Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

Mike Hamburg <mike@shiftleft.org> Tue, 26 April 2016 18:07 UTC

From: Mike Hamburg <mike@shiftleft.org>
In-Reply-To: <CAMfhd9Xex0JLW8UWrUAjQb-bTizCp7XKCsgPB3R1k2eM3Pzuwg@mail.gmail.com>
Date: Tue, 26 Apr 2016 11:07:23 -0700
Message-Id: <88D2AC3F-93B9-4357-816F-520D970180E2@shiftleft.org>
References: <D33EAB85.2AC03%uri@ll.mit.edu> <emd177ba4d-0be1-4293-afb1-fc0b1a9c54f9@sgueron-mobl3> <CALCETrWnuuhQGP7zLO9kh+EEsOXaDZycQVSge_=8R38cQj1-vQ@mail.gmail.com> <CAMfhd9Xex0JLW8UWrUAjQb-bTizCp7XKCsgPB3R1k2eM3Pzuwg@mail.gmail.com>
To: Adam Langley <agl@imperialviolet.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/zrd6rsf1pU6nkcZTXw7OF3hpfYk>
Cc: Yehuda Lindell <yehuda.lindell@biu.ac.il>, "cfrg@irtf.org" <cfrg@irtf.org>, Adam Langley <agl@google.com>
Subject: Re: [Cfrg] Adopting "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption" as a CFRG document ---- Some clarifications

> On Apr 26, 2016, at 10:25 AM, Adam Langley <agl@imperialviolet.org> wrote:
> 
> On Tue, Apr 26, 2016 at 9:44 AM, Andy Lutomirski <luto@amacapital.net> wrote:
>> Then you're violating one of the basic properties that even
>> non-nonce-misuse-resistant schemes provide: when you encrypt two
>> messages using different nonces, you shouldn't reveal whether they're
>> the same message.  As proposed, this mode does *not* have that
>> property.
> 
> Although the record encryption key may be the same for pairs of
> messages in AES-256 mode, that doesn't lead to identical plaintexts
> having identical ciphertexts because the nonce is xored into S_s,
> which ends up controlling the tag and thus the initial counter.
> 
> Still, Shay and I chatted and the idea to XOR the nonce with 1 for the
> second half seems like it might be cleaner. I believe that Shay and
> Yehuda are working on updating the analysis and may incorporate this
> change.
> 
> 
> Cheers
> 
> AGL
> 
> -- 
> Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

While it probably wouldn’t lead to an attack, I have some hesitation about encrypting the first packet with (K0,K1) and the second packet with (K1,K0).

Too bad AES predates tweakable ciphers.  Then the solution would be easy.

— Mike