IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Shay Gueron <shay.gueron@gmail.com> Fri, 08 April 2016 08:25 UTC

Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D6712D569 for <cfrg@ietfa.amsl.com>; Fri, 8 Apr 2016 01:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7Wcg4SXVPIm for <cfrg@ietfa.amsl.com>; Fri, 8 Apr 2016 01:25:53 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B73912D555 for <cfrg@irtf.org>; Fri, 8 Apr 2016 01:25:53 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id y204so128724756oie.3 for <cfrg@irtf.org>; Fri, 08 Apr 2016 01:25:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=mvwwJJZCnFFfX4QKww1OgjZHaTSK8IqJyEAlj7hRSXw=; b=qGFt752NvE9i/NBQpKVmg2ZBMaWMgzh0FFqh5KsnK/WflmsO1YfnU17eUbe6TkL1Of RayYqVV6hPeU12Szp/oqobzoQ3m7lsIiSmIKRho82rV/EyIwF8jQpAqH6+WH7rl+FeGy VyapU2A6/zmHG1xW14DBTB+TrzvwvYbmkLkMs7mE65sovGDnYEXNZwBvUi5GfhOcSjq9 PiM+rlid5CZ7fERRfpR7JgB/d4vDpqRC3myTkQDUBsPbEN3Z4zO7XkW4iTnaGPRAIhC1 A78ilf6IeCPtS/JJrtlhCxDq68qXxuHrz5g5Z2SnME1ZcSuKHZf3f+HA0WUafCRaEUjC bKKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=mvwwJJZCnFFfX4QKww1OgjZHaTSK8IqJyEAlj7hRSXw=; b=PS4H/7VseN7YpaF+jbCgyMZm/55nnvZFs+XmIIW9I+WlNF72gScnX3OZ+DtqsIFxXo goJl8wYRu096SsQsQquAl4wA1FHqXGOa7Zgzl2nA6Nia6ULCLELEXB6Qd9GbVWrOCF4K Mu763e8mgkFl6o6CnUG9iNyn9iRzSnLxn50YisKGOqxyD4k/J/Ihs165bCH7Q3ei8QNX 11AuCA4r7xvYij9zwc49Ia0i6KstFthI/AQpMkB88PaSWpvDnDWVTrj8caYaVQisylJH XSNfVecHC9ndHaqC0iOdbuud1maWv/XvWMSZCYhsqpZfFualPJRoITGmuj+tStEubtBz oERg==
X-Gm-Message-State: AD7BkJLDE/LPhLpspDYRsX8sFh7L8fwWVcthA6MRuhHgb3le63shDGpRAzJLuNOCYrRbw+/wdOUtCvEDHj+faQ==
MIME-Version: 1.0
X-Received: by 10.157.2.69 with SMTP id 63mr3814225otb.170.1460103952678; Fri, 08 Apr 2016 01:25:52 -0700 (PDT)
Received: by 10.157.14.175 with HTTP; Fri, 8 Apr 2016 01:25:52 -0700 (PDT)
In-Reply-To: <CALCETrXqnjDhNS7igbEi4vjUGpWVDdAEzHE5x_JNnjrOZhY--A@mail.gmail.com>
References: <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com> <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3> <CALCETrXqnjDhNS7igbEi4vjUGpWVDdAEzHE5x_JNnjrOZhY--A@mail.gmail.com>
Date: Fri, 08 Apr 2016 11:25:52 +0300
Message-ID: <CAHP81y_RvS06btCsF5UBgW85OcVnPMgEjwLN1KdHeSY6GiRECA@mail.gmail.com>
From: Shay Gueron <shay.gueron@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: multipart/alternative; boundary="94eb2c114d246f4ba5052ff4f1ba"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/kq0abmmvGtGvxnFEi9o01Il8EcA>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 08:25:59 -0000

OK, let me explain:

There are (only) two options for the key: 128 bit or 256 bits.

For the "128-bit" case, the document states
"If the AES key is 16 bytes long then define the _record-encryption-key_ as
the encryption of the nonce using the AES key".
That is AES128 (NONCE)  (using the 128-bit key). This is the
straightforward case.

The "256-bit" case, is covered in my previous explanation, basically:

AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1)  (using the
256-bit key, and producing 256 bits altogether).

I hope this helps. We will definitely edit the text and post a version that
includes these explanations (soon).

Thank you, Shay



2016-04-08 7:11 GMT+03:00 Andy Lutomirski <luto@amacapital.net>:

> On Thu, Apr 7, 2016 at 9:00 PM, Gueron, Shay <shay.gueron@gmail.com>
> wrote:
> >  Regarding:
> >
> > ****
> > The only relevant text I can find in the draft is:
> >
> > If the AES key is 16 bytes long then define the _record-encryption
> > key_ as the encryption of the nonce using the AES key. If AES-256 is
> > being used then this is insufficient as 256 bits of key material are
> > needed. Therefore the record-encryption key in this case is the
> > concatenation of the result of encrypting, using the AES key, the
> > nonce with the least-significant bit of the first byte set to zero
> > and then to one.
> >
> > This very much sounds to be like (a) a 256-bit key is derived from a
> > 128-bit key and (b) the draft doesn't actually specify what the record
> > key is in any other case. I interpreted the vague text to mean that
> > the record key is the AES key in all other cases.
> >
> > Can you clarify the draft?
> >
> > --Andy
> > ****
> >
> > Yes, of course. Here is the paragraph with explanatory notes in *** ...
> ***
> >
> > If the AES key is 16 bytes long then define the _record-encryption
> > key_ as the encryption of the nonce using the AES key. *** so far, the
> case
> > of 128-bit key***
> >
> > If AES-256 is being used *** now the case of 256-bit key***
> > then this is insufficient as 256 bits of key material are needed ***
> because
> > one invocation produces only 128 bits, and we want to derive a 256-bit
> key
> > ***
> > Therefore the record-encryption key in this case is the *** here is the
> > explanation: ***
> > concatenation of the result of encrypting, using the AES key *** recall
> that
> > it is the 256-bit case***, the nonce with the least-significant bit of
> the
> > first byte set to zero and then to one.
> > *** that is AES  New key (256 bits) =  AES256 (NONCE[127:1] || 0) ||
> AES256
> > (NONCE[127:1] || 1)  (256 bits altogether).
> >
> > Thus, "This very much sounds to be like (a) a 256-bit key is derived
> from a
> > 128-bit key and (b) the draft doesn't actually specify what the record"
> is
> > not the case.
> > Shay
> >
>
> Hmm, I guess I didn't read it quite right.
>
> What happens if AES-128 is used and the "AES key" is 32 bytes long?
> Or is this not allowed?
>
> It might help to clarify exactly what variants of this scheme exist in
> terms of AES variant and key size.
>
> --Andy
>

v2.23.0 | Report a Bug | By Email