[TLS] Pull Request: Removing the AEAD explicit IV

Eric Rescorla <ekr@rtfm.com> Mon, 16 March 2015 23:55 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/g8pnjkAeR0sKBsXScJyHdjRBEEI>

PR: https://github.com/tlswg/tls13-spec/pull/155
Target merge date: 3/21


- AES-GCM uses a partially explicit nonce.
- The ChaCha20 draft uses the sequence number as the nonce.

As Stephen Kent has observed, the idea behind the explicit IV is to allow
the cryptographic module implementing the AEAD algorithm to ensure non-reuse
of the nonce. However, for ChaCha I believe we came to the conclusion that it
was acceptable to use the sequence number as the nonce, as the module can
check for sequential usage. This saves 8 octets on the wire.

In the interim in Seattle, we came to the conclusion that we should make
all AEAD algorithms behave this way, which also simplifies the spec some.
I've formatted this into a PR to verify the consensus on the list. Please
reply here if you object and on the PR if you have editorial comments.
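Added illustration, not part of this message or of the PR: the two nonce constructions the list items compare (TLS 1.2 AES-GCM's 4-byte implicit salt plus 8-byte explicit part on the wire, versus deriving the whole nonce from the record sequence number), and the sequential-use check a cryptographic module can run once the sequence number is the nonce. The 12-byte nonce width, the zero-padding of the sequence number and the sample salt are assumptions made for the example.

```python
import struct
from typing import Tuple

NONCE_LEN = 12      # assumed AEAD nonce width (AES-GCM / ChaCha20-Poly1305)
EXPLICIT_LEN = 8    # explicit nonce octets carried in each TLS 1.2 AES-GCM record


def tls12_gcm_nonce(salt: bytes, seq: int) -> Tuple[bytes, bytes]:
    """Explicit-IV style: implicit salt || explicit part.
    Returns (full_nonce, octets_sent_on_wire). The explicit part is the
    64-bit sequence number here, which is what implementations usually send."""
    if len(salt) != NONCE_LEN - EXPLICIT_LEN:
        raise ValueError("salt must be %d bytes" % (NONCE_LEN - EXPLICIT_LEN))
    explicit = struct.pack(">Q", seq)
    return salt + explicit, explicit


def implicit_nonce(seq: int) -> Tuple[bytes, bytes]:
    """Proposed style: the 64-bit record sequence number, zero-padded on the
    left to NONCE_LEN (assumed padding), is the nonce. Nothing extra is sent."""
    return struct.pack(">Q", seq).rjust(NONCE_LEN, b"\x00"), b""


class NonceGuard:
    """The check a crypto module can perform when the nonce is the sequence
    number: accept only the next expected value, so a repeated or rewound
    counter (nonce reuse) is rejected before anything is sealed."""

    def __init__(self) -> None:
        self.expected = 0

    def seal_nonce(self, seq: int) -> bytes:
        if seq != self.expected:
            raise ValueError("nonce reuse/skip: got %d, expected %d" % (seq, self.expected))
        if seq >= 2**64 - 1:  # illustrative exhaustion limit; rekey before wrap
            raise ValueError("sequence space exhausted")
        self.expected = seq + 1
        return implicit_nonce(seq)[0]


def wire_savings_per_record() -> int:
    """Octets saved per record by dropping the explicit nonce (constructed salt)."""
    salt = b"\x00\x01\x02\x03"  # constructed sample salt, not key material
    _, explicit = tls12_gcm_nonce(salt, 7)
    _, nothing = implicit_nonce(7)
    return len(explicit) - len(nothing)
```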