Re: [Cfrg] AES-PMAC-SIV

Tony Arcieri <bascule@gmail.com> Thu, 09 November 2017 01:29 UTC

In-Reply-To: <3E54E0CC-AE74-4CDC-A499-17219D9E0987@biu.ac.il>
References: <3E54E0CC-AE74-4CDC-A499-17219D9E0987@biu.ac.il>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 08 Nov 2017 17:29:18 -0800
Message-ID: <CAHOTMV+=uXxr-VuwXqO6QcxnE=TZiGzLho_kNA4q=p5F8nfbEg@mail.gmail.com>
To: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lcw7ThsfmViCMx6DhZ9EyCbplps>
Subject: Re: [Cfrg] AES-PMAC-SIV

On Wed, Nov 8, 2017 at 1:02 PM, Yehuda Lindell <Yehuda.Lindell@biu.ac.il>
wrote:

> 1) I don’t know how it can be hard to find implementations of AES-GCM-SIV
> to benchmark against. In addition to reporting measurements in the papers,
> we have also explicitly referenced both the github AES-NI implementation at
> https://github.com/Shay-Gueron/AES-GCM-SIV, and the BoringSSL
> implementation. Note that BoringSSL can be compiled both with AES-NI +
> CLMUL and without AES-NI (and CLMUL). So, you can compare easily on
> modern x86 processors and also on ARM v7 (which does not have AES-NI and
> CLMUL).
>

Thank you. I'm not sure how I didn't find this. I assure you I looked!


> 2) The statement about bounds is blatantly false. Indeed, AES-SIV has a
> birthday limit on the number of blocks. After encrypting 2^64 blocks, the
> adversary has an advantage of 1/2. Thus, in order to limit the adversary’s
> advantage to 2^-32, you can encrypt at most 2^48 blocks. In contrast,
> AES-GCM-SIV comes with BEYOND BIRTHDAY BOUNDS. This is described explicitly
> in the AES-GCM-SIV papers. In fact, if the same nonce is always used, then
> AES-GCM-SIV has the same bounds as AES-SIV, but when nonces repeat a
> bounded amount, AES-GCM-SIV’s bounds are way beyond AES-SIV.
>

The specific bounds I am referring to are the ones referred to in section 9
(Security Considerations) of draft-irtf-cfrg-gcmsiv-06:

> If the nonce is fixed then AES-GCM-SIV acts like AES-GCM with a random
> nonce, with the caveat that identical plaintexts will produce identical
> ciphertexts. However, we feel that the 2^32 limit for AES-GCM is too risky
> in a multi-key setting. Thus with AES-GCM-SIV we recommend that, for a
> specific key, a nonce not be repeated more than 2^8 times.


I apologize if this is a mischaracterization. I actually asked a number of
people about this particular bound prior to posting, and at one point was
of the opinion I shouldn't even mention it. I would definitely appreciate
any clarifications you can provide to these bounds and how these relate to
the corresponding ones in AES-SIV.

-- 
Tony Arcieri
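The birthday-bound arithmetic in the quoted exchange, worked through as an added Python example (this is not code from the thread, from the AES-SIV or AES-GCM-SIV projects, or from the draft). It assumes the bound being discussed is the standard PRP/PRF switching bound, q(q-1)/2^(n+1) for q blocks of n = 128 bits processed under one key; the thread's figures are rounded against that formula (2^64 blocks gives just under 1/2, and 2^48 blocks gives roughly 2^-33, so a budget slightly above 2^48 blocks keeps the advantage below 2^-32). Exact rational arithmetic is used so that 2^128-scale values are not lost to floating-point rounding.

```python
from fractions import Fraction
from math import isqrt, log2

AES_BLOCK_BITS = 128   # AES block size in bits
AES_BLOCK_BYTES = 16   # one block, for converting a block budget to bytes


def birthday_advantage(blocks: int, n: int = AES_BLOCK_BITS) -> Fraction:
    """Distinguishing advantage after `blocks` n-bit blocks under one key.

    Assumed bound: the PRP/PRF switching lemma, q(q-1) / 2^(n+1).
    Returns an exact Fraction, so 2^128-scale values keep full precision.
    """
    if blocks < 0:
        raise ValueError("block count must be non-negative")
    return Fraction(blocks * (blocks - 1), 2 ** (n + 1))


def block_budget(target_log2_adv: int, n: int = AES_BLOCK_BITS) -> int:
    """Largest q such that q^2 <= 2^(n+1) * 2^target_log2_adv.

    target_log2_adv is the exponent of the acceptable advantage, e.g. -32
    for 2^-32. Because q(q-1) < q^2, every q at or below the result keeps
    birthday_advantage(q) strictly below 2^target_log2_adv.
    """
    exponent = n + 1 + target_log2_adv
    if exponent < 0:
        return 0  # even a handful of blocks would exceed such a target
    return isqrt(2 ** exponent)  # exact integer square root


def key_usage_report(target_log2_adv: int, n: int = AES_BLOCK_BITS) -> dict:
    """Per-key limits a deployment can turn into a key-rotation policy."""
    blocks = block_budget(target_log2_adv, n)
    return {
        "target_advantage": f"2^{target_log2_adv}",
        "max_blocks": blocks,
        "max_bytes": blocks * AES_BLOCK_BYTES,
        "advantage_at_budget": birthday_advantage(blocks, n),
    }


if __name__ == "__main__":
    # The two block counts cited in the thread, under the assumed bound.
    for q in (2**48, 2**64):
        adv = birthday_advantage(q)
        print(f"q = 2^{q.bit_length() - 1} blocks -> advantage about 2^{log2(float(adv)):.2f}")
    # How much data one key may process before exceeding a 2^-32 advantage.
    report = key_usage_report(-32)
    print(f"budget for 2^-32: {report['max_blocks']} blocks "
          f"({report['max_bytes']} bytes) per key")
```

The report function is the piece a practitioner actually uses: pick the advantage your threat model tolerates, and the returned byte count is the amount of data one key may process before rotation under the assumed bound. It says nothing about AES-GCM-SIV's beyond-birthday bounds or the draft's 2^8 nonce-repeat recommendation, which come from a different analysis not reproduced here.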