Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

"Dan Harkins" <dharkins@lounge.org> Wed, 30 March 2016 19:22 UTC

Message-ID: <ba797271296147fdf44e0cc0e13be520.squirrel@www.trepanning.net>
In-Reply-To: <CAHP81y8hTXJJh=Cng+ZqgrpQVrHTX9bzd6c5vTLPVxpS5=GRuw@mail.gmail.com>
References: <D31EFD69.68456%kenny.paterson@rhul.ac.uk> <6F0FF2D1-BE7B-4793-A872-9AE908BE2B80@gmail.com> <CAHP81y8hTXJJh=Cng+ZqgrpQVrHTX9bzd6c5vTLPVxpS5=GRuw@mail.gmail.com>
Date: Wed, 30 Mar 2016 12:22:14 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Shay Gueron <shay.gueron@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/m9FBhHXqxQZtnlhAJnG8a_LoXas>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

  Hi Shay,

  Would you agree that AEAD_AES_256_GCM_SIV provides no more
security than AEAD_AES_128_GCM_SIV? I say this because the
authentication key is 128 bits regardless (and authentication
is arguably more important than encryption) and when using a
256-bit encryption key the "record encryption key" can only
take on 2^128 values.

  Is there a benefit to the 256-bit variant over the 128-bit
one? I may be misunderstanding something.

  regards,

  Dan.

On Mon, March 28, 2016 8:41 am, Shay Gueron wrote:
> Hi Yoav,
>
> The number of nonces is not limited by 2^32.
>
> What is limited by this number is the maximum number of blocks per nonce in
> a single message. Exactly as CTR (and AES-GCM), and for the same reason:
> there are only 32 bits in a 128-bit block that are left to increment a
> counter.
>
> On the other hand, since a new key is derived each time from the IV (and
> the encryption key), GCM-SIV can be used, with a given key, practically an
> "unlimited" number of times.
>
> This detail is different from the CCS paper and the (later) proposed
> spec.
>
> Thanks, Shay
>
>
>
> 2016-03-28 18:22 GMT+03:00 Yoav Nir <ynir.ietf@gmail.com>:
>
>>
>> > On 28 Mar 2016, at 5:34 PM, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
>> >
>> > Dear CFRG,
>> >
>> > Shay, Adam and Yehuda have asked the CFRG chairs whether their draft for
>> > AES-GCM-SIV can be adopted as a CFRG document. We are minded to do so, but
>> > first wanted to canvass members of the group for their opinions on taking
>> > this step.
>>
>> +1: definitely take this step.
>>
>> That said, I think the current document is missing a convincing
>> motivation. The security considerations section talks about randomly
>> choosing nonces and limits the number of such nonces that can safely be
>> randomly generated to 2^32. This makes sense, but for most uses (TLS,
>> IPsec, SSH) we can use a non-random nonce (a counter; an LFSR if you want
>> to get fancy; DES-encrypting a counter if you want to get really fancy).
>> I’d be happier if there was an example where a counter is not practical.
>>
>> Yoav
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
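The limits discussed in the thread above (the 32-bit block counter that caps one message at 2^32 blocks, the 2^32 budget for randomly chosen nonces, the counter-style nonces Yoav mentions, and a per-nonce derived record key), as an added example in Python. This is not code from the draft, the CCS paper, or any poster in the thread. The names `derive_record_key`, `CounterNonce`, `check_message_length` and `prepare_record` are hypothetical, the 96-bit nonce layout (32-bit salt plus 64-bit sequence number) is an assumption, and the HMAC-SHA256 derivation is a stand-in PRF for illustration, not the draft's key-derivation function.

```python
"""Nonce-budget helpers for a CTR/GCM-style AEAD (added example, not draft code).

Models three points from the thread: the per-message cap imposed by a 32-bit
block counter inside a 128-bit counter block, the birthday bound on randomly
chosen 96-bit nonces, and a deterministic counter nonce that refuses to wrap.
The per-nonce record-key derivation uses HMAC-SHA256 as a stand-in PRF; that
is an assumption for illustration, not the draft's KDF.
"""
import hashlib
import hmac

BLOCK_BYTES = 16      # AES block size
COUNTER_BITS = 32     # bits of the 128-bit counter block left for the counter
NONCE_BITS = 96       # nonce length assumed in this example


def max_blocks_per_message(counter_bits: int = COUNTER_BITS) -> int:
    """Blocks one nonce can encrypt before the block counter would wrap."""
    return 2 ** counter_bits


def max_bytes_per_message(counter_bits: int = COUNTER_BITS) -> int:
    """Byte cap for a single message under the same counter width."""
    return max_blocks_per_message(counter_bits) * BLOCK_BYTES


def check_message_length(plaintext_len: int, counter_bits: int = COUNTER_BITS) -> int:
    """Return the number of blocks a message needs, or raise if it exceeds the cap."""
    blocks = -(-plaintext_len // BLOCK_BYTES)   # ceiling division
    if blocks > max_blocks_per_message(counter_bits):
        raise ValueError("message too long for a %d-bit block counter" % counter_bits)
    return blocks


def nonce_collision_probability(num_nonces: int, nonce_bits: int = NONCE_BITS) -> float:
    """Birthday-bound estimate: n(n-1)/2 pairs, each colliding with probability 2^-bits.

    For 2^32 random 96-bit nonces this is just under 2^-33.
    """
    return num_nonces * (num_nonces - 1) // 2 / 2 ** nonce_bits


def derive_record_key(master_key: bytes, nonce: bytes, key_bytes: int = 16) -> bytes:
    """Per-nonce record key, so the block-counter cap applies per message rather
    than to the long-lived key. Stand-in PRF (assumption), not the draft's derivation."""
    return hmac.new(master_key, nonce, hashlib.sha256).digest()[:key_bytes]


class CounterNonce:
    """Deterministic 96-bit nonce: 32-bit fixed salt || 64-bit sequence number,
    the counter-style scheme used by TLS/IPsec/SSH-like protocols (layout assumed).
    Refuses to wrap, so a nonce is never handed out twice under one master key."""

    def __init__(self, salt: bytes):
        if len(salt) != 4:
            raise ValueError("salt must be 4 bytes")
        self.salt = salt
        self.seq = 0

    def next_nonce(self) -> bytes:
        if self.seq >= 2 ** 64:
            raise RuntimeError("sequence space exhausted; rekey before continuing")
        nonce = self.salt + self.seq.to_bytes(8, "big")
        self.seq += 1
        return nonce


def prepare_record(master_key: bytes, nonces: CounterNonce, plaintext_len: int):
    """Check the length cap, take the next nonce, derive the record key for it."""
    blocks = check_message_length(plaintext_len)
    nonce = nonces.next_nonce()
    return nonce, derive_record_key(master_key, nonce), blocks


if __name__ == "__main__":
    nonces = CounterNonce(b"\x00\x01\x02\x03")   # constructed sample salt
    key = bytes(range(32))                        # constructed sample master key
    for length in (1, 4096):
        nonce, record_key, blocks = prepare_record(key, nonces, length)
        print(nonce.hex(), record_key.hex(), blocks)
    print("max bytes per message: 2^%d" % (max_bytes_per_message().bit_length() - 1))
    print("collision probability for 2^32 random 96-bit nonces:",
          nonce_collision_probability(2 ** 32))
```

The length check runs before a nonce is consumed, so an oversized message does not burn a sequence number; and because the record key is a function of the nonce, the counter cap is per message while the nonce counter, not a random-nonce budget, decides when to rekey.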