IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

"Gueron, Shay" <shay.gueron@gmail.com> Fri, 08 April 2016 04:00 UTC

Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD6C12D795 for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f7_j9jpCLIQM for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:00:14 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F044212D783 for <cfrg@irtf.org>; Thu, 7 Apr 2016 21:00:13 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id 191so5422028wmq.0 for <cfrg@irtf.org>; Thu, 07 Apr 2016 21:00:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:cc:date:message-id:in-reply-to:reply-to:user-agent :mime-version:content-transfer-encoding; bh=aTyZTUNkySjfAhfPzhIoFHXSLOafqJFxE5MQmfqabdk=; b=lkBluaEYo2fa87g68iJE9o1TRv9kiblgbbhNtZxDfmW4nTbxmk8G8M1aQ65qSuDHay RKusPWKyLgpJh2JeSmg1IwZgweDWTdqz+XSP+ymaWDsHYywRk08SUZHXU+NCMF8xtwjq h8edQDZNEp0H4vwb9pWqv50eB8TqBWvoMwZa3m5clLVtSRyq/FPOXKitkm9FnNgw9vsy LdW2ZM8oihbv9yfTccVh042nPsCbnVtpP4Ahc8DWz+z73NPRKV6EiyZnXVHZ0adnbfpB I2dLp5ptJ7ZQ0Rr2i1iT2yzCDyFYfbc1jNad5HER3D8axZm3wU10O686a3qrD6NNZmcm Sw7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:cc:date:message-id:in-reply-to :reply-to:user-agent:mime-version:content-transfer-encoding; bh=aTyZTUNkySjfAhfPzhIoFHXSLOafqJFxE5MQmfqabdk=; b=dAJH0tHbP0wohEBr8BRFpcQboLfndOm6KdSnZ25WaK4bc1qQWXKcdJefCA33fRlFT0 W95fBc8OmT8zdxa/NhBIr86Zp6U2iyaWSeTiezpdG79/G8gb+pzyKwafyQXaSqPgWC3P OZX9b3gMYBqYu4ESNKXjiXmU+WW+y9jhKBCTjqRbsQzIegO5Q5k6W2wFuMBCvBHG3tcC iTfoptj4mKEwe2JqaNqNkU+LfnJX+lzQVTI3SzSbAiB+//Z2ftcnWccye4nGOpNpVGj2 6uRhYv+ZaeaiIHnMbFM7H530mTmuTlaivp+YNrlEfGm+2P8Clj/DpmaGo0ecm3/dtlPr wu5g==
X-Gm-Message-State: AD7BkJJ5uu7VXyox3cDpF3HYBvAE0Ok7JIxVcV+2xsMI5FmDv7er4M1eRTRDN/02y5jrdA==
X-Received: by 10.28.222.84 with SMTP id v81mr1158361wmg.14.1460088012279; Thu, 07 Apr 2016 21:00:12 -0700 (PDT)
Received: from [192.168.127.191] (bzq-199-168-31-213.red.bezeqint.net. [31.168.199.213]) by smtp.gmail.com with ESMTPSA id 198sm948483wml.22.2016.04.07.21.00.10 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 07 Apr 2016 21:00:11 -0700 (PDT)
From: "Gueron, Shay" <shay.gueron@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Apr 2016 04:00:00 +0000
Message-Id: <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3>
In-Reply-To: <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com>
User-Agent: eM_Client/6.0.24316.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yrNzfgllmUR6m0oKUfjqjgI9-Lk>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "Gueron, Shay" <shay.gueron@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 04:00:16 -0000

  Regarding:

****
The only relevant text I can find in the draft is:

If the AES key is 16 bytes long then define the _record-encryption
key_ as the encryption of the nonce using the AES key. If AES-256 is
being used then this is insufficient as 256 bits of key material are
needed. Therefore the record-encryption key in this case is the
concatenation of the result of encrypting, using the AES key, the
nonce with the least-significant bit of the first byte set to zero
and then to one.

