List: cfrg
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
From: "Dang, Quynh (Fed)" <quynh.dang () nist ! gov>
Date: 2017-01-24 12:22:34
Message-ID: CY4PR09MB14647E9FAC808C6CEBA3BE9DF3750 () CY4PR09MB1464 ! namprd09 ! prod ! outlook ! com
One way to improve the misuse of repeated nonces situation is to derive the AES encryption key from the S_s value, the nonce and the master key.
Quynh.
________________________________
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Dang, Quynh (Fed) <quynh.dang@nist.gov>
Sent: Monday, January 23, 2017 1:43 PM
To: shay@math.haifa.ac.il; agl@google.com; Yehuda.Lindell@biu.ac.il
Cc: cfrg@ietf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
Shay, Adam and Yehuda,
There are 2 things I hope to discuss in this email below.
1) The draft said that "We recommend a limit of 2^50 plaintexts encrypted with a given key. Past this point, AES-GCM-SIV may be distinguishable from an ideal AEAD. (This is based on standard assumptions about AES.)".
To keep the probability of having a collision among 128-bit blocks in the ciphertexts below 1/2^32 (practically zero), it has been suggested that under a given key, the amount of ciphertexts is not more than 2^48 128-bit blocks for the GCM in TLS 1.3.
With 2^50 plaintexts (equivalent amount of ciphertexts), and each ciphertext being up to 2^32 128-bit blocks in the GCM-SIV draft, there can be collision situations.
A. When the ciphertext size is only 1 128-bit block, the probability for a collision is already higher than 1/2^32.
B. The probability for a collision gets bigger when the size of a ciphertext gets bigger.
With the GCM-SIV, the collision issue is under multiple AES encryption keys when the corresponding nonces are unique, which is different from the collision situation described at the beginning for the GCM in TLS 1.3, which is under only one key.
I can't think of a damage to the data owner who sends their encrypted data over a TLS session caused by collision(s) among 128-bit blocks of the ciphertexts. So, I don't have an opinion here.
2) The draft said that "However, we feel that the 2^32 limit for AES-GCM is too risky in a multi-key setting. Thus with AES-GCM-SIV we recommend that, for a specific key, a nonce not be repeated more than 2^8 times. (And, ideally, not be repeated at all.)".
Currently, in the GCM with 96-bit random nonces situation, NIST requires the number of encryptions to be not more than 2^32, so that the probability of a repeat of a pair (key and nonce) is below 1/2^32, under a given key.
With m keys, the probability for a repeat of a pair of (key and nonce) is about m/2^32.
Therefore, it is best to use 96-bit counter-nonces for GCM.
With the GCM-SIV, when a nonce is repeated 2^8 times, the AES-128 encryption key is repeated 2^8 times. The 96-bit nonces for the AES counter mode encryption are practically (pseudo)-random nonces (derived from plaintexts and the master key). The probability for a repeat of a pair of (key and nonce) is about 2^16/2^96 = 2^(-80).
If someone cares about the multi-key situation, such as the amount of keys being 2^50 (2^50 sessions), call the number of sessions 2^x; the probability for a repeat of a pair of (key and nonce) is about 2^(x - 80).
The actual break happens when a pair of (key and nonce) repeats AND at least one 32-bit counter value also repeats with this pair. This problem happens with 100% chance when the ciphertext size is (2^31 + 1) 128-bit blocks or larger.
Call the size of a ciphertext 2^y 128-bit blocks; the probability for having at least one 32-bit counter value repeat is about 2^(y + 1)/2^32 = 1/2^(31 - y) = 2^(y - 31).
So, the number 2^(x - 80) * 2^(y - 31) = 2^(x + y - 111) must be not greater than 2^(-32) in order to keep the probability for a complete break below 2^(-32).
2^(x + y - 111) <= 2^(-32) <==> x + y <= 79.
When y = 32, x <= 79 - 32 = 47.
So, when the plaintext/ciphertext size is 2^32 128-bit blocks, the GCM-SIV might not be good enough for 2^47 (or more) sessions when each session has a nonce repeated 2^8 times, if a user's objective is to protect all of those 2^47 (or more) sessions.
In short, this condition "x + y <= 79" should be respected for the current GCM-SIV draft 3 when the mode is used to protect a large number of sessions (multiple users).
To protect a lot more than 2^47 sessions when the ciphertext size is about 2^32 128-bit blocks, maybe it would be good to require that a nonce must not be repeated. A specific number of repetitions of a nonce allowed can be derived from each pair of x and y if desired.
Best,
Quynh.
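The bound derived in point 2 above, together with the birthday check behind point 1, worked through as an added example; this is not code from the email or from the AES-GCM-SIV draft. It follows the email's own model (x = log2 of the number of sessions, y = log2 of the ciphertext size in 128-bit blocks, r = log2 of how often a nonce is repeated under one key, 2^(-32) as the target) and caps the counter-repeat term at probability 1, which the email says is reached at 2^31 + 1 blocks or more, so it reproduces x + y <= 79 for y up to 31 and also solves for the largest allowed repeat count that the last paragraph mentions.

```python
# Assumption: all arithmetic is done on log2 exponents, exactly as in the
# email's estimate; the constants are the AES-GCM-SIV parameters it quotes.
NONCE_BITS = 96      # 96-bit nonce
COUNTER_BITS = 32    # 32-bit CTR block counter
BLOCK_BITS = 128     # AES block size
TARGET_LOG2 = -32    # "practically zero" threshold used in the email


def log2_birthday_collision(log2_items: int, bits: int = BLOCK_BITS) -> int:
    """log2 of the standard birthday approximation n^2 / 2^(bits+1) for a
    collision among n = 2^log2_items random bits-bit blocks (point 1)."""
    return 2 * log2_items - (bits + 1)


def log2_key_nonce_repeat(x: int, r: int) -> int:
    """log2 probability that some (key, nonce) pair repeats across 2^x sessions
    when each session's key is reused 2^r times with pseudo-random 96-bit
    nonces: (2^r)^2 / 2^96 per session, summed over sessions (union bound)."""
    return x + 2 * r - NONCE_BITS


def log2_counter_repeat(y: int) -> int:
    """log2 probability that a 32-bit counter value repeats within a message of
    2^y blocks: 2^(y+1) / 2^32 from the email, capped at 1 (log2 = 0) because
    the email notes the repeat is certain from 2^31 + 1 blocks on."""
    return min(0, y + 1 - COUNTER_BITS)


def log2_full_break(x: int, y: int, r: int = 8) -> int:
    """A keystream reuse needs both events: a (key, nonce) repeat AND a
    counter repeat under that pair, so the log2 probabilities add."""
    return log2_key_nonce_repeat(x, r) + log2_counter_repeat(y)


def within_bound(x: int, y: int, r: int = 8, target: int = TARGET_LOG2) -> bool:
    """True when 2^x sessions of 2^y blocks with 2^r repeats stay <= 2^target."""
    return log2_full_break(x, y, r) <= target


def max_log2_sessions(y: int, r: int = 8, target: int = TARGET_LOG2) -> int:
    """Largest x with log2_full_break(x, y, r) <= target (the email's x <= 79 - y
    for 2^8 repeats and y <= 31)."""
    return target + NONCE_BITS - 2 * r - log2_counter_repeat(y)


def max_log2_nonce_repeats(x: int, y: int, target: int = TARGET_LOG2) -> int:
    """Largest r (log2 of repeats of one nonce under one key) that keeps the
    break probability <= 2^target for 2^x sessions of 2^y blocks; -1 means
    even a single use (r = 0) does not fit the budget."""
    budget = target + NONCE_BITS - x - log2_counter_repeat(y)
    return budget // 2 if budget >= 0 else -1


if __name__ == "__main__":
    # Point 1: 2^48 blocks under one key stay below 2^-32, while 2^50
    # one-block plaintexts (2^50 blocks) already exceed it.
    print("log2 collision prob, 2^48 blocks:", log2_birthday_collision(48))
    print("log2 collision prob, 2^50 blocks:", log2_birthday_collision(50))
    # Point 2: session budget for a few message sizes, with 2^8 repeats.
    for y in (20, 31):
        print(f"y = {y}: x <= {max_log2_sessions(y)}")
    # The last paragraph's question: how many repeats can 2^50 sessions afford?
    print("max log2 repeats for 2^50 sessions of 2^31 blocks:",
          max_log2_nonce_repeats(50, 31))
```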
________________________________
From: Cfrg <cfrg-bounces@irtf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Wednesday, January 18, 2017 12:30:31 PM
To: i-d-announce@ietf.org
Cc: cfrg@ietf.org
Subject: [Cfrg] I-D Action: draft-irtf-cfrg-gcmsiv-03.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Crypto Forum of the IETF.
Title : AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption
Authors : Shay Gueron
Adam Langley
Yehuda Lindell
Filename : draft-irtf-cfrg-gcmsiv-03.txt
Pages : 45
Date : 2017-01-18
Abstract:
This memo specifies two authenticated encryption algorithms that are
nonce misuse-resistant - that is that they do not fail
catastrophically if a nonce is repeated.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-gcmsiv/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-03
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-gcmsiv-03
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg