Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Aaron Zauner <azet@azet.org> Fri, 15 April 2016 16:53 UTC
Return-Path: <azet@azet.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7EA812D138 for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 09:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=azet.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1SBxKIMg7sOR for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 09:53:31 -0700 (PDT)
Received: from mail-pa0-x232.google.com (mail-pa0-x232.google.com [IPv6:2607:f8b0:400e:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C824112DEE8 for <cfrg@irtf.org>; Fri, 15 Apr 2016 09:45:48 -0700 (PDT)
Received: by mail-pa0-x232.google.com with SMTP id zm5so56907730pac.0 for <cfrg@irtf.org>; Fri, 15 Apr 2016 09:45:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=azet.org; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=YJTim+q6c7mzB03Mkv1n93W7icFGADxEH0/3v2yVmr0=; b=ReBp0d6HxYZbhwkNf/bwhIF1TQ0BgjSA+avtygQMJfRv2tSSvNg1YFMFnGmMAtNhEi LDNs61LwXWtsEKAUNyto1kbg1juk1YsLVA2LakPOTXvjCQ+FN3b39QZik+EcqmWXXlL+ vlFczpeGtano+qdJHNaCwfdj0vn0y396Pukc4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=YJTim+q6c7mzB03Mkv1n93W7icFGADxEH0/3v2yVmr0=; b=eTaWUth0pXwdCpaJW0tpA7PhdBdi4L5mUg9n2SqLTaDfdbr2S6JD6mDJ+1AgZmFy6j mAK/8C+Nzn//ZE9I1LfVDl09aczUhwhKgo2BEE//z5jGQchnU1FyOBUIBbJUfEdx2aK5 yaiyo1Zy1TwWRgpxvlbULOEpm4PRn40K9knFKoP9O2BFi9hf8LuUQqBfUYYYY8zkpfAF JE1S4TSE5DpiiYaraWgclP+23YSWHLDpNx/jvJ0vQRka2SaPeOyNeVCfgR62QcOX+Tgp 37nEVccLVnsyKRNdcgWZSu7GBBdoGrKPulkcyJpgb3/E8gmZIfHDExDTy8bw2MyQaYDr wiyw==
X-Gm-Message-State: AOPr4FVSXPUytLXGu2Wn/bHHvmscIopPHSMlgStKYAioezIY4k4y2qcR80U58gSBGy/QDQ==
X-Received: by 10.66.251.132 with SMTP id zk4mr30898447pac.50.1460738748364; Fri, 15 Apr 2016 09:45:48 -0700 (PDT)
Received: from [172.20.10.7] (ppp-49-237-179-54.revip6.asianet.co.th. [49.237.179.54]) by smtp.gmail.com with ESMTPSA id f12sm65847244pfd.87.2016.04.15.09.45.44 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 15 Apr 2016 09:45:46 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_6CB16246-ACAB-4EB2-B806-710981EBCC83"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <azet@azet.org>
In-Reply-To: <emf2010780-3b17-4624-9138-2e9af03f589a@sgueron-mobl3>
Date: Fri, 15 Apr 2016 23:46:21 +0700
Message-Id: <BEED6FDC-D6EA-46F8-B030-AC4BD3830161@azet.org>
References: <emf2010780-3b17-4624-9138-2e9af03f589a@sgueron-mobl3>
To: "Gueron, Shay" <shay.gueron@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/hlcVJvZC7jqMxwh-lmFb8fjnldY>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2016 16:53:33 -0000
Hi, > On 15 Apr 2016, at 23:13, Gueron, Shay <shay.gueron@gmail.com> wrote: > This means the following: repeating a nonce will not leak any information except if the same nonce and the same message is encrypted. In that case, an adversary could only know that the two identical message were encrypted (this cannot be avoided in any deterministic scheme). > > Of course, there are limits to the number of times messaged can be encrypted with the same key. The security margins of the CCS2015 paper (original scheme) were proven there. > > The CFRG submission extends the number of times that a single key (either 128 or 256 bits) can be used - and gets better bounds - at the cost of extra key expansion, as specified (we will publish the improved bounds). Thanks for the clarification on that part. > However, if a user chooses to use the scheme to send many (e.g., ~2^48) messages while always repeating the same nonce, then AES-GCM-SIV simply reduces to the GCM-SIV of the CCS2015 paper (and the synthetic IV's will, at high probability, collide). This is inevitable under such a "nonce abuse" scenario. Basically, this case would behave similarly to AES-GCM with a random 96-bit nonce, used ~2^48 with the same key. Ok, so I did understand this correctly in the first place. That's actually of some concern to me, we've seen some implementations (most Cavium based, AFAICT) in the wild that use random 96-bit nonces with AES-GCM [0], some actually repeat them [1]. Likewise it's probable that implementers may err with AES-GCM-SIV and repeat messages under the same nonce ~2^48 times in some scenarios. > What else can be expected? The explanation you provided above (w.r.t. repeating messages under a single nonce ~2^48 times) is quite sufficient, may I suggest it gets added to the security consideration section so implementers might not repeat the same mistake with this particular design? Thanks for your time & feedback, Aaron [0] https://www-01.ibm.com/support/docview.wss?uid=swg21979604 [1] https://kb.radware.com/Questions/SecurityAdvisory/Public/Security-Advisory-Explicit-Initialization-Vector-f
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL