IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Michael StJohns <msj@nthpermutation.com> Sat, 16 April 2016 01:00 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49A2912D70B for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 18:00:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8JFJgEn9FlQ for <cfrg@ietfa.amsl.com>; Fri, 15 Apr 2016 18:00:29 -0700 (PDT)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6B1012D0F1 for <cfrg@irtf.org>; Fri, 15 Apr 2016 18:00:28 -0700 (PDT)
Received: by mail-pf0-x230.google.com with SMTP id n1so61757293pfn.2 for <cfrg@irtf.org>; Fri, 15 Apr 2016 18:00:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=XaMmTFBlV/2JI8O/EmWvkAlVWPksTZuIaWBC/9hif2E=; b=L+HZwjgdOrsaEACghIgHvGfVIJpckchz4F5rPkMYs/3XoSMsLsH6klTWFHBmc2NbdF +QRb39EvEjjlPziwUWEClEpT99BUNzXyVWODL55SHDifoCmpZUekdWx9raLSP6xQxifF hPA7/rrxDZZHd/7MqXbhdpfzf1xD2nmSWG+Y5Xo8/o92/+kiNSaS7oryhCsw/sCWYNbL C+xLcAyvl+RNx8K+sSezT3exRR32EeI86V4WRfrjQ1CKLs+TSuQduJv0bXKAriLpK8h0 VXABQAv7B8yI1Gif/MbCPIHPRAx6Y8yz/JQHlaRV0cKsemPJYIofWMpssf6aTe9EN4DF BUaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=XaMmTFBlV/2JI8O/EmWvkAlVWPksTZuIaWBC/9hif2E=; b=VpoLL7Ef7PCDYIi4X+2dfBHKOiwJyHuKp5t+F9WvS2u1f9NIiwrEFstn57oTw+pK62 u5mo7G7ms9sKlI+3ROLoLbX0mvM2ORIXx1GO7sHZrQe8ppSjdBOG5H7m86YPvVAP708e lcF6JFik9qKRM54CKQo5qkI26iJwyNC53qb8DD2cZ2MbmlSYa+H9ns9aER58+womobR4 FJPNBvv1SCZU0CDj2YBsqcbyiQqSrjkNrIVMZOH5svfQkkW4ZlMY3uHzy2Q0CV7yXfHo 4nLTFVwmBeuAvJ5ZrXaA6YAgd139G6G5TRLjQxaHDtAlbJ7HabUKw0HLFO8rNGZx1Q6m YTpw==
X-Gm-Message-State: AOPr4FV/JVyEjwOC3uiSAZENa2F8p+pmMoNEACKeXhsZBuxe1tR82Qu87+oryWWLYUxIAA==
X-Received: by 10.98.11.205 with SMTP id 74mr33272517pfl.98.1460768428360; Fri, 15 Apr 2016 18:00:28 -0700 (PDT)
Received: from [100.44.155.40] ([100.44.155.40]) by smtp.gmail.com with ESMTPSA id m87sm67277044pfj.38.2016.04.15.18.00.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 15 Apr 2016 18:00:27 -0700 (PDT)
To: Adam Langley <agl@imperialviolet.org>
References: <em464be0a9-7577-4391-a5db-130cf5c040f9@sgueron-mobl3> <571116B0.4050204@nthpermutation.com> <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <57118EB7.9080907@nthpermutation.com>
Date: Fri, 15 Apr 2016 21:00:39 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <CAMfhd9VDf0NiVcyDejC_GbMdHmdVeNmdUf1-2QBPFh6WSOCoeg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/s-Nj3uXDSM_6R47AhdkwV3_3Au0>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Apr 2016 01:00:30 -0000

On 4/15/2016 1:13 PM, Adam Langley wrote:
> On Fri, Apr 15, 2016 at 9:28 AM, Michael StJohns <msj@nthpermutation.com> wrote:
>> Is there any other scheme currently in use in our protocols (TLS, IPSEC,
>> etc) that has the property that identical messages under the same key/nonce
>> (or key IV) are encrypted identically?
> I think all encryption schemes have this property if I understand you.
>
> Given a fixed (key, nonce, message), all AEADs should be
> deterministic, i.e. will produce a fixed ciphertext. That includes
> AES-GCM, ChaCha20-Poly1305, AES-CCM etc
>
> For CBC modes, some people consider them to be functions of (key,
> message)→ciphertext, in which case the random IV makes them
> non-deterministic in that model. But if considered to be a function of
> (key, message, IV)→ciphertext then they, too, are deterministic too.

Hi Adam - thanks for the question.

That's not exactly what I mean/meant.  In TLS, the same message (record, 
etc) sent under the same key and IV/NONCE (as produced by the TLS 
PRF/KDF functions or produced randomly) will provide different 
ciphertext based on the fact that the record counter changes with each 
message.  That counter doesn't necessarily have to be part of the 
authenticated data in an AEAD cipher as the nonce formation is somewhat 
external to processing (with the exception of the block counter).

To get the equivalent behavior for AES-GCM-SIV, you need to ensure there 
is some sort of per-message unique mixin (unique within the association 
duration at least) that causes the tag to be different which causes the 
nonce to be different.

*sigh* Let me try it another way.  Take generic AES-GCM, a key and a 
random association nonce.  We form the message nonce from the 
concatenation of the association nonce and a message id or counter. We 
form the block nonce from the concatenation of the message nonce and the 
block counter.  We encrypt the block nonce to provide the data to be 
XOR'd.  The message and AD that we encrypt and protect need not include 
the message id - as long as we can derive it or count it, we don't have 
to send it and it will not be included under the cryptographic 
calculations.  This mostly doesn't matter, because if either end gets 
the counter wrong, the message fails to authenticate at the receiver.

That's not the case for AES-GCM-SIV.  If the message ID is not part of 
the data provided (either payload to be encrypted or associated AD) to 
the POLYVAL function, you will have identical tags for identical 
messages leading to identical ciphertext for identical plain text.

It turns out that this mostly doesn't matter to TLS or IPSEC as they 
both MAC the message sequence number so that's going to be covered by 
any AEAD Associated Data integrity processing and result in a different 
cipher text for the same message even with AES-GCM-SIV. But I remember 
arguments about removing the sequence number in other protocols to save 
space (e.g. its running over TLS - what do we need a sequence number in 
the record for? ) and I worry that this nuance might be missed in future 
protocols that use this cipher mode.


Mike





>
>
> Cheers
>
> AGL
>

v2.23.0 | Report a Bug | By Email