Re: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC algorithm
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Wed, 20 March 2013 12:36 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3A6321F88E5 for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 05:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVdorEzhdKBV for <cfrg@ietfa.amsl.com>; Wed, 20 Mar 2013 05:36:20 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe004.messaging.microsoft.com [216.32.181.184]) by ietfa.amsl.com (Postfix) with ESMTP id 3501821F8788 for <cfrg@irtf.org>; Wed, 20 Mar 2013 05:36:20 -0700 (PDT)
Received: from mail211-ch1-R.bigfish.com (10.43.68.249) by CH1EHSOBE018.bigfish.com (10.43.70.68) with Microsoft SMTP Server id 14.1.225.23; Wed, 20 Mar 2013 12:36:19 +0000
Received: from mail211-ch1 (localhost [127.0.0.1]) by mail211-ch1-R.bigfish.com (Postfix) with ESMTP id 2E5BAE00C1; Wed, 20 Mar 2013 12:36:19 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:134.219.208.197; KIP:(null); UIP:(null); IPV:NLI; H:EXCH-HUB03.cc.rhul.local; RD:exch-hub03.rhul.ac.uk; EFVD:NLI
X-SpamScore: 24
X-BigFish: VPS24(zz98dI1432Idb82hzz1f42h1ee6h1de0h1d18h1202h1e76h1d1ah1d2ahzzz2dh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1aa3ir1155h)
Received: from mail211-ch1 (localhost.localdomain [127.0.0.1]) by mail211-ch1 (MessageSwitch) id 1363782977860165_22221; Wed, 20 Mar 2013 12:36:17 +0000 (UTC)
Received: from CH1EHSMHS036.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.230]) by mail211-ch1.bigfish.com (Postfix) with ESMTP id C64793A004B; Wed, 20 Mar 2013 12:36:17 +0000 (UTC)
Received: from EXCH-HUB03.cc.rhul.local (134.219.208.197) by CH1EHSMHS036.bigfish.com (10.43.69.245) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 20 Mar 2013 12:36:14 +0000
Received: from EXCH-MB01.cc.rhul.local ([169.254.3.31]) by EXCH-HUB03.cc.rhul.local ([2002:86db:d0c5::86db:d0c5]) with mapi id 14.02.0328.009; Wed, 20 Mar 2013 12:36:12 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Thread-Topic: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC algorithm
Thread-Index: Ac4lL9NyQFK/uhfsRx+HrnkfaTBDmQAN60qA
Date: Wed, 20 Mar 2013 12:36:10 +0000
Message-ID: <B132B06E59C4A540A03C3393F53BC07C40B94FE1@EXCH-MB01.cc.rhul.local>
References: <255B9BB34FB7D647A506DC292726F6E1150BBD8DFD@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150BBD8DFD@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [78.147.242.69]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <52A50704CC78664191D7FE71EC71FF7A@rhul.ac.uk>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC algorithm
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2013 12:36:21 -0000
Hi James, Good questions. My personal view in-line. I'll be interested in hearing David's viewpoint. On 20 Mar 2013, at 05:57, Manger, James H wrote: > If you pass additional data (AAD), but no plaintext, to the GCM AEAD algorithm you effectively get a MAC algorithm. It even has a name: GMAC. Indeed, and it's even standardised in various places :-) > > Presumably it is equally trivial to create a MAC algorithm from any AEAD algorithm. > > You can do this with the AEAD_AES_x_CBC_HMAC_SHA_y algorithms in draft-mcgrew-aead-aes-cbc-hmac-sha2-01. However, the output is a 16-byte IV, 16-byte ciphertext (encrypting a block of padding), and the truncated HMAC output. This is 32 bytes more than a straight HMAC of the AAD. > > Question 1: Is HMAC over AAD-plus-random-IV better cryptographically than HMAC over just the AAD? > No, there's no security advantage (that I know of) to having HMAC over "AAD plus random IV" compared to HMAC over just the AAD. > > When defining a secure message format a tempting simplification is to only define how to use an AEAD algorithm. Then if a particular message doesn't need confidentiality just put the content into the AAD field and leave the plaintext empty. This approach is less attractive if using an AEAD algorithm in "MAC mode" incurs an unnecessary 32-byte overhead over a dedicated MAC mode. > > Question 2: Should draft-mcgrew-aead-aes-cbc-hmac-sha2 add a special case for when the plaintext is empty? > If the answer to Q1 is "No", the special case might be "when the plaintext is empty: set the IV to all zeros; and the output is just the truncated hash (C = T), omitting the IV and ciphertext". Alternatively, the special case might just involve HMAC, with no AES operations. > If the answer to Q1 is "Yes", the special case might be "when the plaintext is empty: the output is C = IV || T, omitting the encrypted padding". I see the rationale of reducing overhead. Your proposal would also reduce the randomness requirements of the scheme for this "MAC only" mode. But even so I'd prefer not to go down this route because of the potential for confusion and mis-impementation. A single, clean design without too many options feels better in that respect. While I don't see any security issues immediately, I'd also be concerned about having a special case that might somehow interact badly with the general case. Do you see anything troubling there? Cheers, Kenny
- [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC algorit… Manger, James H
- Re: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC alg… Paterson, Kenny
- Re: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC alg… David McGrew (mcgrew)
- Re: [Cfrg] AEAD_AES_x_CBC_HMAC_SHA_y as a MAC alg… Manger, James H