Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
Andy Lutomirski <luto@amacapital.net> Thu, 31 March 2016 08:22 UTC
In-Reply-To: <CALCETrW7ew_inZdFDxSgcDER-4wcgAoN_8Tr9-ZgBy+cwLb8HA@mail.gmail.com>
References: <1893951588-3704@skroderider.denisbider.com> <CALCETrW7ew_inZdFDxSgcDER-4wcgAoN_8Tr9-ZgBy+cwLb8HA@mail.gmail.com>
Date: Thu, 31 Mar 2016 01:22:44 -0700
Message-ID: <CALCETrXV2E8rUDwWNqc+t1kJM4mdXpDhUN8fqqpW5uCf05g-pw@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
To: denis bider <ietf-cfrg@denisbider.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/mL4dbnu08KvTHcmOzJ227dP1PFs>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, cfrg@irtf.org, Adam Langley <agl@google.com>
On Mar 30, 2016 10:23 PM, "Andy Lutomirski" <luto@amacapital.net> wrote:
>
> On Mar 30, 2016 9:56 PM, "denis bider" <ietf-cfrg@denisbider.com> wrote:
> >
> > I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to derive the final encryption key.
> >
> > Regardless of the original input key size, the encryption key is derived in a way that, at some point, is reduced to 128 bits of entropy.
> >
> > I find this to be a good point, and indeed, a plausible concern.
> >
> > If true, it may even be a fairly large concern.
>
> If each message uses a separate 128-bit key, then this could plausibly be subject to the type of parallel attack djb loves talking about where each *message* is a target. That would make collecting 2^64 or so potentially interesting ciphertexts considerably easier than with most modes.
>
> But it looks like the key is just a normal key.

I take this back. I was reading the GCM-SIV paper, not the draft, and I'm having trouble reconciling them.

If AES-128 is used, or if AES-256 is used with a 256-bit user-supplied key (I think -- the draft is vague and should IMO be clarified), then the key is just the key. If AES-256 is used with a 128-bit key, then the key is munged with the nonce to make a new key.

I don't like this at all:

1. What's the point? Why not require an appropriate length of key to begin with?

2. By deriving a nonce-dependent key, you add a key scheduling step that might kill performance for short messages, I think.

3. Is it possible that this invalidates the security proof? After all, it sounds like you can have two instantiations that share an authentication key but not a record key, and I don't think the proof was meant to cover this case.

4. Since this claims nonce-MR, setting nonce=0 is valid. If someone does this, then I think they are vulnerable to the extra-easy parallel attack.

To what extent is this draft supposed to match the paper?

--Andy

> --Andy
>
> > ----- Original Message -----
> > From: Tony Arcieri
> > Sent: Wednesday, March 30, 2016 19:11
> > To: Dan Harkins
> > Cc: Yehuda Lindell ; cfrg@irtf.org ; Adam Langley
> > Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
> >
> > On Wed, Mar 30, 2016 at 12:22 PM, Dan Harkins <dharkins@lounge.org> wrote:
> > Would you agree that AEAD_AES_256_GCM_SIV provides no more
> > security than AEAD_AES_128_GCM_SIV? I say this because the
> > authentication key is 128-bits regardless
> >
> > I disagree with this. 128 bits of symmetric security is fine today. The threats where you might want 256-bit encryption are things like hypothetical future quantum computers which are able to use Grover's algorithm.
> >
> > Encryption needs to stand the test of time. Authentication has less burdensome demands. If it's possible to pull off an online chosen ciphertext attack after the advent of quantum computers which can use Grover's algorithm to break 128-bit crypto (10+ years in the future maybe?), the story might be different, but for long-term confidentiality of ciphertexts I think a larger key size for a symmetric cipher is more important.
> >
> > The same argument can be applied to digital signatures and quantum cryptography: they matter less than encryption, because we can re-sign data if a quantum attack seems imminent, but if a quantum attacker already has access to ciphertexts there's nothing we can do.
> >
> > --
> >
> > Tony Arcieri
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
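Added example, not part of the message above and not the AES-GCM-SIV draft's key derivation: a stdlib-only Python toy of the "each *message* is a target" parallel key-recovery sweep the thread refers to. The stand-in cipher `toy_encrypt` (a keyed SHA-256, not AES), the 16-bit key size, the known plaintext block and the per-message keys are all constructed for the demo. It shows the arithmetic behind the concern: when every message sits under its own independent n-bit key and the attacker holds one known plaintext block per message, a single ascending sweep of the key space stops at the first hit on any captured ciphertext, so the expected cost is about 2^n / T trials for T targets instead of about 2^n for one.

```python
"""Added example: a toy of the "every message is a target" key-recovery
sweep. Stand-in cipher and all sample data are constructed for the
demo; none of this is the AES-GCM-SIV draft's key derivation."""
import hashlib
import random

KEY_BITS = 16                        # toy key size; the real concern is 128 bits
KNOWN_BLOCK = b"known-plaintext"     # constructed known plaintext block


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Hypothetical stand-in for a block cipher: a keyed hash, not AES.
    Deterministic, so one known plaintext/ciphertext pair pins the key."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()


def make_targets(count: int, seed: int = 1) -> dict[bytes, int]:
    """Constructed sample traffic: `count` messages, each under its own
    independent random key, with the ciphertext of KNOWN_BLOCK captured.
    Maps ciphertext -> secret key (the attacker only sees the ciphertexts)."""
    rng = random.Random(seed)
    targets: dict[bytes, int] = {}
    while len(targets) < count:
        k = rng.getrandbits(KEY_BITS)
        targets[toy_encrypt(k, KNOWN_BLOCK)] = k
    return targets


def multi_target_sweep(ciphertexts: set[bytes]) -> tuple[int, int]:
    """One ascending pass over the key space that stops at the first
    candidate whose encryption of KNOWN_BLOCK matches ANY captured
    ciphertext. Returns (recovered_key, trials)."""
    for trials, cand in enumerate(range(1 << KEY_BITS), start=1):
        if toy_encrypt(cand, KNOWN_BLOCK) in ciphertexts:
            return cand, trials
    raise RuntimeError("key space exhausted without a hit")


def demo(num_targets: int = 64) -> dict:
    """Compare the multi-target sweep with the cost of attacking one
    message at a time. In an ascending sweep a single target with key k
    costs k + 1 trials, so the per-message average is the fair baseline."""
    targets = make_targets(num_targets)
    key, trials_multi = multi_target_sweep(set(targets))
    avg_single = sum(k + 1 for k in targets.values()) / len(targets)
    return {
        "num_targets": num_targets,
        "recovered_key_is_valid": targets.get(toy_encrypt(key, KNOWN_BLOCK)) == key,
        "min_key": min(targets.values()),
        "trials_multi_target": trials_multi,
        "avg_trials_single_target": avg_single,
        "speedup": avg_single / trials_multi,
    }


if __name__ == "__main__":
    print(demo())
```

With 64 targets and 16-bit keys the sweep halts after roughly 2^16 / 64 trials, against an average of roughly 2^15 for a single message; the ratio, not the absolute numbers, is the point. Two caveats a practitioner should keep in mind: the sweep recovers the key of whichever message happens to have the smallest candidate, not a key of the attacker's choosing, and if the per-message key is derived one-way from a long-term key it yields that one message, not the long-term key. When every message is instead encrypted under the same key, all captured ciphertexts collapse into a single target and the batch speedup disappears.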