Add AES-GCM-SIV Nonce-Misuse-Resistant AEAD #412
Comments
briansmith
changed the title
|
See also RIV for Robust Authenticated Encryption. |
|
See also Stronger Security Variants of GCM-SIV. |
|
See these threads:
Also, I'm curious if the idea from https://eprint.iacr.org/2016/564.pdf can be used in some way here, and/or if there are ways of strengthening the nonce construction. |
|
Hey, AES-GCM-SIV uses nonce in its key calculation and the current SealingKey/OpeningKey creates the key in its init function where as in AES-GCM-SIV the key has to be created when you call seal/open. What is a good way to write AES-GCM-SIV impl with being backwards compatible (or) do you suggest writing a new API here like create NonceMisuseResistantAlgorithm and AES-GCM-SIV-128 AES-GCM-SIV-256 being its implementations |
Actually, it is quite similar to ChaCha20-Poly1305, right? In ChaCha20-Poly1305 we derive a new Poly1305 key for each seal/open operation (from chacha20_poly1305.rs): So, I suggest structuring this more like the chacha20-poly1305 code.
If you want to start implementing AES-GCM-SIV as a part of the |
|
Thank you for the pointers and I will implement it similar to chaha20-poly1305. I will implement it and send a PR soon |
|
Hi Brian, |
|
Are the initial users of this going to use it with random nonces? If not, how is the nonce going to be formed? It would be good to learn more about the applications as we consider the implementation. |
|
Yes, the users will use random nonces. In our use case we send the nonce during initial handshakes |
Add a negative ENUMERATED. This is redundant with ASN1Test.NegativeEnumeratedMultistring, but once we fix the X509_NAME value representation, d2i_ASN1_PRINTABLE will be gone. In doing so, I noticed that we weren't really testing re-encoding, so fix that. Also add some negative tests, both capturing actual invalid values, and values which should be valid but aren't due to issue #412. Bug: 412 Change-Id: Iba7f2869607e6361d6cb913416de21a19cdd6275 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/63527 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
The draft spec is at https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv. One version of the paper describing one version of the construct (which might not be what's in the draft) is at https://eprint.iacr.org/2015/102.pdf. Note that the draft is almost definitely going to be updated in a significant way as foretold in https://www.ietf.org/mail-archive/web/cfrg/current/msg08853.html.
BoringSSL and Shay Gueron appear to be working on a highly-optimized implementation. Hopefully we can just take the BoringSSL asm code as-is, so we'd just have to write the upper layer in Rust. With this in mind, we should land changes prototyped in #369 first.
This would be the first purportedly-nonce-misuse-resistant AEAD in ring. We may also need to do additional work, e.g. defining a trait for nonce-misuse-resistant AEADs that is implemented by
AES_128_GCM_SIVandAES_256_GCM_SIVbut not by other AEADs. In order for that to work, we may also need to add an AEAD algorithm trait and hide the struct that's currentlyring::aead::Algorithm.We should do a literature review of papers analyzing the AES-GCM-SIV construct, including in particular whatever new paper Shay will probably write to describe the final version.
The text was updated successfully, but these errors were encountered: