Re: [Cfrg] Streaming AEAD
Mridul Nandi <mridul.nandi@gmail.com> Wed, 19 February 2014 05:09 UTC
Return-Path: <mridul.nandi@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0258B1A0558 for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 21:09:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.378
X-Spam-Level:
X-Spam-Status: No, score=-0.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, MISSING_HEADERS=1.021, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hfh75f6Zw-wS for <cfrg@ietfa.amsl.com>; Tue, 18 Feb 2014 21:09:18 -0800 (PST)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) by ietfa.amsl.com (Postfix) with ESMTP id C6A871A04B7 for <cfrg@irtf.org>; Tue, 18 Feb 2014 21:09:17 -0800 (PST)
Received: by mail-lb0-f178.google.com with SMTP id u14so12822319lbd.37 for <cfrg@irtf.org>; Tue, 18 Feb 2014 21:09:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:cc :content-type; bh=C65blrJiGeTMqrHkva9ZrzzT0kZSh9tIO7N6iZrwbuU=; b=cebjFcp82/YIzzXRoVQObuaC1yU2v9qwkKFZ5tuUQnDc2YtQE2hB+wv3XQVieQUtRe t9OG2VPejJLBZya7UVdGlkfTKtGlPF7dPD7J/1/Cu3DVkUpuGto6/ALQlmnLJrhi/I/c WYB+pUYcfAUU7I6U19P8yG/GPKcgBT3AS9G9dWjce/OBcrWMA5NWelY9WzsqlmZR0eM4 cNtjyu+DvgKgSTGuaUPyP3CvbvwTJPdOGz+tSWZr1j4vnlRk3sOr8uaKp4R3Zf0nSrV3 nWQzEs5WCCEDkIkLBpJNVBvW3GRjV/CoJFaBdCHgdPIw7z2XcVjlPRXl+A7ZrGylHL4e RAnA==
X-Received: by 10.152.22.1 with SMTP id z1mr962539lae.39.1392786553869; Tue, 18 Feb 2014 21:09:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.114.217.231 with HTTP; Tue, 18 Feb 2014 21:08:53 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com>
References: <9A043F3CF02CD34C8E74AC1594475C7372375D64@uxcn10-tdc06.UoA.auckland.ac.nz> <53035EC7.8010607@cisco.com> <255B9BB34FB7D647A506DC292726F6E1153B6AA83D@WSMSG3153V.srv.dir.telstra.com>
From: Mridul Nandi <mridul.nandi@gmail.com>
Date: Wed, 19 Feb 2014 10:38:53 +0530
Message-ID: <CAJBmYM9ED6NUjNPWBQLdjsztjVv41G4Aq-H5aQxysf2tv1Qc0w@mail.gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="089e0158b938ca97da04f2bb6346"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/-gqzHO02mQh0abi0eDgMdHR16-o
Subject: Re: [Cfrg] Streaming AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2014 05:09:21 -0000
Dear ALL, When we have limited buffer or we need to release the computation of message and ciphertext in a regular interval, we can go for AEAD which supports intermediate tag. You may have a look on section 6 of our paper http://eprint.iacr.org/2013/767.pdf which talks about intermediate tag. Computation of intermediate tag in our construction is very less. Thanks and regards, Mridul Nandi Assistant Professor Indian Statistical Institute Kolkata On Wed, Feb 19, 2014 at 9:29 AM, Manger, James < James.H.Manger@team.telstra.com> wrote: > > >> What is needed is a way to use an AEAD algorithm to secure a message > in > > >> chunks. Streaming-AEAD would allow a recipient to know they have > received an > > >> authentic prefix of a message. It would allow crypto APIs to support > > >> streaming modes while never returning unauthentic plaintext. > > > > I think the means of doing this is going to be protocol-specific, > since it > > > depends on the PDU format being used. > > Not necessarily. > I was thinking we could define a new alg identifier such as > "AEAD_AES_128_OCB_TAGLEN96/10K", meaning OCB on 10 KB chunks. > Once the 10228th byte (10KB - 96 bits) of plaintext is streamed > to the encrypt function, it finishes the first AEAD operation and > inserts a 96-bit tag into the ciphertext. A decryption function > caches the ciphertext it is streamed until it reaches a 10KB > boundary then it returns 10228 bytes of plaintext. > > An app sees a different alg id, but doesn't need to notice that > the ciphertext PDU is actually ct tag ct tag ct tag... > [It might need to know which nonces have been used internally though!] > > > > I think that's right. It still makes sense to consider what should be > > going on above the AEAD layer, in a generic sense. > > > > > For things like SSL/TLS and SSH the > > > problem is already solved since data amounts are quantised to the > > protocol > > > data packet size, > > > > I hope that's right. I am not sure that SSL/TLS implementers would be > > comfortable if they could never use the decryptUpdate function though. > > > > > for store-and-forward protocols like PGP and S/MIME you'd > > > need to add a mechanism for it in a PGP/SMIME-specific manner, but > > then you'd > > > also need to figure out how to communicate it to the other side... > > and then > > > you're back to relying on ad-hoc mechanisms. > > > > > > When I had to do this years ago I used something like: > > > > > > len1 || data1 || h1 = HMAC( len1 || data1 ), > > > len2 || data2 || h2 = HMAC( h1 || len2 || data2 ), > > > len3 || data3 || h3 = HMAC( h2 || len3 || data3 ), > > > ... > > > > > > A length of 0 indicated end-of-contents. > > > > Interesting, is there a writeup? > > > So for packetizing plaintext for ~AEAD chunks: > * TLS puts a sequence number in the AAD; > * Peter (sort of) puts a tag for the previous prefix in the AAD; > * I suggested using sequential nonces and a start/middle/end flag; > * AERO hides the details in state; > * Pipelineable On-Line Encryption randomizes unauthentic plaintext. > > > My only concern with putting state (eg sequence number, byte count, > previous hash) into AAD is that you need something at a higher layer to > ensure that AEAD(X||Y,P) is always interpreted as "chunk mode with state=X, > user-provided-AAD=Y", and never as "non-chunk mode with > user-provided-AAD=X||Y". You probably cannot safely use 1 key in chunk and > non-chunk modes. > > -- > James Manger > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- Re: [Cfrg] Streaming AEAD Peter Gutmann
- [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD Jean Paul Degabriele
- Re: [Cfrg] Streaming AEAD Manger, James
- Re: [Cfrg] Streaming AEAD Mridul Nandi
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David McGrew
- Re: [Cfrg] Streaming AEAD David Jacobson