Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
"Gueron, Shay" <shay.gueron@gmail.com> Fri, 08 April 2016 04:00 UTC
Return-Path: <shay.gueron@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AD6C12D795 for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f7_j9jpCLIQM for <cfrg@ietfa.amsl.com>; Thu, 7 Apr 2016 21:00:14 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F044212D783 for <cfrg@irtf.org>; Thu, 7 Apr 2016 21:00:13 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id 191so5422028wmq.0 for <cfrg@irtf.org>; Thu, 07 Apr 2016 21:00:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:cc:date:message-id:in-reply-to:reply-to:user-agent :mime-version:content-transfer-encoding; bh=aTyZTUNkySjfAhfPzhIoFHXSLOafqJFxE5MQmfqabdk=; b=lkBluaEYo2fa87g68iJE9o1TRv9kiblgbbhNtZxDfmW4nTbxmk8G8M1aQ65qSuDHay RKusPWKyLgpJh2JeSmg1IwZgweDWTdqz+XSP+ymaWDsHYywRk08SUZHXU+NCMF8xtwjq h8edQDZNEp0H4vwb9pWqv50eB8TqBWvoMwZa3m5clLVtSRyq/FPOXKitkm9FnNgw9vsy LdW2ZM8oihbv9yfTccVh042nPsCbnVtpP4Ahc8DWz+z73NPRKV6EiyZnXVHZ0adnbfpB I2dLp5ptJ7ZQ0Rr2i1iT2yzCDyFYfbc1jNad5HER3D8axZm3wU10O686a3qrD6NNZmcm Sw7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:cc:date:message-id:in-reply-to :reply-to:user-agent:mime-version:content-transfer-encoding; bh=aTyZTUNkySjfAhfPzhIoFHXSLOafqJFxE5MQmfqabdk=; b=dAJH0tHbP0wohEBr8BRFpcQboLfndOm6KdSnZ25WaK4bc1qQWXKcdJefCA33fRlFT0 W95fBc8OmT8zdxa/NhBIr86Zp6U2iyaWSeTiezpdG79/G8gb+pzyKwafyQXaSqPgWC3P OZX9b3gMYBqYu4ESNKXjiXmU+WW+y9jhKBCTjqRbsQzIegO5Q5k6W2wFuMBCvBHG3tcC iTfoptj4mKEwe2JqaNqNkU+LfnJX+lzQVTI3SzSbAiB+//Z2ftcnWccye4nGOpNpVGj2 6uRhYv+ZaeaiIHnMbFM7H530mTmuTlaivp+YNrlEfGm+2P8Clj/DpmaGo0ecm3/dtlPr wu5g==
X-Gm-Message-State: AD7BkJJ5uu7VXyox3cDpF3HYBvAE0Ok7JIxVcV+2xsMI5FmDv7er4M1eRTRDN/02y5jrdA==
X-Received: by 10.28.222.84 with SMTP id v81mr1158361wmg.14.1460088012279; Thu, 07 Apr 2016 21:00:12 -0700 (PDT)
Received: from [192.168.127.191] (bzq-199-168-31-213.red.bezeqint.net. [31.168.199.213]) by smtp.gmail.com with ESMTPSA id 198sm948483wml.22.2016.04.07.21.00.10 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 07 Apr 2016 21:00:11 -0700 (PDT)
From: "Gueron, Shay" <shay.gueron@gmail.com>
To: Andy Lutomirski <luto@amacapital.net>
Date: Fri, 08 Apr 2016 04:00:00 +0000
Message-Id: <emdd1fc76d-d2ba-4b8e-847b-b13ac51ba92a@sgueron-mobl3>
In-Reply-To: <CALCETrX1CraU1+S92p8-Fzspm9QZJWA0vtEefDuchy8TN-g8+A@mail.gmail.com>
User-Agent: eM_Client/6.0.24316.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yrNzfgllmUR6m0oKUfjqjgI9-Lk>
Cc: Adam Langley <agl@imperialviolet.org>, Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: "Gueron, Shay" <shay.gueron@gmail.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2016 04:00:16 -0000
Regarding: **** The only relevant text I can find in the draft is: If the AES key is 16 bytes long then define the _record-encryption key_ as the encryption of the nonce using the AES key. If AES-256 is being used then this is insufficient as 256 bits of key material are needed. Therefore the record-encryption key in this case is the concatenation of the result of encrypting, using the AES key, the nonce with the least-significant bit of the first byte set to zero and then to one. This very much sounds to be like (a) a 256-bit key is derived from a 128-bit key and (b) the draft doesn't actually specify what the record key is in any other case. I interpreted the vague text to mean that the record key is the AES key in all other cases. Can you clarify the draft? --Andy **** Yes, of course. Here is the paragraph with explanatory notes in *** ... *** If the AES key is 16 bytes long then define the _record-encryption key_ as the encryption of the nonce using the AES key. *** so far, the case of 128-bit key*** If AES-256 is being used *** now the case of 256-bit key*** then this is insufficient as 256 bits of key material are needed *** because one invocation produces only 128 bits, and we want to derive a 256-bit key *** Therefore the record-encryption key in this case is the *** here is the explanation: *** concatenation of the result of encrypting, using the AES key *** recall that it is the 256-bit case***, the nonce with the least-significant bit of the first byte set to zero and then to one. *** that is AES New key (256 bits) = AES256 (NONCE[127:1] || 0) || AES256 (NONCE[127:1] || 1) (256 bits altogether). Thus, "This very much sounds to be like (a) a 