Re: [Cfrg] AES-GCM-SIV with a new key hierarchy

Aaron Zauner <azet@azet.org> Sun, 26 June 2016 10:37 UTC

From: Aaron Zauner <azet@azet.org>
In-Reply-To: <em01122224-6812-4371-a628-21d5f8515794@sgueron-mobl3>
Date: Sun, 26 Jun 2016 18:37:30 +0800
Message-Id: <6844F3DB-A00F-41F7-9F3D-D32BF07D2037@azet.org>
References: <em01122224-6812-4371-a628-21d5f8515794@sgueron-mobl3>
To: "Gueron, Shay" <shay.gueron@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/t0rg1YBs8-wsFtfzf-Pq3JUXxig>
Cc: Yehuda Lindell <Yehuda.Lindell@biu.ac.il>, "cfrg@ietf.org" <cfrg@ietf.org>, Adam Langley <agl@google.com>

Hi Shay,

Thank you for your explanation.

So if that'd be a CFRG poll I'd go with the following preference:

> On 26 Jun 2016, at 16:26, Gueron, Shay <shay.gueron@gmail.com> wrote:
> 
> Of course - let me describe.
> For simplicity, I describe the case of a 128-bit MK.
> 
> Option 1: K1 = E_MK (0), K2 = E_K1 (0)  (K1 will be used for encryption, and K2 for the authentication)
> Then continue AES-GCM-SIV as it is defined now (including a derivation of a record encryption key, per nonce N)

+

> 
> Option 2: K1 = E_MK (N), K2 = E_K1 (N)
> Then AES-GCM-SIV as it is defined now, but without an additional derivation of a record encryption key; just set K1 as the record encryption key.

+++

> 
> Note: Option 1 is merely a static "pre-derivation" (where K1, K2 can be cached). Here, MK is used directly only twice.
> Option 2 uses MK (directly) with each nonce. Here, the hash key also depends on the nonce.
> 
> There is another option.
> 
> Option 3: K1 = E_MK (0), K2 = E_K1 (0)
> Then continue AES-GCM-SIV as it is defined now (including a derivation of a record encryption key, per nonce N) and also define a record hash key via E_K2 (N).

++

Aaron
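The three derivation options quoted above, written out as an added example (not code from the thread or from the AES-GCM-SIV draft), for the 128-bit MK case. It assumes a 96-bit nonce zero-padded into a block for E_MK(N), which the thread does not specify, and it does not model the draft's own per-nonce record encryption key step that Options 1 and 3 keep.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Block is one 128-bit AES block; encBlock computes E_key(in), a single raw AES-128 block encryption.
type Block = [16]byte
func encBlock(key []byte, in Block) Block {
	c, err := aes.NewCipher(key) // 16-byte key selects AES-128, matching the 128-bit MK case
	if err != nil {
		panic(err)
	}
	var out Block
	c.Encrypt(out[:], in[:])
	return out
}

// nonceBlock zero-pads a 96-bit nonce N into a block (assumed layout; the thread does not fix one).
func nonceBlock(n []byte) Block { var b Block; copy(b[:], n); return b }

// Option 1: K1 = E_MK(0), K2 = E_K1(0). Nonce-independent, so K1/K2 can be cached;
// the draft's per-nonce record encryption key step that follows is not modelled here.
func option1(mk []byte) (k1, k2 Block) {
	k1 = encBlock(mk, Block{})
	k2 = encBlock(k1[:], Block{})
	return
}

// Option 2: K1 = E_MK(N), K2 = E_K1(N). MK is used for every nonce, both keys
// (hash key included) change with N, and K1 is the record encryption key itself.
func option2(mk, nonce []byte) (k1, k2 Block) {
	n := nonceBlock(nonce)
	k1 = encBlock(mk, n)
	k2 = encBlock(k1[:], n)
	return
}
// Option 3: K1, K2 as in Option 1, plus a per-record hash key E_K2(N).
func option3(mk, nonce []byte) (k1, k2, recordHashKey Block) {
	k1, k2 = option1(mk)
	recordHashKey = encBlock(k2[:], nonceBlock(nonce))
	return
}
func main() {
	mk := make([]byte, 16) // constructed all-zero MK; the nonce below is constructed too
	k1, k2 := option2(mk, []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12})
	fmt.Println(hex.EncodeToString(k1[:]), hex.EncodeToString(k2[:]))
}
```

With an all-zero MK, Option 1's K1 is the standard AES-128 known answer E_0(0) = 66e94bd4ef8a2c3b884cfa59ca342b2e, which makes the derivation easy to cross-check against another implementation.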