[Cfrg] AES GCM SIV analysis

"Cooley, Dorothy E" <decoole@nsa.gov> Wed, 18 January 2017 16:49 UTC

From: "Cooley, Dorothy E" <decoole@nsa.gov>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: AES GCM SIV analysis
Date: Wed, 18 Jan 2017 16:49:11 +0000
Message-ID: <D120A224329B7F4CA6F000FB5C0D964C01EBE26FEA@MSMR-GH1-UEA07.corp.nsa.gov>
References: <D120A224329B7F4CA6F000FB5C0D964C01EBE26F73@MSMR-GH1-UEA07.corp.nsa.gov>, <D120A224329B7F4CA6F000FB5C0D964C01EBE26F86@MSMR-GH1-UEA07.corp.nsa.gov>
In-Reply-To: <D120A224329B7F4CA6F000FB5C0D964C01EBE26F86@MSMR-GH1-UEA07.corp.nsa.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/k2mpWgod4mbdOxsvN6EtXHb0BAg>
Subject: [Cfrg] AES GCM SIV analysis

NSA's Information Assurance organization did some analysis of AES-GCM-SIV, as described in "AES-GCM-SIV:  Nonce Misuse-Resistant Authenticated Encryption", dated August 29, 2016 [1].  We shared this analysis privately with the three authors of AES-GCM-SIV, who requested that we post it to the CFRG forum. The attachment describes the results of the analysis. We believe the authors will be posting an update shortly.


Any comments on this work can be directed to me.  But I will note that I didn't do the actual analysis (I can't claim to be a 'real' cryptographer these days).

Deb Cooley

NSA Information Assurance Standards.

decoole@nsa.gov

[1] https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02