This very much sounds to be like (a) a 256-bit key is derived from a
128-bit key and (b) the draft doesn't actually specify what the record
key is in any other case. I interpreted the vague text to mean that
the record key is the AES key in all other cases.

Can you clarify the draft?

--Andy
****

Yes, of course. Here is the paragraph with explanatory notes in *** ... 
***

If the AES key is 16 bytes long then define the _record-encryption
key_ as the encryption of the nonce using the AES key. *** so far, the 
case of 128-bit key***

If AES-256 is being used *** now the case of 256-bit key***
then this is insufficient as 256 bits of key material are needed *** 
because one invocation produces only 128 bits, and we want to derive a 
256-bit key ***
Therefore the record-encryption key in this case is the *** here is the 
explanation: ***
concatenation of the result of encrypting, using the AES key *** recall 
that it is the 256-bit case***, the nonce with the least-significant bit 
of the first byte set to zero and then to one.
*** that is AES  New key (256 bits) =  AES256 (NONCE[127:1] || 0) || 
AES256 (NONCE[127:1] || 1)  (256 bits altogether).

Thus, "This very much sounds to be like (a) a 256-bit key is derived 
from a 128-bit key and (b) the draft doesn't actually specify what the 
record" is not the case.
Shay


------ Original Message ------
From: "Andy Lutomirski" <luto@amacapital.net>
To: "Gueron, Shay" <shay.gueron@gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>; "Adam Langley" 
<agl@imperialviolet.org>; "Yehuda Lindell" <yehuda.lindell@biu.ac.il>; 
"Adam Langley" <agl@google.com>
Sent: 4/8/2016 2:16:07 AM
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant 
Authenticated Encryption" as a CFRG document ---- Some clarifications

>On Tue, Apr 5, 2016 at 6:14 AM, Gueron, Shay <shay.gueron@gmail.com> 
>wrote:
>>  The (ACM CCS) paper described a GCM-SIV implementation with 128-bit 
>>keys.
>>  The CFRG submission is different in two respects:
>>  1. A 256-bit version that is added.
>>  2. There is key derivation added (based on the nonce) to refresh the
>>  encryption key for each record.
>>
>>  The purpose of #2 is to allow AES-GCM-SIV to use a single key 
>>multiple
>>  times. In the original paper version, an IV is derived from the 
>>universal
>>  hash function (and the nonce) over the message, and occupies 95 bits 
>>of the
>>  counter block during the encryption. Collisions are imminent after 
>>2^48
>>  uses, and to maintain safety margins, we would need to restrict the 
>>usage of
>>  one key to 2^32 messages. This could seem like a real constraint for 
>>a real
>>  AE scheme. With a differently derived key (derived from the nonce), 
>>the
>>  lifetime of one key can be extended.
>>
>>  The cost of extending the lifetime of the key is that of computing a 
>>key
>>  schedule, but this overhead is small on the target platforms that 
>>have AES
>>  hardware support.
>>
>>  To clarify a possible confusion about the 256-bit variant: no 256-bit 
>>key is
>>  ever derived from a 128-bit key. A 256-bit encryption key is derived 
>>from
>>  the 256-bit master key and a (128-bit) nonce but two encryptions. The
>>  authentication key has 128 bits, and so does the authentication tag.
>
>The only relevant text I can find in the draft is:
>
>    If the AES key is 16 bytes long then define the _record-encryption
>    key_ as the encryption of the nonce using the AES key.  If AES-256 
>is
>    being used then this is insufficient as 256 bits of key material are
>    needed.  Therefore the record-encryption key in this case is the
>    concatenation of the result of encrypting, using the AES key, the
>    nonce with the least-significant bit of the first byte set to zero
>    and then to one.
>
>This very much sounds to be like (a) a 256-bit key is derived from a
>128-bit key and (b) the draft doesn't actually specify what the record
>key is in any other case.  I interpreted the vague text to mean that
>the record key is the AES key in all other cases.
>
>Can you clarify the draft?
>
>--Andy

v2.23.0 | Report a Bug | By Email