IETF Logo Mail Archive

Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document

Yoav Nir <ynir.ietf@gmail.com> Thu, 31 March 2016 06:01 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A3C812D0F4 for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKI2LfFf1olU for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2016 23:01:55 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80B6812D0F6 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:01:55 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id 127so121200016wmu.1 for <cfrg@irtf.org>; Wed, 30 Mar 2016 23:01:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=C9wAmojrUYrPHo5/PUcNv9+cpurnNdBfeTTT2SWwtus=; b=UAhWzD8DVbfCdgHsSFqnlTftP7bwVcQrRugatNbKwgSaBZahopYYiWHQ85JYjZioXx Lln+WqTwTBKZ4ae2EB5uUQ/PDLZRn9XKAtmw5PDLtvqS+d1+mRxFeYNh+ZRvftPykcYy UgfcHCuYJWjyS5kOKETm9UxtAdP01D0Axausyol7JP/3u4E5cMaTsU73BOEtn9BQ0kYv eNVe2DtHP9TeGS8d/Lnk0w+dDkCD0EmlwWXIaxioLuBG5BooA9HBdqCzzJlYiBqKURZM pkF+aWCRie8vJekBsMEXMaAaQwP3GAijtPWLGULYI3bvPR0B+4bHkMR/uEDJUouxbntI ukxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:mime-version:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=C9wAmojrUYrPHo5/PUcNv9+cpurnNdBfeTTT2SWwtus=; b=Z3K3pToVOb4eFtmlVcHI8yQzMh6Pf+T1gpshwplG40EVVwxXEqlSxS0h9ds0zSjT24 hl/HbQm5dNZWLaJC40Z9Ay9VqDAgZbZzQKwNd/pb2HmDJA9EnMSXSXuUOzhx65wyhmmV 35mOIijJk/SfLtpiTDwWyMebTPSGTy4A4Iy008nAVDFgkgn4lrJqIOy1z/pbIb9X/EWo 3Mozaxb+XEl/n4P3n6bo1Cx7DJxzpbkie8nKw4wjFe3JW2kx04uZAjrLtW/obPPCLshk /65C6bY9qpyCEqsgjToDhg0qvMzE19iNf6ymhxgXD4FWZbCLpdYelmjcNCie/28bmtvI 8VeA==
X-Gm-Message-State: AD7BkJK6o0oTkM/YdE4hGa/9Lkn2DscUl/c9UxM6MUhichAJJJe2GomanofKTNFzBIpseg==
X-Received: by 10.28.145.196 with SMTP id t187mr13705254wmd.81.1459404114071; Wed, 30 Mar 2016 23:01:54 -0700 (PDT)
Received: from yoavs-mbp-2.mshome.net ([176.13.4.23]) by smtp.gmail.com with ESMTPSA id u4sm7255101wjz.4.2016.03.30.23.01.50 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 30 Mar 2016 23:01:53 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset="utf-8"
From: Yoav Nir <ynir.ietf@gmail.com>
X-Priority: 3 (Normal)
In-Reply-To: <81b4ebaa8011b127a72168ef67afdec6.squirrel@www.trepanning.net>
Date: Thu, 31 Mar 2016 09:01:45 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <20048027-CB56-4FBB-ADF4-75CAFD4CE015@gmail.com>
References: <1893951588-3704@skroderider.denisbider.com> <CAHOTMVJOQRgTKQViYQu2qxzK4q9SrvdBZnGPmoeUyKO40aCdhg@mail.gmail.com> <541C676F-162B-49D5-9DD6-F9F0BA6DA513@gmail.com> <81b4ebaa8011b127a72168ef67afdec6.squirrel@www.trepanning.net>
To: Dan Harkins <dharkins@lounge.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zlmfKS1pFD7uvjTNka2_XpKaVqI>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 06:01:57 -0000

> On 31 Mar 2016, at 8:38 AM, Dan Harkins <dharkins@lounge.org> wrote:
> 
> 
> 
> On Wed, March 30, 2016 9:13 pm, Yoav Nir wrote:
>> Hi, Tony
>> 
>>> On 31 Mar 2016, at 6:40 AM, Tony Arcieri <bascule@gmail.com> wrote:
>>> 
>>> On Wed, Mar 30, 2016 at 6:56 PM, denis bider <ietf-cfrg@denisbider.com
>>> <mailto:ietf-cfrg@denisbider.com>> wrote:
>>> I believe Dan's point was that AES256-GCM-SIV uses a 128-bit tag to
>>> derive the final encryption key.
>>> 
>>> No?
>>> 4.  Encryption
>>> 
>>>   AES-GCM-SIV encryption takes a 16-byte authentication key, a 16- or
>>>   32-byte AES key, a 128-bit nonce, and arbitrary-length plaintext and
>>>   additional data inputs.  It outputs an authenticated ciphertext that
>>>   will be 16 bytes longer than the plaintext.
>> 
>> I think the relevant section is the next paragraph where the record
>> encryption key is defined. That too is defined to be the same length as
>> the input key:
>> 
>>   If the AES key is 16 bytes long then define the _record-encryption
>>   key_ as the encryption of the nonce using the AES key.  If AES-256 is
>>   being used then this is insufficient as 256 bits of key material are
>>   needed.  Therefore the record-encryption key in this case is the
>>   concatenation of the result of encrypting, using the AES key, the
>>   nonce with the least-significant bit of the first byte set to zero
>>   and then to one.
> 
>  It's not the length, it's the number of values possible in that
> length. Because this cipher mode is using AES-256-ECB as a 128-bit
> PRP it is generating two distinct 128-bit blobs and concatenating
> them. That means that there can only be 2^128 possible values of
> that 256-bit key.

Actually it’s 2^127, because the least significant bit of the first byte is set first to zero and then to one, rather than for example setting it to the original value first and flipping it for the second.

But it is 2^127 possibilities for a record encryption key that is used either once or a very few times, and despite knowing that there are only 2^127 possibilities, I don’t see how you could iterate on them without either breaking AES-256 or iterating over the entire 2^256 space. 

I guess it would be nice to explain why they chose not to use a 256-bit nonce, but enlarging the nonce is not free.

Yoav

v2.23.0 | Report a Bug | By Email