Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Michael StJohns <msj@nthpermutation.com> Fri, 15 April 2016 16:28 UTC

To: cfrg@irtf.org
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <571116B0.4050204@nthpermutation.com>
Date: Fri, 15 Apr 2016 12:28:32 -0400
In-Reply-To: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/nYWIfiJ8Oqw1ypgSomm1Gadh5xw>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

On 4/15/2016 12:06 PM, Gueron, Shay wrote:
> This means that repeating a nonce will not leak any information except 
> if the same nonce and the same message is encrypted. In that case, an 
> adversary could only know that the two identical messages were 
> encrypted (this cannot be avoided in any deterministic scheme). 

Is there any other scheme currently in use in our protocols (TLS, IPSEC, 
etc) that has the property that identical messages under the same 
key/nonce (or key IV) are encrypted identically?

I've been reading this thread only intermittently and perhaps I missed 
the discussion, but the above property seems to be a "bad thing"(tm) in 
the general scheme of things.  Perhaps it can be mitigated by specific 
protocols with specific techniques but that seems to be contrary to the 
idea that this is an idiot-proof (in terms of implementation) 
improvement over AES-GCM itself.

Mike
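The two properties discussed above can be checked directly in code. The following is an added example, not part of the thread or of the AES-GCM-SIV draft: it seals the same and then two different messages under a deliberately repeated key/nonce pair, first with AES-GCM from the Go standard library, then with an illustrative SIV-style construction (HMAC-SHA256 as the PRF and the resulting tag as the AES-CTR IV; this is not AES-GCM-SIV, which is built from POLYVAL and AES-derived keys). The key, nonce, AAD and plaintexts are constructed demo values. Both schemes give byte-identical output for identical messages under the same key and nonce; the difference is that a nonce repeat under GCM also reuses the CTR keystream, so the XOR of two ciphertexts equals the XOR of the two plaintexts, while the SIV-style scheme reveals nothing beyond the equality of identical inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo values (not from the thread or the draft). The 32-byte key is used
// whole by AES-256-GCM and split into a 16-byte MAC key and a 16-byte encryption key
// by the SIV-style scheme. The nonce is reused on purpose to show the misuse case.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef")
	demoNonce = []byte("repeated-nnc") // 12 bytes
	demoAAD   = []byte("hdr")
)

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// gcmSeal: standard AES-GCM; output is ciphertext || 16-byte tag.
func gcmSeal(key, nonce, aad, plaintext []byte) []byte {
	aead, err := cipher.NewGCM(mustAES(key))
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, plaintext, aad)
}

// sivTag: PRF over (nonce, aad, plaintext), truncated to one AES block. Because the
// plaintext is an input, two different messages get two different IVs even when the
// nonce repeats. Illustrative only; AES-GCM-SIV uses POLYVAL, not HMAC.
func sivTag(macKey, nonce, aad, plaintext []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(nonce)
	mac.Write(aad)
	mac.Write(plaintext)
	return mac.Sum(nil)[:aes.BlockSize]
}

// sivSeal: illustrative SIV-style deterministic AEAD; output is ciphertext || tag,
// where the tag doubles as the AES-CTR IV.
func sivSeal(key, nonce, aad, plaintext []byte) []byte {
	tag := sivTag(key[:16], nonce, aad, plaintext)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(mustAES(key[16:]), tag).XORKeyStream(ct, plaintext)
	return append(ct, tag...)
}

// sivOpen: decrypt first (the IV is the tag), then recompute the tag over the
// recovered plaintext and compare in constant time before releasing it.
func sivOpen(key, nonce, aad, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	split := len(sealed) - aes.BlockSize
	ct, tag := sealed[:split], sealed[split:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(mustAES(key[16:]), tag).XORKeyStream(pt, ct)
	if !hmac.Equal(sivTag(key[:16], nonce, aad, pt), tag) {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

type sealFn func(key, nonce, aad, plaintext []byte) []byte

// IdenticalMessagesCollide: sealing the same message twice under the same key and
// nonce gives identical output. This holds for every deterministic AEAD.
func IdenticalMessagesCollide(seal sealFn, p []byte) bool {
	return bytes.Equal(seal(demoKey, demoNonce, demoAAD, p), seal(demoKey, demoNonce, demoAAD, p))
}

// NonceReuseLeaksXOR: for two different messages under the same key and nonce, does
// C1 XOR C2 equal P1 XOR P2 on the common prefix? True means the keystream was reused.
func NonceReuseLeaksXOR(seal sealFn, p1, p2 []byte) bool {
	c1 := seal(demoKey, demoNonce, demoAAD, p1)
	c2 := seal(demoKey, demoNonce, demoAAD, p2)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	return bytes.Equal(xorBytes(c1[:n], c2[:n]), xorBytes(p1[:n], p2[:n]))
}

func main() {
	p1 := []byte("reading: 00123 kWh")
	p2 := []byte("reading: 00987 kWh")
	fmt.Println("GCM, identical messages collide:      ", IdenticalMessagesCollide(gcmSeal, p1))
	fmt.Println("SIV-style, identical messages collide:", IdenticalMessagesCollide(sivSeal, p1))
	fmt.Println("GCM, nonce reuse leaks P1^P2:         ", NonceReuseLeaksXOR(gcmSeal, p1, p2))
	fmt.Println("SIV-style, nonce reuse leaks P1^P2:   ", NonceReuseLeaksXOR(sivSeal, p1, p2))
	pt, err := sivOpen(demoKey, demoNonce, demoAAD, sivSeal(demoKey, demoNonce, demoAAD, p1))
	fmt.Println("SIV-style round trip:", string(pt), err)
}
```

The SIV-style scheme here is the generic "synthetic IV" shape: the authentication tag is computed over everything, including the plaintext, and that tag drives the encryption, so a repeated nonce only ever produces a repeated ciphertext when the whole (nonce, AAD, plaintext) triple repeats. AES-GCM-SIV as drafted follows the same shape with different primitives and additional per-nonce key derivation; the point the example isolates is the property Shay describes, not the draft's exact construction.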