Wow, QUIC Retry Packets use AES-GCM with a fixed key/nonce, empty plaintext, and associated data prefixed with a secret as a sort of MAC. That's... terrifying?
They essentially do MAC(K, v) = AES-GCM(key=const, nonce=const, plaintext=empty, aad=K||v). Does that actually hold?
@filippo I don't think a MAC is the right model since the key+nonce is public and fixed - more akin to a hash function chosen from a family of PRFs. MAC CCA security doesn't apply (since key is known). MAC Committing security is too strong (since key is fixed / not attacker controlled).
So it's more akin to whether GCM with a fixed public key and nonce is first/second pre image resistant? Even if not, it still retains some security provided the function image is large enough.
@dennisjackson The RFC claims that knowledge of the original connection ID is needed to forge packets, so the actual "MAC key" is the OCID. Ignore the actual GCM fixed key.
The OCID is just a prefix of the packet, so essentially the RFC claims that GHASH(K || v) is a MAC, which it is definitely not.
However, I generally agree that retry packets don't really need a MAC, so I think it's just a case of the RFC making too strong a claim, not of anything being broken in practice.
Filippo Valsorda
Henryk Plötz
Dennis Jackson
asante
bkk