Re: [TLS] Pull Request: Removing the AEAD explicit IV

Michael StJohns <> Wed, 18 March 2015 22:37 UTC

Date: Wed, 18 Mar 2015 18:36:58 -0400
From: Michael StJohns <>
To: Eric Rescorla <>
Subject: Re: [TLS] Pull Request: Removing the AEAD explicit IV

On 3/18/2015 11:58 AM, Eric Rescorla wrote:
> On Wed, Mar 18, 2015 at 8:48 AM, Michael StJohns <> wrote:
>     David used Nonce properly here, but it becomes confusing when
>     taken to using the same key with multiple messages.
>     Each message ALSO needs a Nonce - e.g. a unique value. But the
>     other term for a per-message nonce is generally an IV.  At the
>     message level a nonce is always an IV but an IV isn't always a nonce.
> The term RFC 5116 uses for this input is "nonce". I don't think it's
> helpful to use a different term here than is used in RFC 5116. Please
> note that all the ciphers here need to conform to the RFC 5116 interface,
> so whatever the individual ciphers call their nonce inputs is not relevant
> here.

David used David's language for 5116.  It's instructive to note Russ's 
language in the CCM RFC matches what ended up in the NIST version, but 
that David's language in his GCM RFC didn't match what ended up in the 
document he sent proposing GCM to NIST nor what NIST finally published 
as the mode.  I'm not sure why that is. From David's GCM submission:

> The primary purpose of the IV is to be a nonce, that is, to be 
> distinct for each invocation of the encryption operation for a fixed key.

Then there's the mixture of the IV with the salt to form a nonce in the 
GCM IPSEC document that's yet another different way of putting it.

If you say "IV" or Initialization Vector, I know that's the value I 
need to begin encryption or decryption of a message.  If you say Nonce, 
I have no idea of whether it's an IV, a value mixed in to indicate 
timeliness (e.g. a challenge nonce), a per-session/per-sender nonce 
that's used as part of the IV to allow the same key to be used by 
multiple senders, or what.

Ah well....

>     We form the per-message nonce (e.g. the IV) from the per-session
>     nonce and the per-message sequence number and a fixed value. 
>     That's also the per-block nonce for the first block.
> In this PR there is no fixed value. We simply use the sequence number
> and pad to the left as required, so I don't think there should be much
> room for confusion.

This is kind of sophistry.  Padding to the left is exactly equivalent to 
"fixed nonce of zeros".

> -Ekr
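The three nonce constructions argued over in this thread, written out as an added Python example that is not code from the pull request or from either author. It assumes the RFC 5116 default 12-byte nonce for AES-GCM, the TLS 1.2 GCM layout of a 4-byte per-session salt followed by an 8-byte explicit per-record IV (RFC 5288), and the PR's "sequence number left-padded with zeros" as described above; it also goes one step past the thread by including the XOR-with-a-per-connection-IV variant that RFC 8446 later adopted. The `NonceTracker`, `two_senders_collide` helper and all sample salts and sequence numbers are constructed here to show Michael's two points: left-padding is the same thing as a fixed salt of zeros, and two senders sharing one key without a per-sender value repeat a nonce on the very first record.

```python
"""Per-record AEAD nonce construction for TLS records (constructed example).

Illustrates the thread's three ways of building a 12-byte GCM nonce from the
record sequence number.  None of this is the pull request's own code.
"""
import struct
from typing import Optional

NONCE_LEN = 12          # RFC 5116 default nonce length for AES-GCM
SEQ_MAX = 2 ** 64 - 1   # TLS record sequence numbers are 64-bit unsigned


def nonce_tls12_gcm(salt: bytes, seq: int) -> bytes:
    """TLS 1.2 style (RFC 5288): 4-byte per-session salt || 8-byte explicit IV.
    The explicit IV travels on the wire; here the sequence number is used."""
    if len(salt) != 4:
        raise ValueError("salt must be 4 bytes")
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("sequence number out of range")
    return salt + struct.pack(">Q", seq)


def nonce_padded_seq(seq: int) -> bytes:
    """The pull request as described in the thread: no fixed value, only the
    sequence number left-padded with zeros to the nonce length.  A sequence
    number that would wrap is refused: wrapping would repeat a nonce."""
    if not 0 <= seq <= SEQ_MAX:
        raise ValueError("sequence number out of range")
    return seq.to_bytes(NONCE_LEN, "big")


def nonce_xor_iv(write_iv: bytes, seq: int) -> bytes:
    """The design RFC 8446 later adopted: padded sequence number XORed with a
    per-connection write IV derived from the key schedule."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("write_iv must be 12 bytes")
    return bytes(a ^ b for a, b in zip(nonce_padded_seq(seq), write_iv))


def padded_equals_zero_salt(seq: int) -> bool:
    """Michael StJohns' point: left-padding is exactly a fixed salt of zeros."""
    return nonce_padded_seq(seq) == nonce_tls12_gcm(b"\x00" * 4, seq)


class NonceTracker:
    """Enforces the invariant quoted from the GCM submission: the nonce must be
    distinct for every encryption under a fixed key.  Bookkeeping only; a real
    stack enforces this by construction (counter plus rekeying), not a set."""

    def __init__(self) -> None:
        self._seen = set()

    def use(self, key_id: str, nonce: bytes) -> None:
        if (key_id, nonce) in self._seen:
            raise RuntimeError(f"nonce reuse under key {key_id}: {nonce.hex()}")
        self._seen.add((key_id, nonce))


def two_senders_collide(salt_a: Optional[bytes], salt_b: Optional[bytes],
                        records: int) -> bool:
    """Simulate two senders sharing one key for `records` records each.
    A sender with salt None uses the bare padded sequence number; a sender
    with a salt uses salt || sequence number.  Returns True if any nonce
    repeats under the shared key."""
    tracker = NonceTracker()
    try:
        for seq in range(records):
            for salt in (salt_a, salt_b):
                nonce = (nonce_padded_seq(seq) if salt is None
                         else nonce_tls12_gcm(salt, seq))
                tracker.use("shared-key", nonce)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; any 4-byte salts and 12-byte IV would do.
    print("padded == zero salt:", padded_equals_zero_salt(7))
    print("no per-sender value, shared key:", two_senders_collide(None, None, 3))
    print("distinct salts, shared key:",
          two_senders_collide(b"\x00\x00\x00\x01", b"\x00\x00\x00\x02", 3))
    print("xor form:", nonce_xor_iv(b"\xa5" * NONCE_LEN, 1).hex())
```

Note that the collision in `two_senders_collide(None, None, ...)` is the same failure as giving both senders the zero salt: the padded form does not remove the fixed field, it fixes it at zero, which is why a key shared by more than one sender still needs a per-sender value somewhere in the nonce.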