Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-02.txt

Adam Langley <agl@imperialviolet.org> Mon, 29 August 2016 15:40 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB95712D79D; Mon, 29 Aug 2016 08:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jaelpNpCGHSB; Mon, 29 Aug 2016 08:40:18 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 358C312D5F2; Mon, 29 Aug 2016 08:40:18 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id z190so141656829qkc.0; Mon, 29 Aug 2016 08:40:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=XNN5lmjs9Vv/iK2RzkZngA4mY/RO70JCK7E9KHUNnsY=; b=fIi73RqNyvMOVjynLBjY2x6yrqx5GuctF/MHNNBRssDt8JY8zayEkmwSzxRgGkLCVY I1WBjmyQeORlAByoIqDnVeP0p3Q7Xn+3OyX/2YSuxgobR1U42cYUxzsf5UDkdeBwJZer LfPKyqMRmGPCUafjCa5KNeiWOw5jZkEobdQTpEsT5a+CTBsz0fs1zN71CLBIRbStKQO3 DglUjW0CSRpIi4YKiij4Xs+4WW9MtoIyXYQifkzPQT4cqBuP/sJNwqDs15crBjjzZEyd cSlH5St+Sg6+dlUlvlRA8rWx9eI+xH4mpN8GIbpiVqb6gYITvk40a6xuputKdqbuW4C0 zCZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=XNN5lmjs9Vv/iK2RzkZngA4mY/RO70JCK7E9KHUNnsY=; b=mpuFZbgRigKmhSiL0NBWufi85JueDF/J4vfRaEaFY3sbkrT7nA2G44JaSAhaaC3BaG Nq2ZgRoq5TzUH2g0H3pXJxR8B0U0pDb8TAIisqFy3g/rEYiKvrqDXHVMq/Dcoget0D5H VyNUbSaYqCdL0okRpikoAz995fc+hdrDqbGBPe7NnoJXuwW74UMUYPjTSWnADjZq00TN L1PTc/Bsf/w186yXUSsS5+MWMONXpGlOVAvgUwsCAmrp1NJ5SxIzFvtxTltbsJHY4e98 ZKU0bQN4m/8nb2uKPcdjto5Q7Y1eGWxVoKMqLbZRSNrasy/9eRcg2FKFAAlE0vzTQvU4 RFZw==
X-Gm-Message-State: AE9vXwP30dy1glu3OiynCQyuqWfDrxDZiDiulJC3i09PCoKjpFGk78kCiURU7uIzQegE7nWy4QRfZrrivkXNFw==
X-Received: by 10.55.156.135 with SMTP id f129mr19213703qke.155.1472485217142; Mon, 29 Aug 2016 08:40:17 -0700 (PDT)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.200.36.199 with HTTP; Mon, 29 Aug 2016 08:40:16 -0700 (PDT)
In-Reply-To: <147248503934.19073.2852863561765850922.idtracker@ietfa.amsl.com>
References: <147248503934.19073.2852863561765850922.idtracker@ietfa.amsl.com>
From: Adam Langley <agl@imperialviolet.org>
Date: Mon, 29 Aug 2016 08:40:16 -0700
X-Google-Sender-Auth: V67-N9EMAbCU1mxMm_ifeDtzoBs
Message-ID: <CAMfhd9XmW2Bgo8bYw_xA61NO0x4qKx7+_Qv=vBsnQYK0GdcdaA@mail.gmail.com>
To: internet-drafts@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/izTUIUVWB70srUdSBSb1POpVrpA>
Cc: cfrg@ietf.org, i-d-announce@ietf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2016 15:40:21 -0000

On Mon, Aug 29, 2016 at 8:37 AM, <internet-drafts@ietf.org> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.

Dear all,

We have just published an updated version of the AES-GCM-SIV draft.
The major change in this update is the use of nonce-specific POLYVAL
keys. Previous versions of GCM-SIV did not do this and, instead, used
part of the AEAD's key as the POLYVAL key. Bleichenbacher pointed out
(https://mailarchive.ietf.org/arch/msg/cfrg/qgh-Yxmj7CC7cq2YZLpmfGA3x-o)
that this allowed some unexpected behavior if AES-GCM-SIV is used
under the assumption that the additional data is confidential. In such
a case, an attacker who controls the AEAD key can force the POLYVAL
key to be zero. If a user uses this AEAD to authenticate messages
based on a secret additional-data value, then this would be insecure,
as the attacker could calculate a valid authenticator without knowing
the input. This does not violate the standard properties of an AEAD,
as the additional data is not assumed to be confidential. However, it
demonstrates that AES-GCM-SIV is not a drop-in replacement to AES-GCM
in this scenario. We want the AES-GCM-SIV AEADs to be robust to
plausible misuse and also to be drop-in replacements for AES-GCM, and
therefore derive nonce-specific POLYVAL keys to avoid this issue.

The source code implementations of AES-GCM-SIV are updated in
https://github.com/Shay-Gueron/AES-GCM-SIV.


Shay, Yehuda and Adam