Re: [Crypto-panel] Review of AES-GCM-SIV

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Mon, 19 June 2017 16:41 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>
CC: "alexey.melnikov@isode.com" <alexey.melnikov@isode.com>
Thread-Topic: Review of AES-GCM-SIV
Date: Mon, 19 Jun 2017 16:38:33 +0000
Message-ID: <D56DBC78.96A7D%kenny.paterson@rhul.ac.uk>
References: <D5685A61.9675F%kenny.paterson@rhul.ac.uk> <D5685B25.96765%kenny.paterson@rhul.ac.uk> <c1299ee52c524040ac0b2d2041eeb759@XCH-RTP-006.cisco.com>
In-Reply-To: <c1299ee52c524040ac0b2d2041eeb759@XCH-RTP-006.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/bRt501HkwIkAIj7A4vZNiNT7f4w>
Subject: Re: [Crypto-panel] Review of AES-GCM-SIV

Thanks Scott. Once all the reviews are in, we'll collate them and post
them to the list.

On 19/06/2017 15:05, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> wrote:

>My review:
>
>Summary: Almost Ready
>
>Major Concerns:
>
>None - from a security perspective, it looks pretty good
>
>
>Minor Concern:
>
>One thing that may be problematic to an implementor was the nonces listed
>in the test vectors.  AES-GCM-SIV takes 12-byte nonces; the nonces listed
>are 16 bytes long.  While this is unlikely to be a major source of
>confusion for an implementor, I suggest that the nonces be trimmed down
>before publishing.
>
>
>Nits:
>
>The encryption/decryption algorithms are given using fairly terse English
>descriptions.  While they are moderately clear to me, I wonder if they'd
>be as clear to someone else; I'm wondering if a pseudocode description
>would work better?  On the other hand, the test vectors give intermediate
>cipherstates (which would help a lot).
>
>While the test vectors are quite good in general, they use only one
>nonce, and two keys (one for each key length).  While there is certainly
>value in reusing the same key and nonce for slightly different
>plaintexts/AADs, I believe there would also be value in showing how
>different keys/nonces work.  One example: at one point, AES-GCM-SIV
>XORs the nonce into the POLYVAL result.  If someone did an incorrect
>implementation where (say) they exclusive-or'ed only the first 4 or 8
>bytes of the nonce, the current test vectors would still pass.
>
>The bytes in the test vector are listed LSB to MSB.  This rather assumes
>that the implementor is using little-endian byte ordering; I would
>suggest that this be changed to a more endian-neutral notation (possibly
>by just omitting the LSB and MSB labels).
>
>
>
>> -----Original Message-----
>> From: Crypto-panel [mailto:crypto-panel-bounces@irtf.org] On Behalf Of
>> Paterson, Kenny
>> Sent: Thursday, June 15, 2017 10:43 AM
>> To: Paterson, Kenny; crypto-panel@irtf.org
>> Cc: alexey.melnikov@isode.com
>> Subject: Re: [Crypto-panel] Review of AES-GCM-SIV
>> 
>> Sorry, that should be
>> https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-05 (and not -04).
>> 
>> On 15/06/2017 15:38, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>> wrote:
>> 
>> >Dear CFRG panel members,
>> >
>> >Any volunteers from the panel to perform a review of:
>> >
>> >https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-04
>> >
>> >
>> >I'd like to move it towards last call, and having a couple of reviews
>> >from you fine people would help give us the confidence to do so.
>> >
>> >The draft might be best read in conjunction with the technical paper:
>> >
>> >https://eprint.iacr.org/2017/168
>> >
>> >
>> >though of course it needs to stand alone as an RFC.
>> >
>> >Let me know.
>> >
>> >Cheers,
>> >
>> >Kenny
>> >
>> 
>> _______________________________________________
>> Crypto-panel mailing list
>> Crypto-panel@irtf.org
>> https://www.irtf.org/mailman/listinfo/crypto-panel
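The review's point about test-vector coverage, as an added example (not code from the draft, the paper, or the reviewer): the step that XORs the 12-byte nonce into the POLYVAL output, a truncated variant that XORs only the first 4 or 8 bytes, and a check over a vector suite's nonces that reports whether such a bug would slip through. The POLYVAL output and both nonces are constructed stand-ins, not values from the draft.

```python
# Added example: why a single low-entropy nonce in the test vectors cannot
# distinguish the correct "XOR the whole 12-byte nonce into the POLYVAL
# output" step from a truncated one, and a coverage check that exposes it.
from typing import Iterable

NONCE_LEN = 12  # AES-GCM-SIV nonces are 12 bytes


def mix_nonce(polyval_out: bytes, nonce: bytes, xor_bytes: int = NONCE_LEN) -> bytes:
    """Form the pre-tag block: XOR the nonce into the leading bytes of the
    16-byte POLYVAL output, then clear the top bit of the last byte.
    xor_bytes=12 is the correct step; 4 or 8 models the bug in the review."""
    if len(polyval_out) != 16:
        raise ValueError("POLYVAL output must be 16 bytes")
    if len(nonce) != NONCE_LEN:  # a 16-byte nonce, as listed in the draft, is rejected
        raise ValueError(f"nonce must be {NONCE_LEN} bytes, got {len(nonce)}")
    s = bytearray(polyval_out)
    for i in range(xor_bytes):
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return bytes(s)


def bug_escapes_suite(nonces: Iterable[bytes], xor_bytes: int) -> bool:
    """True if every nonce in the suite is all-zero beyond offset xor_bytes,
    i.e. an implementation XORing only xor_bytes bytes passes every vector."""
    return all(n[xor_bytes:] == bytes(NONCE_LEN - xor_bytes) for n in nonces)


# Constructed data: a stand-in POLYVAL output, a single low-entropy nonce of
# the kind the review describes, and a full-entropy nonce (not from the draft).
POLYVAL_OUT = bytes(range(0x10, 0x20))
SINGLE_NONCE = b"\x03" + b"\x00" * 11
FULL_NONCE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")


def masked_by_single_nonce() -> bool:
    # Correct and 4-byte-truncated mixing agree on the low-entropy nonce...
    return mix_nonce(POLYVAL_OUT, SINGLE_NONCE) == mix_nonce(POLYVAL_OUT, SINGLE_NONCE, 4)


def caught_by_full_nonce() -> bool:
    # ...but diverge as soon as the nonce has nonzero bytes past offset 4.
    return mix_nonce(POLYVAL_OUT, FULL_NONCE) != mix_nonce(POLYVAL_OUT, FULL_NONCE, 4)
```

Running `bug_escapes_suite` over a draft's listed nonces is a cheap way to confirm that at least one vector would catch a truncated XOR before the vectors are published.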