Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt

Adam Langley <> Thu, 19 January 2017 17:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 73CE4129447 for <>; Thu, 19 Jan 2017 09:15:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5RD1SI75VVUV for <>; Thu, 19 Jan 2017 09:15:00 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6126412942F for <>; Thu, 19 Jan 2017 09:15:00 -0800 (PST)
Received: by with SMTP id v96so42738784ioi.0 for <>; Thu, 19 Jan 2017 09:15:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=KreUggLNyH6yWtECTyHTLka554sS77vuk2At/kRKMks=; b=WgnUysV8BX4ZpQoc8SVQRgJq0hiRnL6YitBOCSaRUAvMD7CdM/hiw2C1YthIwamHm2 XTUJ7w6J9ylK289LUMOO8a1yjdik2ge5gXPpYlib+f9rMfZpjkTlCpSlT04Mb2Y6+e2I ZDK2e/3j6X/f5QqAjfxATzDFbjqhGY2PNW+Golrha2q6FbwSEzDYAeMwZ3TExLznkK1c +QD9R518MxqtARw/0LpiyzFBaczIty5pl+hGriTJTApT0c1ACBQiYA647U2Arfe8OdfR 79HdH8IUHTH8bEvo5dYlNSRZqvx6JFyVhcrGCCTWJBFmrMA+9bujZ32pUIFMbwN4D5vi 3r5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=KreUggLNyH6yWtECTyHTLka554sS77vuk2At/kRKMks=; b=DlHzvodnAzMmrt8J8D000McVvVhIbCazxQM8eKNHSsPMj06Ge5t1a3f6vpsaGjZjsl Ph76YxuAiIAYXsUG6jrOIuLSdTAubL1cUhdgN0tQLY+TxQtlHE1+p39jzT24q9sR3Y5K vNZOQ7SOnORn7vuRWDM3vth1p+OfiLVfmC16DnJHOdiaSBxwFYhVdoJEgm5eYzaEdZ0I tOPm6u9MH3ksrP9/nBOsviG9tgCWmmhIv3T8InJhynSpBu35hGpD+ic3WPdOavP2nlJS +J5iCL8fFbGkpF9Pwkg+qmB+c9WFshgyorevuPvzgPKMqMOeLUjzXehexpa4Qjnl17mv PHyA==
X-Gm-Message-State: AIkVDXJuk37T+RmBWJfpJgVKJDVqSu/oZ5mN1oEN2zdYo6XdxZFFq6pWgxzTGUvF7rRGgtnH3X7hAaptk9Ec2g==
X-Received: by with SMTP id p77mr9569035iod.97.1484846099598; Thu, 19 Jan 2017 09:14:59 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Thu, 19 Jan 2017 09:14:58 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
From: Adam Langley <>
Date: Thu, 19 Jan 2017 09:14:58 -0800
X-Google-Sender-Auth: q544l9wRDgBoHlKz1dDhgLugbLw
Message-ID: <>
To: John Mattsson <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jan 2017 17:15:02 -0000

On Thu, Jan 19, 2017 at 2:19 AM, John Mattsson
<> wrote:
> - The use of one-time authentication keys has the benefit that it
> mitigates Fergusson’s authentication key recovery attack on GCM in the
> two-party case. In case of multicast the attack remains (but significantly
> restricted). This makes GCM-SIV a little bit more suitable for truncated
> tags than GCM. I think these advantages should be mentioned.

Thanks. I've added a TODO locally to think about this. I'm not sure
that we want to mention truncating authentication tags because that
seems contrary to the general thrust of robustness here. I'll see
whether I can say something about the advantages of the one-time
authentication keys in general however.

>>So I actually quite like that the tag is at the end of the message
>>with AES-GCM-SIV because it makes it harder to do what I think is the
>>"wrong" thing.
> I would agree with you if placing the tag last actually improved anything,
> but the fact is that GCM-SIV actually forces processing of unauthenticated
> ciphertext by design (a change from GCM). I cannot see any security
> benefits with (C, T) compared to (T, C). The only difference I can see is
> that (C, T) increases the latency for decryption on multicore.

I don't understand why AES-GCM-SIV forces the processing of
unauthenticated plaintext. I think we might have different

To me, processing authenticated plaintext means that the crypto API
releases plaintext for other processing before it has authenticated
it. It doesn't mean that the plaintext cannot sit in memory during
decryption while the AEAD checks the tag. (Indeed, many GCM
implementations interleave decryption and calculation of the GHASH

So putting the tag at the end prevents such APIs from being written,
which I think is a benefit.

A second benefit to putting tags at the end is that it's generally
easier to have extra space at the end of a buffer than the beginning.
This is not precise and might be a result of my C/C++/Go-based
environment, but I'm going to claim that a (buf, len, max) pattern is
easier for people to do with in an API than a (buf,
initial-padding-length, len).

In a case where space at the end of a buffer is easier to deal with,
putting the tag at the end is nicer because, otherwise,
encryption-in-place has to write ciphertext blocks 16 bytes in advance
of where it read them. In order to avoid clobbering the next plaintext
block, that has to copied first. I admit it's only a minor problem.

On the other hand, I'm not sure that I see the benefits of putting the
tag first in terms of latency on multicore machines. The AEAD model is
that the whole ciphertext is in memory when the operation is called so
it's as easy to read the tag from the end as from the beginning.

I can see an advantage in cases where the system could start
decrypting while the remainder of the record was still being read. Was
that what you had in mind? At least for multicore machines, I don't
think records should be so large that it makes a difference though.