256-bit key is derived from a 128-bit key and (b) the draft doesn't actually specify what the record" is not the case. Shay ------ Original Message ------ From: "Andy Lutomirski" <luto@amacapital.net> To: "Gueron, Shay" <shay.gueron@gmail.com> Cc: "cfrg@irtf.org" <cfrg@irtf.org>; "Adam Langley" <agl@imperialviolet.org>; "Yehuda Lindell" <yehuda.lindell@biu.ac.il>; "Adam Langley" <agl@google.com> Sent: 4/8/2016 2:16:07 AM Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications >On Tue, Apr 5, 2016 at 6:14 AM, Gueron, Shay <shay.gueron@gmail.com> >wrote: >> The (ACM CCS) paper described a GCM-SIV implementation with 128-bit >>keys. >> The CFRG submission is different in two respects: >> 1. A 256-bit version that is added. >> 2. There is key derivation added (based on the nonce) to refresh the >> encryption key for each record. >> >> The purpose of #2 is to allow AES-GCM-SIV to use a single key >>multiple >> times. In the original paper version, an IV is derived from the >>universal >> hash function (and the nonce) over the message, and occupies 95 bits >>of the >> counter block during the encryption. Collisions are imminent after >>2^48 >> uses, and to maintain safety margins, we would need to restrict the >>usage of >> one key to 2^32 messages. This could seem like a real constraint for >>a real >> AE scheme. With a differently derived key (derived from the nonce), >>the >> lifetime of one key can be extended. >> >> The cost of extending the lifetime of the key is that of computing a >>key >> schedule, but this overhead is small on the target platforms that >>have AES >> hardware support. >> >> To clarify a possible confusion about the 256-bit variant: no 256-bit >>key is >> ever derived from a 128-bit key. A 256-bit encryption key is derived >>from >> the 256-bit master key and a (128-bit) nonce but two encryptions. The >> authentication key has 128 bits, and so does the authentication tag. > >The only relevant text I can find in the draft is: > > If the AES key is 16 bytes long then define the _record-encryption > key_ as the encryption of the nonce using the AES key. If AES-256 >is > being used then this is insufficient as 256 bits of key material are > needed. Therefore the record-encryption key in this case is the > concatenation of the result of encrypting, using the AES key, the > nonce with the least-significant bit of the first byte set to zero > and then to one. > >This very much sounds to be like (a) a 256-bit key is derived from a >128-bit key and (b) the draft doesn't actually specify what the record >key is in any other case. I interpreted the vague text to mean that >the record key is the AES key in all other cases. > >Can you clarify the draft? > >--Andy
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Greg Hudson
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… David McGrew
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Salz, Rich
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Grigory Marshalko
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Ted Krovetz
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… denis bider
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Tony Arcieri
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Watson Ladd
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resist… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Aaron Zauner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Dan Harkins
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Michael StJohns
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Yoav Nir
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Grubbs
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paul Lambert
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Fedor Brunner
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Bryan Ford
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Paterson, Kenny
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Thomas Peyrin
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Shay Gueron
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Andy Lutomirski
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Adam Langley
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Mike Hamburg
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Taylor R Campbell
- Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Re… Gueron, Shay