Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Dan Harkins" <dharkins@lounge.org> Fri, 15 April 2016 20:46 UTC

On Fri, April 15, 2016 9:28 am, Michael StJohns wrote:
> On 4/15/2016 12:06 PM, Gueron, Shay wrote:
>> This means that repeating a nonce will not leak any information except
>> if the same nonce and the same message is encrypted. In that case, an
>> adversary could only know that the two identical messages were
>> encrypted (this cannot be avoided in any deterministic scheme).
>
> Is there any other scheme currently in use in our protocols (TLS, IPSEC,
> etc) that has the property that identical messages under the same
> key/nonce (or key IV) are encrypted identically?

  Way back at IETF70 I proposed some ciphersuites for TLS using
AES-SIV (RFC 5297). AES-SIV has the same nonce-misuse properties
as AES-GCM-SIV but it's a 2-pass cipher mode. The general response
I received can be summarized as "we don't need nonce misuse because
the nonce is not part of the API that Joe User, who may be ignorant
of nonce usage issues, calls and everyone writing a TLS implementation
knows what he or she is doing so it's not a problem."

  Of course, times change and so do opinions.

  regards,

  Dan.
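As an added illustration, not part of this thread and not AES-SIV or AES-GCM-SIV themselves, a stdlib-only Python toy that mirrors the two structures under discussion: a nonce-keyed stream cipher, where a repeated nonce repeats the keystream, beside an SIV-style deterministic AEAD in which the tag over (nonce, AD, plaintext) doubles as the encryption IV. HMAC-SHA256 stands in for the block-cipher PRF, and all keys, nonces and messages are constructed sample values.

```python
import hashlib, hmac

def _prf(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so (nonce, ad, pt) boundaries cannot be confused.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big") + p)
    return h.digest()

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream from the PRF; AES-CTR plays this role in the real modes.
    blocks = [_prf(key, iv, i.to_bytes(4, "big")) for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Nonce-keyed stream cipher (GCM-style keystream use): the keystream depends only
    # on (key, nonce), so a repeated nonce repeats the keystream.
    return _xor(pt, _keystream(key, nonce, len(pt)))

def siv_encrypt(k_mac: bytes, k_enc: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    # SIV structure: a PRF over (nonce, ad, pt) is both the tag and the encryption IV,
    # so the keystream changes with the message even when the nonce repeats.
    iv = _prf(k_mac, nonce, ad, pt)[:16]
    return iv + _xor(pt, _keystream(k_enc, iv, len(pt)))

def siv_decrypt(k_mac: bytes, k_enc: bytes, nonce: bytes, ad: bytes, ct: bytes):
    # Decrypt first, then recompute the synthetic IV and verify; None on any mismatch.
    iv, body = ct[:16], ct[16:]
    pt = _xor(body, _keystream(k_enc, iv, len(body)))
    if not hmac.compare_digest(iv, _prf(k_mac, nonce, ad, pt)[:16]):
        return None
    return pt

def ctr_reuse_exposes_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    # Under one nonce, XOR of the two ciphertexts equals XOR of the plaintexts:
    # knowing either message then reveals the other.
    c1, c2 = ctr_encrypt(key, nonce, m1), ctr_encrypt(key, nonce, m2)
    return _xor(c1, c2) == _xor(m1, m2)

def siv_reuse_reveals_equality(k_mac: bytes, k_enc: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    # Under one nonce, SIV ciphertexts coincide exactly when the plaintexts do,
    # which is the "identical messages" leak described in the thread.
    c1 = siv_encrypt(k_mac, k_enc, nonce, b"", m1)
    c2 = siv_encrypt(k_mac, k_enc, nonce, b"", m2)
    return (c1 == c2) == (m1 == m2)
```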