Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

Aaron Zauner <> Sun, 26 June 2016 08:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6ED8912B041 for <>; Sun, 26 Jun 2016 01:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id fV3it1mFOhMz for <>; Sun, 26 Jun 2016 01:08:02 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c03::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D33712B02C for <>; Sun, 26 Jun 2016 01:08:02 -0700 (PDT)
Received: by with SMTP id hl6so49617075pac.2 for <>; Sun, 26 Jun 2016 01:08:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=subject:mime-version:from:in-reply-to:date:cc:message-id:references :to; bh=IYjyaIJN6QXIWj/pDQVLcnY8C8NncqGfetosiwsvYWc=; b=ROmWjaUolVZzn3TmdG7Gc59hVmg7Fm79mNhD9+VkKBcBdF5FaK0Uhu2ZeEp3B9MTz4 AoavlSX0G1xOiBRA0E0U3nHvnJTMUfKXIIxqFDMasIPAYZIgRpyb0tGnq5GIGngfA2ma ythx/MUM2V5TZtMst5OAY6TYi5dLs6+OzSHDQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :message-id:references:to; bh=IYjyaIJN6QXIWj/pDQVLcnY8C8NncqGfetosiwsvYWc=; b=TtVIUa4Sfa7mxAcCWBa2fxQdzZAUadKEK/xHIq1cekRxpEXfH+HbCgofIE58EBoxZP ogM5siTzRl13OZCOleEUBofpQQo6FomU6LJyHrn35RfqqNkoMczcu6XdRtdNsiOqpBQe YU6L2C37gukZ1j9TUgpTPMyMAklCGV7sU5iXdhGHUagXr9dQmaAL2opDpHfcke6le0gI dqU/0EsCAaWL3+2sXIgaLwEgnrdejNhfWw2JofnsY+d3AXQzn4NUx5pVvPrZzA/aYxsx XUfLH79zFjkmwwGZZhlZD2FjTOAmNWtnpEvo1hUpekeHs/4bhN4deSHcclc6NhRUj2Fy TBnA==
X-Gm-Message-State: ALyK8tK0McgQY8bCdIUTXjo8LcVpXHI9KAYKm9Wr9/Q1OTOp18LtmFK70WtdIL+a1uf4Yg==
X-Received: by with SMTP id w13mr22719631pas.142.1466928481563; Sun, 26 Jun 2016 01:08:01 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id d65sm4168028pfa.45.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 26 Jun 2016 01:08:00 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
Content-Type: multipart/signed; boundary="Apple-Mail=_33F6D7DF-3582-4C97-A71C-D0F2451069F5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
X-Pgp-Agent: GPGMail 2.6b2
From: Aaron Zauner <>
In-Reply-To: <em85e6ab2a-6a3c-4b2e-986d-2e44c2965663@sgueron-mobl3>
Date: Sun, 26 Jun 2016 16:07:36 +0800
Message-Id: <>
References: <em85e6ab2a-6a3c-4b2e-986d-2e44c2965663@sgueron-mobl3>
To: "Gueron, Shay" <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Resent-To: <>
Cc: Yehuda Lindell <>, "" <>, Adam Langley <>
Subject: Re: [Cfrg] AES-GCM-SIV with a new key hierarchy
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 26 Jun 2016 08:08:03 -0000

> On 25 Jun 2016, at 01:10, Gueron, Shay <> wrote:
> An alternative would be to incorporate the nonce from the beginning, during the derivation of K, H from MK. This will modify the record encryption key and also the hash key per each nonce. In that case the extra derivation of the record encryption key (per nonce) could be skipped (but also could be not done).

Could you clarify on that paragraph? e.g. with pseudocode?

Incorporating the nonce in the MK derivation step makes sense to me.

But; I don't fully grasp the last part of this paragraph; if you skip the extra derivation per record encryption key per nonce you lose nonce-MR?! Given the nonce is incorporated in the MK derivation step, this isn't an issue, but I'm not 100% sure what your suggestion here is.