Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Sun, 26 June 2016 16:18 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Gueron, Shay" <shay.gueron@gmail.com>, Aaron Zauner <azet@azet.org>
Date: Sun, 26 Jun 2016 16:18:02 +0000
Message-ID: <D395BE92.6F21F%kenny.paterson@rhul.ac.uk>
References: <1D6C8C6D-8D82-43D4-A1B9-800C493E6BD0@azet.org> <em01122224-6812-4371-a628-21d5f8515794@sgueron-mobl3>
In-Reply-To: <em01122224-6812-4371-a628-21d5f8515794@sgueron-mobl3>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/f0G1Sw8Dl7MYJ-9xTye4bw5EccM>
Cc: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>, "cfrg@ietf.org" <cfrg@ietf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

Hi Shay

Thanks for presenting these options.

Could you summarise what the impact would be on your security proofs of
each of the three options, if any?

I'd also be interested to see an explicit accounting for the performance
impacts - this could be roughly characterised in terms of the number of
AES operations involved in key derivation per message in each case.

Cheers

Kenny 

On 26/06/2016 09:26, "Cfrg on behalf of Gueron, Shay"
<cfrg-bounces@irtf.org on behalf of shay.gueron@gmail.com> wrote:

>Of course - let me describe.
>For simplicity, I describe the case of a 128-bit MK.
>
>Option 1: K1 = E_MK (0), K2 = E_K1 (0)  (K1 will be used for encryption,
>and K2 for the authentication)
>Then continue AES-GCM-SIV as it is defined now (including a derivation
>of a record encryption key, per nonce N)
>
>Option 2: K1 = E_MK (N), K2 = E_K1 (N)
>Then AES-GCM-SIV as it is defined now, but without an additional
>derivation of a record encryption key; just set K1 as the record
>encryption key.
>
>Note: Option 1 is merely a static "pre-derivation" (where K1, K2 can be
>cached). Here, MK is used directly only twice.
>Option 2 uses MK (directly) with each nonce. Here, the hash key also
>depends on the nonce.
>
>There is another option.
>
>Option 3: K1 = E_MK (0), K2 = E_K1 (0)
>Then continue AES-GCM-SIV as it is defined now (including a derivation
>of a record encryption key, per nonce N) and also define a record hash
>key via E_K2 (N).
>
>
>These options offer different nuances, and would have a noticeable
>performance effect only for short messages. My favorite, among these 3,
>is Option 3 (that seems to enjoy all the benefits, at a small additional
>latency).
>
>
>Shay
>
>
>------ Original Message ------
>From: "Aaron Zauner" <azet@azet.org>
>To: "Gueron, Shay" <shay.gueron@gmail.com>
>Cc: "cfrg@ietf.org" <cfrg@ietf.org>; "Yehuda Lindell"
><Yehuda.Lindell@biu.ac.il>; "Adam Langley" <agl@google.com>
>Sent: 6/26/2016 11:07:36 AM
>Subject: Re: [Cfrg] AES-GCM-SIV with a new key hierarchy
>
>>Hi,
>>>  On 25 Jun 2016, at 01:10, Gueron, Shay <shay.gueron@gmail.com> wrote:
>>>
>>>  An alternative would be to incorporate the nonce from the beginning,
>>>during the derivation of K, H from MK. This will modify the record
>>>encryption key and also the hash key per each nonce. In that case the
>>>extra derivation of the record encryption key (per nonce) could be
>>>skipped (but also could be not done).
>>
>>Could you clarify on that paragraph? e.g. with pseudocode?
>>
>>Incorporating the nonce in the MK derivation step makes sense to me.
>>
>>But; I don't fully grasp the last part of this paragraph; if you skip
>>the extra derivation per record encryption key per nonce you lose
>>nonce-MR?! Given the nonce is incorporated in the MK derivation step,
>>this isn't an issue, but I'm not 100% sure what your suggestion here
>>is.
>>
>>Thanks,
>>Aaron
>
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>https://www.irtf.org/mailman/listinfo/cfrg
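The three key hierarchies Shay describes above, modelled as an added example (not code from the thread or from the AES-GCM-SIV draft) to produce the per-message accounting Kenny asks for: it counts block-function calls for the one-time setup and per message, and checks which of the two keys actually change with the nonce. Assumptions: the Python standard library has no AES, so a truncated HMAC-SHA256 stands in for E_K; the 96-bit nonce is zero-padded to one block; and the existing per-nonce record-key derivation in the 128-bit case costs one block-function call.

```python
import hashlib
import hmac

# Stand-in for the AES block function E_K(x) on one 16-byte block. The Python
# standard library has no AES, so truncated HMAC-SHA256 plays the keyed PRF here
# (an assumption for illustration; it is not AES). Only the derivation structure
# and the number of block-function calls per message matter for this accounting.
class CountingCipher:
    def __init__(self):
        self.calls = 0
    def E(self, key, block):
        assert len(key) == 16 and len(block) == 16
        self.calls += 1
        return hmac.new(key, block, hashlib.sha256).digest()[:16]

ZERO = bytes(16)

def pad_nonce(N):  # assumption: the 96-bit nonce is zero-padded to one block
    return N + bytes(16 - len(N))

def derive_static(c, MK):  # Options 1 and 3: K1 = E_MK(0), K2 = E_K1(0), cacheable
    K1 = c.E(MK, ZERO)
    return K1, c.E(K1, ZERO)

def option1_record(c, MK, static, N):  # per-nonce record key from K1; hash key static
    K1, K2 = static
    return c.E(K1, pad_nonce(N)), K2

def option2_record(c, MK, static, N):  # MK used directly per nonce; K1 is the record key
    K1 = c.E(MK, pad_nonce(N))
    return K1, c.E(K1, pad_nonce(N))

def option3_record(c, MK, static, N):  # record encryption key and record hash key per nonce
    K1, K2 = static
    return c.E(K1, pad_nonce(N)), c.E(K2, pad_nonce(N))

OPTIONS = {"option1": (derive_static, option1_record),
           "option2": (None, option2_record),
           "option3": (derive_static, option3_record)}

def account(MK, nonces):
    """Per option: (one-time setup calls, calls per message, enc key varies, hash key varies)."""
    out = {}
    for name, (setup, record) in OPTIONS.items():
        c = CountingCipher()
        static = setup(c, MK) if setup else None
        setup_calls = c.calls
        keys = [record(c, MK, static, N) for N in nonces]
        per_message = (c.calls - setup_calls) // len(nonces)
        enc_varies = len({k[0] for k in keys}) == len(nonces)
        hash_varies = len({k[1] for k in keys}) == len(nonces)
        out[name] = (setup_calls, per_message, enc_varies, hash_varies)
    return out
```

With a constructed master key and three distinct nonces, `account` reports Option 1 as 2 setup calls and 1 call per message with a fixed hash key, Option 2 as 0 setup calls and 2 per message with both keys nonce-dependent, and Option 3 as 2 setup calls and 2 per message with both keys nonce-dependent.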