Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Mon, 09 May 2016 14:09 UTC
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Adam Langley <agl@imperialviolet.org>, "internet-drafts@ietf.org" <internet-drafts@ietf.org>
Date: Mon, 09 May 2016 14:09:18 +0000
Message-ID: <BN1PR09MB124E96645FF8A3E2B55D179F3700@BN1PR09MB124.namprd09.prod.outlook.com>
References: <20160509122358.4946.5494.idtracker@ietfa.amsl.com>, <CAMfhd9XFnC1YdUgEUvmq4o0=z-HPLxPDjxGZ+dNOA0_g7bMs3w@mail.gmail.com>
In-Reply-To: <CAMfhd9XFnC1YdUgEUvmq4o0=z-HPLxPDjxGZ+dNOA0_g7bMs3w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/yuFEbXhrTQiJtXyx_vSWUZt0zbo>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt
Hi Adam,

Deriving a record encryption key from a random nonce (hopefully a new nonce) aims to make it a fresh record encryption key for every encryption call under a given encryption key. The freshness of record encryption keys solely depends on the uniqueness of the nonces. This situation can be improved without any additional cost by deriving the record encryption key from the POLYVAL value S_s and the nonce. Therefore, as long as the message is new, the record encryption key is expected to be fresh regardless of whether the nonce is fresh or not.

In Sections 8 and 9, the text talked about random nonces. It should be clearly explained that counter-nonces are as good as random nonces: only the uniqueness of the nonces under a given key is desired.

Regards,
Quynh.

P.S: My discussion on this topic is my personal curiosity of technical details and does not necessarily represent any views of my employer.

________________________________________
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Adam Langley <agl@imperialviolet.org>
Sent: Monday, May 9, 2016 8:33:05 AM
To: internet-drafts@ietf.org
Cc: cfrg@ietf.org; i-d-announce@ietf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-01.txt

On Mon, May 9, 2016 at 5:23 AM, <internet-drafts@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum of the IETF.

Dear all,

In light of discussions here we've changed the way that AES-GCM-SIV works with AES-256. It wasn't the case that two equal plaintexts with consecutive nonces would produce equal ciphertext. However, it seems to be insufficiently clear, and masking off a bit from the nonce (i.e., 127-bit nonce) looks inelegant. Thus, the record-encryption key is now generated using the "OFB mode" suggestion made by Uri Blumenthal. (Thanks to him for that.) In addition, we changed the initial counter value to avoid setting the least-significant 32 bits to zero. Starting the block counter at zero reduced the security margin in the analysis, and we realised that there was no reason for it.

Cheers

AGL
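Quynh's suggestion, worked through in code. This is an added example, not code from the draft, its authors or anyone on the list. It implements the POLYVAL field arithmetic of AES-GCM-SIV as published in RFC 8452 (the eventual RFC form of this draft) and contrasts a record key derived from the nonce alone with one derived from the nonce together with S_s. Assumptions: the HMAC-SHA256 derivation and its `record-key|` label stand in for the draft's AES-based derivation; the POLYVAL input layout (zero-padded AAD, zero-padded plaintext, then a length block) is taken from RFC 8452 rather than from the 2016 draft; and the key, H and nonce values are constructed.

```python
"""POLYVAL over GF(2^128) and a toy record-key derivation that binds the
record key to the message hash S_s as well as to the nonce.

Added example: not code from the draft, its authors or the list. The field
arithmetic and the mulX check value follow RFC 8452; the key derivation
uses HMAC-SHA256 as a stand-in for the draft's AES-based derivation (an
assumption made so the file runs on the standard library alone).
"""
import hashlib
import hmac

# x^128 + x^127 + x^126 + x^121 + 1; bit i of an int is the coefficient of x^i.
POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
# x^128 mod POLY: the multiplicative identity of RFC 8452's "dot" operation.
DOT_IDENTITY = POLY ^ (1 << 128)


def gf_mul(a: int, b: int) -> int:
    """Carry-less product of two field elements, reduced modulo POLY."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):  # clear the terms of degree 255..128
        if (r >> i) & 1:
            r ^= POLY << (i - 128)
    return r


def dot(a: int, b: int) -> int:
    """RFC 8452 'dot': a * b * x^-128 mod POLY (a Montgomery-style product)."""
    r = gf_mul(a, b)
    for _ in range(128):  # divide by x 128 times; POLY's constant term keeps it exact
        if r & 1:
            r ^= POLY
        r >>= 1
    return r


def to_elem(block: bytes) -> int:
    """Little-endian: the first byte holds x^0..x^7, with x^0 in its low bit."""
    return int.from_bytes(block, "little")


def from_elem(e: int) -> bytes:
    return e.to_bytes(16, "little")


def mulx_polyval(block: bytes) -> bytes:
    """Multiplication by x, the mulX_POLYVAL helper of RFC 8452."""
    return from_elem(gf_mul(to_elem(block), 2))


def polyval(h: bytes, data: bytes) -> bytes:
    """S_s = POLYVAL(H, X_1..X_s): S_j = dot(S_{j-1} xor X_j, H), S_0 = 0."""
    if len(data) % 16:
        raise ValueError("POLYVAL input must be a whole number of 16-byte blocks")
    hh, s = to_elem(h), 0
    for off in range(0, len(data), 16):
        s = dot(s ^ to_elem(data[off:off + 16]), hh)
    return from_elem(s)


def _pad16(b: bytes) -> bytes:
    return b + bytes(-len(b) % 16)


def message_hash(h: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """S_s over zero-padded AAD, zero-padded plaintext and a length block
    (the RFC 8452 layout; assumed here for the 2016 draft)."""
    length_block = (8 * len(aad)).to_bytes(8, "little") + (8 * len(plaintext)).to_bytes(8, "little")
    return polyval(h, _pad16(aad) + _pad16(plaintext) + length_block)


def record_key_from_nonce(key: bytes, nonce: bytes) -> bytes:
    """Nonce-only derivation (stand-in KDF): a repeated nonce repeats the key."""
    return hmac.new(key, b"record-key|" + nonce, hashlib.sha256).digest()[:16]


def record_key_bound_to_message(key: bytes, nonce: bytes, s_s: bytes) -> bytes:
    """Quynh's variant: derive from the nonce and S_s, so the key is fresh
    whenever the message is, even under a repeated nonce."""
    return hmac.new(key, b"record-key|" + nonce + s_s, hashlib.sha256).digest()[:16]


def freshness_under_repeated_nonce(key, h, nonce, aad, pt_a, pt_b):
    """Returns (nonce_only_equal, bound_equal) for two records sharing a nonce."""
    k_a = record_key_from_nonce(key, nonce)
    k_b = record_key_from_nonce(key, nonce)
    b_a = record_key_bound_to_message(key, nonce, message_hash(h, aad, pt_a))
    b_b = record_key_bound_to_message(key, nonce, message_hash(h, aad, pt_b))
    return k_a == k_b, b_a == b_b


def counter_nonces(count: int, nonce_len: int = 12) -> list:
    """Counter nonces are unique by construction until the counter wraps,
    which is all the derivation needs; randomness is not required."""
    return [i.to_bytes(nonce_len, "little") for i in range(count)]


if __name__ == "__main__":
    # Constructed sample values, not from any specification.
    key, h, nonce = bytes(range(32)), bytes(range(16, 32)), bytes(12)
    print(freshness_under_repeated_nonce(key, h, nonce, b"hdr", b"msg one", b"msg two"))
    print(freshness_under_repeated_nonce(key, h, nonce, b"hdr", b"same", b"same"))
```

Run directly, the file prints (True, False) and then (True, True): under a repeated nonce the nonce-only key repeats for any pair of messages, while the S_s-bound key repeats only when the whole message repeats, which is the deterministic behaviour an SIV mode accepts anyway. The S_s binding relies on H being non-zero, since dot(., H) is then a bijection and distinct plaintext blocks give distinct hashes. The counter_nonces helper makes the mail's second point: a counter gives uniqueness by construction, which is all either derivation needs.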