Re: [TLS] Consensus call on Implicit IV for AEAD

Brian Smith <> Fri, 17 April 2015 21:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D1AF91B2CE0 for <>; Fri, 17 Apr 2015 14:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JNfG2m3vqRb5 for <>; Fri, 17 Apr 2015 14:30:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DDE751B304C for <>; Fri, 17 Apr 2015 14:30:31 -0700 (PDT)
Received: by obbfy7 with SMTP id fy7so78920257obb.2 for <>; Fri, 17 Apr 2015 14:30:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=NP66597PJv3Qcj8F6oZPfKFY4o7ftg1fz4MHqif4nms=; b=Lr9IhOE/0HcC55slwGUZ2tpTticm/HewGXxS6tnk3o9xIK9A7ut2/LONf6TyqWYj1i bJFjX3TP6xJjeu9bTNuXeQYGkvSFp4LL1Nkew5XkApz78fNZfiY50lQHpalQH/gwAnco psW9DbS858yrBnpHjt7eDNTe0BOT5BVgjF4DWDgACqcCczcME6xuuwYsX5AGLFIR9HaX lz1sxz6VsdbleH7R+6+/32/62uqrupcgDaL88s1/nYNkhECUXtNdtIPhdDKSVHl+f11O LvgvuHfI/hYQwW8UsPy4Pl9oY84BSbfOqrEnLpFdOaZvV9KuvCAsq2vyhjRWS/iLEHxH JBEw==
X-Gm-Message-State: ALoCoQnaosDQsmJTWjkyEMqGH3vZUtRXyESfyxY9EMZhgu7vkDFYOnZUzqIckbiIstseuj38Rxi9
MIME-Version: 1.0
X-Received: by with SMTP id qu1mr4771180oeb.83.1429306231367; Fri, 17 Apr 2015 14:30:31 -0700 (PDT)
Received: by with HTTP; Fri, 17 Apr 2015 14:30:31 -0700 (PDT)
In-Reply-To: <>
References: <> <20150417124739.GA30086@LK-Perkele-VII> <>
Date: Fri, 17 Apr 2015 11:30:31 -1000
Message-ID: <>
From: Brian Smith <>
To: Michael Hamburg <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Consensus call on Implicit IV for AEAD
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 17 Apr 2015 21:30:34 -0000

Michael Hamburg <> wrote:
>> Ilari Liusvaara <> wrote:
>> [2] Substantial weakening happens far before collisions become
>> likely. So much less than AGL's "2^60" mentioned in the meeting.
> Really?  Can you provide a citation?  Because if I’m reading it correctly, this is a claim that AES-128 is not a secure PRP, with significantly less than 2^60 known/chosen plaintexts, keys and compute time.

It is a claim that AES-128-*GCM* *may* (emphasis on *GCM* and *may*)
not be a perfectly secure PRP, and/or that the key agreement scheme to
be used in TLS 1.3 *may* not not be perfect. I think those are
reasonable things to doubt, absent a proof to the contrary.

>> [4] Secret meaning those are derived from the main key block.
> … and this is a claim that adding an extra key, which is in the nonce instead of an actual key to the cipher, makes it more secure.
> All this said, I agree that it’s wise to reduce the amount of cribtext you give an attacker, so long as it doesn’t cost too much complexity.  If we are really providing a fatal amount of cribtext, then we need to fix that, but then again, we should probably toss the cipher out at that point.

The argument I was making is that (a) it seems unreasonable to assume
AES-128-GCM is perfect and that they key agreement scheme is perfect,
and (b) the cost of randomizing the starting point of the nonce
counter is so low that it is worthwhile to do it just in case.

I recently read the FIPS 140-2 implementer's guidance at [1]. I think
it is worthwhile for people discussing this to read what it has to say
about AES-GCM nonce handling, which starts on page 138. It recommends
an even more stringent handling of nonces for AES-GCM, summarizing the
approach proposed for TLS 1.3 as follows:

    It may be tempting to avoid meeting the IV generation
    requirements stated in this IG if it could be guaranteed
    that any key was used only once thus avoiding the (key, IV)
    collisions regardless of the method used to generate the
    IVs. The problem with this approach is that within the
    scope of the CMVP validation neither the module itself
    nor its Security Policy can enforce the single-use-key
    condition. The risk of introducing the identical (key, IV)
    pairs outweighs the possible benefits of relaxing the IV
    generation rules."

Where the "IV generation rules" are paraphrasing, "do it the way TLS
1.2 does, or else ensure every peer uses a unique identifier as a
prefix on nonces it uses for encryption."

No matter what we do, we should address this concern in the security
considerations of the TLS 1.3 spec by stating the assumptions we are
making and guarantees we are providing regarding (key, IV) uniqueness.