Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Andy Lutomirski <luto@amacapital.net> Thu, 31 March 2016 08:22 UTC

In-Reply-To: <CALCETrW7ew_inZdFDxSgcDER-4wcgAoN_8Tr9-ZgBy+cwLb8HA@mail.gmail.com>
References: <1893951588-3704@skroderider.denisbider.com> <CALCETrW7ew_inZdFDxSgcDER-4wcgAoN_8Tr9-ZgBy+cwLb8HA@mail.gmail.com>
Date: Thu, 31 Mar 2016 01:22:44 -0700
Message-ID: <CALCETrXV2E8rUDwWNqc+t1kJM4mdXpDhUN8fqqpW5uCf05g-pw@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
To: denis bider <ietf-cfrg@denisbider.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/mL4dbnu08KvTHcmOzJ227dP1PFs>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, cfrg@irtf.org, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

On Mar 30, 2016 10:23 PM, "Andy Lutomirski" <luto@amacapital.net> wrote:
>
>
> On Mar 30, 2016 9:56 PM, "denis bider" <ietf-cfrg@denisbider.com> wrote:
> >
> > I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to derive the final encryption key.
> >
> > Regardless of the original input key size, the encryption key is derived in a way that, at some point, is reduced to 128 bits of entropy.
> >
> > I find this to be a good point, and indeed, a plausible concern.
> >
>
> If true, it may even be a fairly large concern.  If each message uses a separate 128-bit key, then this could plausibly be subject to the type of parallel attack djb loves talking about where each *message* is a target.  That would make collecting 2^64 or so potentially interesting ciphertexts considerably easier than with most modes.
>
> But it looks like the key is just a normal key.

I take this back.  I was reading the GCM-SIV paper, not the draft, and I'm
having trouble reconciling them.

If AES-128 is used, or if AES-256 is used with a 256-bit user-supplied key
(I think -- the draft is vague and should IMO be clarified), then the key
is just the key.

If AES-256 is used with a 128-bit key, then the key is munged with the
nonce to make a new key.  I don't like this at all:

1. What's the point?  Why not require an appropriate length of key to begin
with?

2. By deriving a nonce-dependent key, you add a key scheduling step that
might kill performance for short messages, I think.

3. Is it possible that this invalidates the security proof?  After all, it
sounds like you can have two instantiations that share an authentication
key but not a record key, and I don't think the proof was meant to cover
this case.

4. Since this claims nonce-MR, setting nonce=0 is valid.  If someone does
this, then I think they are vulnerable to the extra-easy parallel attack.

To what extent is this draft supposed to match the paper?

--Andy

>
> --Andy
>
> >
> >
> > ----- Original Message -----
> > From: Tony Arcieri
> > Sent: Wednesday, March 30, 2016 19:11
> > To: Dan Harkins
> > Cc: Yehuda Lindell ; cfrg@irtf.org ; Adam Langley
> > Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
> >
> > On Wed, Mar 30, 2016 at 12:22 PM, Dan Harkins <dharkins@lounge.org> wrote:
> > Would you agree that AEAD_AES_256_GCM_SIV provides no more
> > security than AEAD_AES_128_GCM_SIV? I say this because the
> > authentication key is 128-bits regardless
> >
> > I disagree with this. 128-bits of symmetric security is fine today. The threats where you might want 256-bit encryption are things like hypothetical future quantum computers which are able to use Grover's algorithm.
> >
> > Encryption needs to stand the test of time. Authentication has less burdensome demands. If it's possible to pull off an online chosen ciphertext attack after the advent of quantum computers which can use Grover's algorithm to break 128-bit crypto (10+ years in the future maybe?), the story might be different, but for long-term confidentiality of ciphertexts I think a larger key size for a symmetric cipher is more important.
> >
> > The same argument can be applied to digital signatures and quantum cryptography: they matter less than encryption, because we can resign data if a quantum attack seems imminent, but if a quantum attacker already has access to ciphertexts there's nothing we can do.
> >
> > --
> >
> > Tony Arcieri
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> >
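The "parallel attack ... where each *message* is a target" that the message above worries about is the multi-target (batch) key search: if an attacker holds many ciphertexts that each encrypt a predictable block under an independent k-bit key, one pass over the key space can be checked against all of them at once with a hash-table lookup, so the expected cost of breaking *some* message drops from about 2^(k-1) to about 2^k/T for T targets. The block below is an added illustration of that mechanic and is not code from the draft, from the GCM-SIV paper, or from any of the posters. A toy PRF built from SHA-256 stands in for AES so that the block runs offline with a search space small enough to finish in seconds; the 20-bit key size, the 64 captured messages, the seed and the predictable plaintext prefix are all assumptions chosen for the demo, not parameters of AES-GCM-SIV, and the block says nothing about how the draft actually derives its per-nonce keys.

```python
"""Batch (multi-target) key search against many independently keyed messages.

Added illustration for the CFRG thread above; not code from the draft, the
GCM-SIV paper, or any poster.  A SHA-256 based toy PRF stands in for AES so
the search space is small enough to exhaust quickly.  KEY_BITS, NUM_TARGETS,
the seed and KNOWN_PREFIX are assumptions for the demo only.
"""
import hashlib
import random
from typing import Dict, List, Optional, Tuple

KEY_BITS = 20          # toy key size (assumption; AES keys are 128 or 256 bits)
NUM_TARGETS = 64       # captured messages, each under its own key (assumption)
KNOWN_PREFIX = b"GET / HTTP/1.1\r\n"   # constructed: a block the attacker can predict


def toy_encrypt(key: int, block: bytes) -> bytes:
    """Toy PRF standing in for AES: a 64-bit 'ciphertext' of one block under a small key."""
    key_bytes = key.to_bytes(4, "big")
    return hashlib.sha256(key_bytes + block).digest()[:8]


def make_targets(num_targets: int, key_bits: int, seed: int = 1) -> Tuple[List[int], List[bytes]]:
    """Constructed sample: num_targets messages, each encrypted under an independent random key."""
    rng = random.Random(seed)
    keys = [rng.getrandbits(key_bits) for _ in range(num_targets)]
    ciphertexts = [toy_encrypt(k, KNOWN_PREFIX) for k in keys]
    return keys, ciphertexts


def single_target_expected_work(key_bits: int) -> int:
    """Expected trial encryptions to find one fixed key by exhaustive search."""
    return 2 ** (key_bits - 1)


def multi_target_expected_work(key_bits: int, num_targets: int) -> float:
    """Expected trial encryptions until the first of num_targets independent keys is hit."""
    return 2 ** key_bits / (num_targets + 1)


def batch_key_search(ciphertexts: List[bytes], key_bits: int) -> Tuple[int, int, int]:
    """One pass over the key space, checking every candidate against ALL targets at once.

    Returns (recovered_key, index_of_broken_target, trial_encryptions).  Each
    trial costs one PRF call plus an O(1) dict lookup, so the work to break
    *some* message is about 2^key_bits / num_targets rather than 2^key_bits.
    """
    lookup: Dict[bytes, int] = {ct: i for i, ct in enumerate(ciphertexts)}
    trials = 0
    for candidate in range(2 ** key_bits):
        trials += 1
        hit: Optional[int] = lookup.get(toy_encrypt(candidate, KNOWN_PREFIX))
        if hit is not None:
            return candidate, hit, trials
    raise RuntimeError("no key found; the toy key space is exhausted")


if __name__ == "__main__":
    keys, cts = make_targets(NUM_TARGETS, KEY_BITS)
    key, idx, trials = batch_key_search(cts, KEY_BITS)
    print(f"recovered key {key:#x} for message {idx} after {trials} trial encryptions")
    print(f"expected ~{multi_target_expected_work(KEY_BITS, NUM_TARGETS):.0f} trials for "
          f"{NUM_TARGETS} targets vs ~{single_target_expected_work(KEY_BITS)} for one fixed target")
```

Because the scan starts at key 0 and stops at the first candidate that matches any stored ciphertext, the recovered key is simply the smallest key among the targets, and the trial count is that key plus one. The same bookkeeping scales with the number of targets: with 2^64 captured messages under independent 128-bit keys the per-message cost estimate becomes 2^128 / 2^64 = 2^64, which is the arithmetic behind the concern quoted in the message. Whether any particular GCM-SIV key-derivation design actually yields independent per-message keys is the question the message raises; this block does not answer it.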