Re: [Cfrg] AES-GCM-SIV security of the additional data

Daniel Bleichenbacher <> Fri, 24 June 2016 13:17 UTC

From: Daniel Bleichenbacher <>
Date: Fri, 24 Jun 2016 15:17:25 +0200
Message-ID: <>
To: "Blumenthal, Uri - 0553 - MITLL" <>

On Fri, Jun 24, 2016 at 3:08 PM, Blumenthal, Uri - 0553 - MITLL <> wrote:

> What is the probability of a sender (accidentally?)‎ generating a key that
> results in H being 0?
Random key generation is not my concern. My concern is a sender choosing a
key on purpose in such a way that he does not have to authenticate additional
data. The typical assumption is that if an integrity check passes then the
sender is aware of the plaintext. Should this also be the case for the
additional data?

> Should a protocol check the H value and refuse to proceed (request
> re-generation) if H is 0?
>
> *From: *Daniel Bleichenbacher
> *Sent: *Friday, June 24, 2016 07:35
> *To: *
> *Subject: *[Cfrg] AES-GCM-SIV security of the additional data
>
> I'm wondering what can or should be expected about the security of the
> additional data.
>
> In particular, I'm considering the following scenario:
> Sender and receiver share a secret S.
> The sender knows the public key of the receiver and the receiver of course
> knows the private key.
> They use a hybrid encryption as follows:
> The sender chooses a new AES-GCM-SIV key, encrypts his message and
> includes S as additional data. The AES-GCM-SIV key is wrapped with the
> receiver's public key, and the wrapped key and ciphertext are sent to the
> receiver.
>
> Here an attacker can use that AES-GCM-SIV allows one to select a key such
> that the element H used for POLYVAL is 0. In this case it would not be
> necessary for the sender to know S to construct a ciphertext that
> validates.
>
> A similar attack using AES-GCM seems much harder, since there the value H
> is obtained by encrypting 0, and thus I'm not aware of a way to do the same
> thing here.
>
> The attack of course does not violate any of the guarantees claimed.
> However, in the industry lots of ad hoc protocols are designed without
> proper security reductions, and hence it seems a bit scary to me to allow
> this kind of "weak" key. And since abuse resistance is one of the goals, it
> might be a good idea to avoid such types of abuse.
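
The weak-key observation above, as an added worked example (not code from the thread or from the AES-GCM-SIV authors): POLYVAL is implemented as in RFC 8452 (GF(2^128) with P(x) = x^128 + x^127 + x^126 + x^121 + 1, little-endian bit order, dot(a, b) = a * b * x^-128 mod P), the tag keeps the SIV shape tag = E_K2(S XOR nonce block, top bit cleared), and, as the thread assumes for the draft under discussion, the sender supplies the POLYVAL key H directly. Because the standard library has no AES, E_K2 is a stand-in (truncated HMAC-SHA256); that is an assumption, and nothing shown depends on it, since equal S gives an equal tag whatever permutation follows. The sample key, nonce, secret and plaintext are constructed.

```python
"""Zero POLYVAL key => tag independent of the additional data (added example)."""
import hashlib
import hmac
import struct

POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1


def _gf_mul(a: int, b: int) -> int:
    """Carry-less product of two 128-bit polynomials, reduced mod P."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):
        if (r >> i) & 1:
            r ^= POLY << (i - 128)
    return r


# From P(x) = 0: 1 = x * (x^127 + x^126 + x^125 + x^120), so x^-1 is that sum.
_X_INV = (1 << 127) | (1 << 126) | (1 << 125) | (1 << 120)
_X_INV_128 = _X_INV
for _ in range(7):  # square seven times: (x^-1)^128 = x^-128
    _X_INV_128 = _gf_mul(_X_INV_128, _X_INV_128)

# x^128 mod P = x^127 + x^126 + x^121 + 1 is the identity element of dot().
DOT_IDENTITY = ((1 << 127) | (1 << 126) | (1 << 121) | 1).to_bytes(16, "little")


def dot(a: bytes, b: bytes) -> bytes:
    """POLYVAL field multiplication: a * b * x^-128 mod P, little-endian bits."""
    ai = int.from_bytes(a, "little")
    bi = int.from_bytes(b, "little")
    return _gf_mul(_gf_mul(ai, bi), _X_INV_128).to_bytes(16, "little")


def polyval(h: bytes, blocks: bytes) -> bytes:
    """S_j = dot(S_{j-1} XOR X_j, H); len(blocks) must be a multiple of 16."""
    s = bytes(16)
    for i in range(0, len(blocks), 16):
        s = dot(bytes(x ^ y for x, y in zip(s, blocks[i:i + 16])), h)
    return s


def _pad16(b: bytes) -> bytes:
    return b + bytes(-len(b) % 16)


def siv_tag(h: bytes, k2: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """SIV-style tag: POLYVAL over padded AAD, padded plaintext and a length block."""
    length_block = struct.pack("<QQ", len(aad) * 8, len(plaintext) * 8)
    s = polyval(h, _pad16(aad) + _pad16(plaintext) + length_block)
    block = bytearray(x ^ y for x, y in zip(s, nonce + bytes(16 - len(nonce))))
    block[15] &= 0x7F
    # Stand-in for AES_K2(block): truncated HMAC-SHA256 (assumption, no AES in stdlib).
    return hmac.new(k2, bytes(block), hashlib.sha256).digest()[:16]


# Constructed sample values for the demonstration.
K2 = bytes(range(16))
NONCE = b"\x10" * 12
SECRET_S = b"shared secret S"            # the AAD the receiver verifies against
PLAINTEXT = b"message chosen by the sender"


def aad_is_bound(h: bytes) -> bool:
    """True if changing the AAD changes the tag under POLYVAL key h."""
    t_real = siv_tag(h, K2, NONCE, SECRET_S, PLAINTEXT)
    t_other = siv_tag(h, K2, NONCE, b"attacker does not know S", PLAINTEXT)
    return t_real != t_other


def forge_without_secret() -> bool:
    """Sender picks H = 0 and tags with empty AAD; receiver checks with AAD = S."""
    h_zero = bytes(16)
    forged = siv_tag(h_zero, K2, NONCE, b"", PLAINTEXT)
    expected = siv_tag(h_zero, K2, NONCE, SECRET_S, PLAINTEXT)
    return hmac.compare_digest(forged, expected)  # True: the forgery is accepted


def accept_polyval_key(h: bytes) -> bool:
    """Receiver-side check proposed in the thread: refuse a zero H."""
    return len(h) == 16 and any(h)


if __name__ == "__main__":
    print("AAD bound with a nonzero H:", aad_is_bound(bytes(range(1, 17))))
    print("AAD bound with H = 0:     ", aad_is_bound(bytes(16)))
    print("Forgery accepted, H = 0:   ", forge_without_secret())
```

With H = 0 every POLYVAL output is the zero block, so S, and hence the tag, is the same for any AAD, and a sender who never saw S produces a ciphertext the receiver accepts; `accept_polyval_key` is the refusal step the reply asks about. Note that the AES-GCM-SIV that was eventually published as RFC 8452 no longer takes H from the key material directly but derives it with AES from the key and the nonce, so a malicious sender can no longer simply choose H = 0.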