Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
Shay Gueron <shay.gueron@gmail.com> Fri, 08 April 2016 08:25 UTC
Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78D6712D569 for <cfrg@ietfa.amsl.com>; Fri, 8 Apr 2016 01:25:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7Wcg4SXVPIm for <cfrg@ietfa.amsl.com>; Fri, 8 Apr 2016 01:25:53 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B73912D555 for <cfrg@irtf.org>; Fri, 8 Apr 2016 01:25:53 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id y204so128724756oie.3 for <cfrg@irtf.org>; Fri, 08 Apr 2016 01:25:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=mvwwJJZCnFFfX4QKww1OgjZHaTSK8IqJyEAlj7hRSXw=; b=qGFt752NvE9i/NBQpKVmg2ZBMaWMgzh0FFqh5KsnK/WflmsO1YfnU17eUbe6TkL1Of RayYqVV6hPeU12Szp/oqobzoQ3m7lsIiSmIKRho82rV/EyIwF8jQpAqH6+WH7rl+FeGy VyapU2A6/zmHG1xW14DBTB+TrzvwvYbmkLkMs7mE65sovGDnYEXNZwBvUi5GfhOcSjq9 PiM+rlid5CZ7fERRfpR7JgB/d4vDpqRC3myTkQDUBsPbEN3Z4zO7XkW4iTnaGPRAIhC1 A78ilf6IeCPtS/JJrtlhCxDq68qXxuHrz5g5Z2SnME1ZcSuKHZf3f+HA0WUafCRaEUjC bKKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=mvwwJJZCnFFfX4QKww1OgjZHaTSK8IqJyEAlj7hRSXw=; b=PS4H/7VseN7YpaF+jbCgyMZm/55nnvZFs+XmIIW9I+WlNF72gScnX3OZ+DtqsIFxXo goJl8wYRu096SsQsQquAl4wA1FHqXGOa7Zgzl2nA6Nia6ULCLELEXB6Qd9GbVWrOCF4K Mu763e8mgkFl6o6CnUG9iNyn9iRzSnLxn50YisKGOqxyD4k/J/Ihs165bCH7Q3ei8QNX 11AuCA4r7xvYij9zwc49Ia0i6KstFthI/AQpMkB88PaSWpvDnDWVTrj8caYaVQisylJH XSNfVecHC9ndHaqC0iOdbuud1maWv/XvWMSZCYhsqpZfFualPJRoITGmuj+tStEubtBz oERg==
X-Gm-Message-State: AD7BkJLDE/LPhLpspDYRsX8sFh7L8fwWVcthA6MRuhHgb3le63shDGpRAzJLuNOCYrRbw+/wdOUtCvEDHj+faQ==
MIME-Version: 1.0
X-Received: by 10.157.2.69 with SMTP id 63mr3814225otb.170.1460103952678; Fri, 08 Apr 2016 01:25:52 -0700 (PDT)
Received: by 10.157.14.175 with HTTP; Fri, 8 Apr 2016 01:25:52 -0700 (PDT)
In-Reply-To: <CALCETrXqnjDhNS7igbEi4vjUGpWVDdAEzHE5x_JNnjrOZhY--A@mail.gmail.com>
References: <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com> <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3> <CALCETrXqnjDhNS7igbEi4vjUGpWVDdAEzHE5x_JNnjrOZhY--A@mail.gmail.com>
Date: Fri, 08 Apr 2016 11:25:52 +0300
Message-ID: <CAHP81y_RvS06btCsF5UBgW85OcVnPMgEjwLN1KdHeSY6GiRECA@mail.gmail.com>
From: Shay Gueron <shay.gueron@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Content-Type: multipart/alternative; boundary="94eb2c114d246f4ba5052ff4f1ba"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/kq0abmmvGtGvxnFEi9o01Il8EcA>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 08:25:59 -0000
OK, let me explain: There are (only) two options for the key: 128 bit or 256 bits. For the "128-bit" case, the document states "If the AES key is 16 bytes long then define the _record-encryption-key_ as the encryption of the nonce using the AES key". That is AES128 (NONCE) (using the 128-bit key). This is the straightforward case. The "256-bit" case, is covered in my previous explanation, basically: AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1) (using the 256-bit key, and producing 256 bits altogether). I hope this helps. We will definitely edit the text and post a version that includes these explanations (soon). Thank you, Shay 2016-04-08 7:11 GMT+03:00 Andy Lutomirski <luto@amacapital.net>: > On Thu, Apr 7, 2016 at 9:00 PM, Gueron, Shay <shay.gueron@gmail.com> > wrote: > > Regarding: > > > > **** > > The only relevant text I can find in the draft is: > > > > If the AES key is 16 bytes long then define the _record-encryption > > key_ as the encryption of the nonce using the AES key. If AES-256 is > > being used then this is insufficient as 256 bits of key material are > > needed. Therefore the record-encryption key in this case is the > > concatenation of the result of encrypting, using the AES key, the > > nonce with the least-significant bit of the first byte set to zero > > and then to one. > > > > This very much sounds to be like (a) a 256-bit key is derived from a > > 128-bit key and (b) the draft doesn't actually specify what the record > > key is in any other case. I interpreted the vague text to mean that > > the record key is the AES key in all other cases. > > > > Can you clarify the draft? > > > > --Andy > > **** > > > > Yes, of course. Here is the paragraph with explanatory notes in *** ... > *** > > > > If the AES key is 16 bytes long then define the _record-encryption > > key_ as the encryption of the nonce using the AES key. *** so far, the > case > > of 128-bit key*** > > > > If AES-256 is being used *** now the case of 256-bit key*** > > then this is insufficient as 256 bits of key material are needed *** > because > > one invocation produces only 128 bits, and we want to derive a 256-bit > key > > *** > > Therefore the record-encryption key in this case is the *** here is the > > explanation: *** > > concatenation of the result of encrypting, using the AES key *** recall > that > > it is the 256-bit case***, the nonce with the least-significant bit of > the > > first byte set to zero and then to one. > > *** that is AES New key (256 bits) = AES256 (NONCE[127:1] || 0) || > AES256 > > (NONCE[127:1] || 1) (256 bits altogether). > > > > Thus, "This very much sounds to be like (a) a 256-bit key is derived > from a > > 128-bit key and (b) the draft doesn't actually specify what the record" > is > > not the case. > > Shay > > > > Hmm, I guess I didn't read it quite right. > > What happens if AES-128 is used and the "AES key" is 32 bytes long? > Or is this not allowed? > > It might help to clarify exactly what variants of this scheme exist in > terms of AES variant and key size. > > --Andy >
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Greg Hudson
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… David McGrew
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Salz, Rich
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Grigory Marshalko
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… denis bider
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Watson Ladd
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Grubbs
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Lambert
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Bryan Ford
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Mike Hamburg
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay