[Cfrg] Security analysis of draft-smyshlyaev-re-keying-00.txt

Watson Ladd <watsonbladd@gmail.com> Mon, 07 November 2016 17:58 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48B9912956F for <cfrg@ietfa.amsl.com>; Mon, 7 Nov 2016 09:58:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGDZT8e0zsxd for <cfrg@ietfa.amsl.com>; Mon, 7 Nov 2016 09:58:08 -0800 (PST)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33AD41293F4 for <cfrg@irtf.org>; Mon, 7 Nov 2016 09:58:08 -0800 (PST)
Received: by mail-vk0-x22e.google.com with SMTP id x186so127860618vkd.1 for <cfrg@irtf.org>; Mon, 07 Nov 2016 09:58:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to; bh=4/MqxVSVlpdSLEWj36wXMk7nR0Nec5FP0+pKsibVhV8=; b=mTvgxpquodxVmQhYdOoRbyJcUlpeAAbAxS4xcoShxeZ6qgiwYxvo4/AX1McpHM32/t KcQwll6CDLpR24ahNNt0JFpDtLSKNfzLR8swjr02zxqRSRtzNrbPQER+fKqOu3mgTrLb cFMiygpacHVYQAPIawmM9N3RFEB70NLn4DAp3xziav+lX1NeJjo4QjmixckUyE7mTjjI aVAPxl/azC+TECWOMUBY2wIFXYsoHQOA0WJZeV23AKkB6znNnh0hb/+GKjX9ss1heG8w qtmSML6Sc/SFg8K9KVyt3LVV8Hg0zeGti01mvAk65/ARdK4bBnv4keC7Jiqd5JeU6DY3 kXGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4/MqxVSVlpdSLEWj36wXMk7nR0Nec5FP0+pKsibVhV8=; b=HI9XDr9IUj7YZRb7lAYNMAAqE2OX9xfYw1BTF7XFXS40PDg1ju55RjLgc1h/m5/zkU 1RrzLda+atOZAFXM/8Eh/VnKkWzYnWQlsuusqMLQLHdXlc67/wBjohKBjmiFl3l+XpmK McfY5rmh84JNHtpSC/vnVifshW4zQCoWIRpRWj41fUgmbqBYAUZb5fXIgu8I8vRC77nG FZcwwTEr8AA+YOTgAaPTpnqSaTlsuFNk7a29Bh+H7UlDl35vx7wXu+UrHl6n5FVmp872 H2l9XFH/PxSbFq/wK1FR8wVHrWV6jmkorrVuyttN/7O7uJORBy3pwI7VU6jzo52VrlVC H0kg==
X-Gm-Message-State: ABUngvfTytQeylLwWwdIyRqAZLF3SoCFR73Je3bxnqtsBe994OC0XzPdWF0GhJaD34pPY2xMJbJzeE7JvptGHg==
X-Received: by 10.31.41.150 with SMTP id p144mr5039200vkp.68.1478541486049; Mon, 07 Nov 2016 09:58:06 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.68.135 with HTTP; Mon, 7 Nov 2016 09:58:05 -0800 (PST)
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 7 Nov 2016 09:58:05 -0800
Message-ID: <CACsn0cm__WvALjy0_T6yVdktc_eg9pqp11uF8=NTPOFpPe_P9Q@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/eEYAULsWdRfZThoSgeBbNoIruUM>
Subject: [Cfrg] Security analysis of draft-smyshlyaev-re-keying-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Nov 2016 17:58:09 -0000

Dear all,

draft-smyshlyaev-re-keying-00.txt fails to achieve its stated security
goals, for fairly trivial reasons.

Draft-smyshlyaev-re-keying-00 uses the same value of H for the entire
message. The authenticity bounds for GCM depend on the length of the
message, not the number of blocks encrypted with the same key.
Therefore this bounds are not improved by the rekeying mechanism
proposed. The probability of forgery is L/2^{-128} where L is the
length of the message, and therefore we do not have beyond-birthday
bound security with this proposed mechanism.

Sincerely,
Watson Ladd