Re: [TLS] Pull Request: Removing the AEAD explicit IV

Yoav Nir <> Tue, 17 March 2015 20:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 768B21A88E0 for <>; Tue, 17 Mar 2015 13:19:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 23C_cqW6UGma for <>; Tue, 17 Mar 2015 13:19:58 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A34621A88DE for <>; Tue, 17 Mar 2015 13:19:57 -0700 (PDT)
Received: by wixw10 with SMTP id w10so21026575wix.0 for <>; Tue, 17 Mar 2015 13:19:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=744jaDWuYdf+b2mZa2CYI8RYxZ8eJjasEV+g2LyyxOM=; b=jxizks1D4OXLhnTwVws3yF5kHOb+Ckfi9l67+uNv2Zj6ljQtrMMQNscyNIf+VTAKa8 cT1nyZ4M80xEroo7Pnw0yyrDNNr/HsUDB6IA2XNb4ljQrsRuGWfKA4HIuF0eR3zblWjM I6fNyu8Ys3kaqsOSkSeaNyTn04U/QgKmwOQtJltXOKlUIekzbyLUV4Le1g2JCUGrathd D2b0JFDvggX91TDIQaq1oUld4RVifs5a4Iko4LlYQkEZssZy4HD1eXfBn9t478c9MOEi PaGtekdzGuQaJnTfPBHLgCs5y+4YXfJNgKVd8MqubKpB3ld5uT4LTKst/Z4lgkws4XRj JJxg==
X-Received: by with SMTP id cy1mr132883554wjb.127.1426623596400; Tue, 17 Mar 2015 13:19:56 -0700 (PDT)
Received: from [] ([]) by with ESMTPSA id q6sm119298wix.3.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 17 Mar 2015 13:19:55 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Yoav Nir <>
In-Reply-To: <>
Date: Tue, 17 Mar 2015 22:19:53 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Adam Langley <>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Mar 2015 20:19:59 -0000

> On Mar 17, 2015, at 8:21 PM, Adam Langley <> wrote:
> On Tue, Mar 17, 2015 at 11:06 AM, Michael StJohns
> <> wrote:
>> That works for the currently defined pure AEAD modes (CCM/GCM at least,
>> haven't looked at chacha).   Will that work in all cases for constructed
>> AEAD modes?  (e.g. where we build an AEAD mode out of an encryption mode and
>> an integrity mode and derive the E and I keys from a single key internal to
>> the constructed mode - say  AES-CBC with CMAC for example).  Short answer is
>> probably not.
> I believe that it will, although I welcome counterexamples.
> The AEAD interface requires only an nonce (i.e. unique, but not
> unpredictable) and, under this proposal, that's all that TLS will
> provide.
> CBC modes require an IV (i.e. unpredictable). If you wished to make an
> AES-CBC-HMAC-SHA256 AEAD, for example, then you would do something
> like this:
> Define the key length to be twice as large as the AES key and split it
> internally into a CBC key and an IV key. For each record, generate the
> IV by AES(key = IV_key, block = nonce) then encrypt the plaintext
> using CBC with that IV and the CBC key. (And you might need extra key
> bytes for the HMAC too, but that's beside the point here.) Basically
> you can generate the IVs using AES-CTR as a PRNG.

Right. Or you could do like in , generate the IV randomly and locally and call it part of the ciphertext (see appendix A). The AEAD interface has no requirement that the ciphertext have the same length as the plaintext. In fact CBC requires padding, so the ciphertext is larger anyway.

I do like your way better, but it requires a larger state on both client and server. 

I’m also wondering if we can mass convert all the existing CBC ciphersuites for TLS 1.3, so that ciphersuite 0x00,0x0a could be TLS_RSA_WITH_3DES_EDE_CBC_SHA in TLS 1.2, but transform into one of these AEAD constructions for TLS 1.3 without having to allocate new identifiers.