entire 2^256 space. > > As Watson pointed out, the number of values is 2^256 - 2^128. > You don't need to iterate over the entire 2^256 space to know which > values won't be possible keys, it's all 2^128 of them where the first > 128 bits match the second 128 bits. Right. That is over all uses of AES-GCM-SIV ever. But for a single 256-bit AES-GCM-SIV key, there are only 2^127 possible AES-CTR keys because the nonce determines the record key. >> I guess it would be nice to explain why they chose not to use a 256-bit >> nonce, but enlarging the nonce is not free. > > The nonce has to be the same size as the field that POLYVAL operates > on, and that's 2^128 bits. Right. Yoav
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Greg Hudson
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… David McGrew
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Salz, Rich
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Grigory Marshalko
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… denis bider
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Watson Ladd
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Grubbs
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Lambert
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Bryan Ford
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Mike Hamburg
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay