Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-02.txt

Adam Langley <> Mon, 29 August 2016 15:40 UTC

On Mon, Aug 29, 2016 at 8:37 AM, <> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.

Dear all,

We have just published an updated version of the AES-GCM-SIV draft.
The major change in this update is the use of nonce-specific POLYVAL
keys. Previous versions of GCM-SIV did not do this and, instead, used
part of the AEAD's key as the POLYVAL key. Bleichenbacher pointed out
that this allowed some unexpected behavior if AES-GCM-SIV is used
under the assumption that the additional data is confidential. In such
a case, an attacker who controls the AEAD key can force the POLYVAL
key to be zero. If a user uses this AEAD to authenticate messages
based on a secret additional-data value, then this would be insecure,
as the attacker could calculate a valid authenticator without knowing
the input. This does not violate the standard properties of an AEAD,
as the additional data is not assumed to be confidential. However, it
demonstrates that AES-GCM-SIV is not a drop-in replacement for AES-GCM
in this scenario. We want the AES-GCM-SIV AEADs to be robust to
plausible misuse and also to be drop-in replacements for AES-GCM, and
therefore derive nonce-specific POLYVAL keys to avoid this issue.

The source code implementations of AES-GCM-SIV are updated in

Shay, Yehuda and Adam
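The zero-key behaviour Bleichenbacher pointed out, shown on a minimal POLYVAL; this is an added illustration, not code from the draft or its authors. It assumes GCM-SIV's length-block layout (AD and plaintext bit lengths, little-endian), and `derive_h_stand_in` is a hash-based stand-in for the per-nonce derivation, not the draft's AES-based one.

```python
# Added example (not from the draft or its authors): a minimal POLYVAL used to
# show why a zero POLYVAL key makes the authenticator input independent of the
# (possibly secret) additional data, and why a per-nonce key removes that.
import hashlib
import struct

# GF(2^128) modulo x^128 + x^127 + x^126 + x^121 + 1 in POLYVAL's little-endian
# convention: bit i of the 128-bit integer is the coefficient of x^i.
POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
X_INV = 0xE1 << 120       # x^-1 = x^127 + x^126 + x^125 + x^120
X128 = (0xC2 << 120) | 1  # x^128 mod POLY; dot(a, X128) == a is a field check

def dot(a: int, b: int) -> int:
    """POLYVAL's dot(a, b) = a * b * x^-128 in the field above."""
    prod = 0
    for i in range(128):            # carry-less multiply
        if (b >> i) & 1:
            prod ^= a << i
    for i in range(254, 127, -1):   # reduce degrees 254..128 modulo POLY
        if (prod >> i) & 1:
            prod ^= POLY << (i - 128)
    for _ in range(128):            # multiply by x^-128, one halving at a time
        prod = (prod >> 1) ^ (X_INV if prod & 1 else 0)
    return prod

def polyval(h: int, data: bytes) -> int:
    """POLYVAL(H, X_1..X_n) = sum X_i * H^(n+1-i), computed in Horner form."""
    s = 0
    for i in range(0, len(data), 16):
        s = dot(s ^ int.from_bytes(data[i:i + 16], "little"), h)
    return s

def pad16(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 16)

def polyval_input_for_tag(h: int, ad: bytes, msg: bytes) -> int:
    """The POLYVAL stage of the SIV tag: AD, plaintext, then a length block
    (bit lengths, little-endian, assumed GCM-SIV layout). The AES step that
    follows is omitted; it adds nothing that depends on the AD beyond this."""
    lengths = struct.pack("<QQ", len(ad) * 8, len(msg) * 8)
    return polyval(h, pad16(ad) + pad16(msg) + lengths)

def ad_affects_tag(h: int, msg: bytes, ad1: bytes, ad2: bytes) -> bool:
    return polyval_input_for_tag(h, ad1, msg) != polyval_input_for_tag(h, ad2, msg)

def derive_h_stand_in(key: bytes, nonce: bytes) -> int:
    """Stand-in for a per-nonce derivation (NOT the draft's AES-based one):
    H becomes a PRF of (key, nonce), so no part of the key maps directly to H."""
    return int.from_bytes(hashlib.sha256(key + nonce).digest()[:16], "little")
```

With `h = 0` the POLYVAL output is zero for every input, so the tag no longer depends on the additional data; with a derived nonzero H, distinct AD values give distinct POLYVAL outputs.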