Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt

"Dang, Quynh (Fed)" <> Mon, 09 May 2016 14:09 UTC

From: "Dang, Quynh (Fed)" <>
To: Adam Langley <>, "" <>
Date: Mon, 09 May 2016 14:09:18 +0000
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt

Hi Adam,

Deriving a record encryption key from a random nonce (hopefully a new nonce) aims to make it a fresh record encryption key for every encryption call under a given encryption key.

The freshness of record encryption keys solely depends on the uniqueness of the nonces.  This situation can be improved without any additional cost by deriving the record encryption key from the POLYVAL value S_s and the nonce.  Therefore, as long as the message is new, the record encryption key is expected to be fresh regardless of whether the nonce is fresh or not.

In Sections 8 and 9, the text talked about random nonces. It should be clearly explained that counter-nonces are as good as random nonces: only the uniqueness of the nonces under a given key is desired.


P.S.: My discussion on this topic is my personal curiosity about technical details and does not necessarily represent any views of my employer.
From: Cfrg <> on behalf of Adam Langley <>
Sent: Monday, May 9, 2016 8:33:05 AM
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt

On Mon, May 9, 2016 at 5:23 AM, <> wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.

Dear all,

In light of discussions here we've changed the way that AES-GCM-SIV
works with AES-256. It wasn't the case that two equal plaintexts with
consecutive nonces would produce equal ciphertext. However, it seems
to be insufficiently clear, and masking off a bit from the nonce
(i.e., 127-bit nonce) looks inelegant.

Thus, the record-encryption key is now generated using the "OFB mode"
suggestion made by Uri Blumenthal. (Thanks to him for that.)

In addition, we changed the initial counter value to avoid setting the
least-significant 32 bits to zero. Starting the block counter at zero
reduced the security margin in the analysis, and we realised that
there was no reason for it.
