Re: [Crypto-panel] Review of AES-GCM-SIV

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Tue, 04 July 2017 13:53 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Bjoern Tackmann <bjoern.tackmann@ieee.org>, Tibor Jager <tibor.jager@upb.de>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>
Thread-Topic: [Crypto-panel] Review of AES-GCM-SIV
Date: Tue, 4 Jul 2017 13:53:47 +0000
Message-ID: <D5815C4F.97F0D%kenny.paterson@rhul.ac.uk>
References: <D5685A61.9675F%kenny.paterson@rhul.ac.uk> <CAFr4q=D8tm362WTQdZ97U93eavOafYwyLOFWTD2jK8YR2B+X-w@mail.gmail.com> <ab2e806f-e9aa-9bb5-2a12-f55f4a005fe8@upb.de> <CAFr4q=CA4OhcYA8u6VVb4Hx3+_AN9VeWZN30HOPO-jgvadt4RQ@mail.gmail.com>
In-Reply-To: <CAFr4q=CA4OhcYA8u6VVb4Hx3+_AN9VeWZN30HOPO-jgvadt4RQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/XsFMojjCstcGeARKJbN2-r6XO_Y>
Subject: Re: [Crypto-panel] Review of AES-GCM-SIV

Thanks everyone for this helpful discussion.

If you want to update your reviews in the light of it, please go ahead and
resend your reviews here. I'll then collate the three reviews we have to
the CFRG list.

Cheers

Kenny 

On 04/07/2017 13:27, "Crypto-panel on behalf of Bjoern Tackmann"
<crypto-panel-bounces@irtf.org on behalf of bjoern.tackmann@ieee.org>
wrote:

>Hi all,
>
>On Sun, Jul 2, 2017 at 2:37 PM, Tibor Jager
><tibor.jager@upb.de> wrote:
>
>> On 01/07/2017 20:34, Bjoern Tackmann wrote:
>>> Please find my review below. It's a nice piece of work and overall in
>>> quite good shape.
>>>
>>> After looking at the other reviews: I do not quite understand Tibor's
>>> comment on the bit-length vs. byte-length, given that the draft states
>>> that the scheme takes "arbitrary-length plaintext & additional data
>>> byte-strings" -- and for me the term "byte-strings" means that the
>>> byte-length of the strings is an integer.
>>
>> Indeed, this is one of the sections that suggests that it is implicitly
>> assumed that "valid" plaintexts and AD always have a byte-length which
>> is an integer.
>>
>> What I found *potentially* confusing is:
>>
>> - Then it would also be somewhat more intuitive/consistent to include
>> the byte-length of plaintext and AD in the length block. The current
>> draft includes the bit-length. (This is of course technically fine and
>> essentially just a different notation, but *could* be confusing.)
>>
>> - Also the example in Section 8 mentions the bit-length.
>
>I fully agree that it would be less ambiguous to do these computations in
>terms of byte-length. I do not see any advantage of having the scheme
>operate internally in terms of bit-length, when only byte-length strings
>are allowed.
>
>> - It would also make sense to let the encryption algorithm abort, if the
>> lengths of plaintexts and AD are not a multiple of 8 bits (and one could
>> ignore this check in applications where this is guaranteed by the
>> environment - but this is of course something that only the application
>> developer can decide).
>
>Agreed.
>
>Best,
>Björn
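To make the point under discussion concrete, here is an added example that is not part of this thread, the draft, or the reviewers' material. It implements POLYVAL and the 16-byte length block as published in RFC 8452 (the draft being reviewed): two little-endian 64-bit lengths, additional data first, both in bits. The `in_bits=False` variant and the `bits_to_bytes_or_abort` check are the thread's two suggestions (encode byte lengths; abort on inputs that are not a whole number of bytes) and are assumptions of this example, not part of the specification. The key `h` and the inputs are constructed sample values.

```python
"""Added example (not from the draft, RFC 8452, or any message in this thread):
a minimal POLYVAL and the AES-GCM-SIV length block, written to show what the
bit-length vs. byte-length discussion is about. The field, the little-endian
64-bit length encoding and the zero padding follow RFC 8452; the byte-length
variant and the alignment check are the reviewers' suggestions, not the spec."""
import struct

# POLYVAL field: GF(2^128) modulo x^128 + x^127 + x^126 + x^121 + 1, with the
# coefficient of x^0 in the least significant bit of the *first* byte.
_P = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
# x^-128 mod P, as a polynomial: x^127 + x^124 + x^121 + x^114 + 1.
_X_INV_128 = (1 << 127) | (1 << 124) | (1 << 121) | (1 << 114) | 1


def _gf_mul(a: int, b: int) -> int:
    """Carry-less multiply of two field elements, then reduce modulo _P."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):          # clear bits 255..128, top-down
        if (r >> i) & 1:
            r ^= _P << (i - 128)
    return r


def dot(a: bytes, b: bytes) -> bytes:
    """POLYVAL's dot operation: a * b * x^-128 in the field (RFC 8452, Section 3)."""
    x = int.from_bytes(a, "little")
    y = int.from_bytes(b, "little")
    return _gf_mul(_gf_mul(x, y), _X_INV_128).to_bytes(16, "little")


def polyval(h: bytes, data: bytes) -> bytes:
    """POLYVAL(H, X_1..X_n): S_j = dot(S_{j-1} xor X_j, H), starting from zero."""
    if len(h) != 16 or len(data) % 16:
        raise ValueError("H must be 16 bytes and data a whole number of blocks")
    s = bytes(16)
    for i in range(0, len(data), 16):
        s = dot(bytes(u ^ v for u, v in zip(s, data[i:i + 16])), h)
    return s


def length_block(aad_len: int, pt_len: int, in_bits: bool = True) -> bytes:
    """The 16-byte length block: two little-endian 64-bit lengths (AAD, then
    plaintext). The draft/RFC encodes *bit* lengths (in_bits=True); the variant
    discussed in the thread would encode byte lengths (in_bits=False, an
    assumption of this example). Both are derived from byte counts, so they
    differ only by a factor of 8."""
    scale = 8 if in_bits else 1
    return struct.pack("<QQ", aad_len * scale, pt_len * scale)


def bits_to_bytes_or_abort(bit_len: int) -> int:
    """The abort suggested in the thread (assumed here, not in the spec): a
    caller presenting a bit-length that is not a multiple of 8 is rejected
    instead of being silently truncated or rounded."""
    if bit_len % 8:
        raise ValueError(f"{bit_len} bits is not a whole number of bytes")
    return bit_len // 8


def _pad16(b: bytes) -> bytes:
    """Zero-pad to the next multiple of 16 bytes (no padding if already aligned)."""
    return b + bytes(-len(b) % 16)


def polyval_input(aad: bytes, pt: bytes) -> bytes:
    """The byte string AES-GCM-SIV hashes with POLYVAL when forming the tag:
    pad16(AAD) || pad16(plaintext) || length_block (RFC 8452, Section 4)."""
    return _pad16(aad) + _pad16(pt) + length_block(len(aad), len(pt))


if __name__ == "__main__":
    # Constructed sample inputs; h is an arbitrary 16-byte value, not a real key.
    h = bytes(range(16))
    aad, pt = b"header", b"plaintext bytes"
    print(length_block(len(aad), len(pt)).hex())       # 6 and 15 bytes -> 48 and 120 bits
    print(polyval(h, polyval_input(aad, pt)).hex())
```

Two self-checks are worth knowing when porting a POLYVAL: `dot(1, 1)` must equal the encoding of x^-128 (bytes `01 00..00 04 92`), and multiplying any element by the encoding of x^128 mod P (bytes `01 00..00 c2`) must return it unchanged. A wrong bit-ordering or reduction fails both immediately, whereas a bit-vs-byte mix-up in the length block only shows up as a tag mismatch against another implementation, which is why the reviewers want the convention stated unambiguously.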