Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

Neil Madden <neil.e.madden@gmail.com> Thu, 04 October 2018 14:15 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Date: Thu, 04 Oct 2018 15:15:01 +0100
Cc: "cfrg@ietf.org" <cfrg@ietf.org>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0IjZUTirjOfhNj41rYlIGaDSLPU>
Subject: Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

I have had a look. As I understand it the only MRAE design still in the finalists is Deoxys-II, which is itself based on the AES round function.

— Neil

> On 4 Oct 2018, at 13:05, Paterson, Kenny <Kenny.Paterson@rhul.ac.uk> wrote:
> 
> Dear Neil,
> 
> Speaking without my co-chair hat on: I think this could be interesting and useful. Have you by any chance looked at the portfolio of AEADs that has come out of the CAESAR competition to see if any of them would meet your needs?
> 
> https://competitions.cr.yp.to/caesar-submissions.html
> 
> Best wishes,
> 
> Kenny
> 
> 
> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Neil Madden <neil.e.madden@gmail.com>
> Date: Thursday, 4 October 2018 at 11:12
> To: "cfrg@ietf.org" <cfrg@ietf.org>
> Subject: [Cfrg] Extending SIV to other ciphers and MAC algorithms
> 
>    Hi,
> 
>    I am interested in adapting the SIV construction to other ciphers and MAC algorithms. As currently specified in RFC 5297, the mode is only defined for a MAC (AES-CMAC) that produces a 128-bit tag length. Furthermore, it assumes that the tag length is exactly the same as the nonce/IV required by the cipher (i.e., also 128 bits for AES-CTR). This restriction to limit the authentication strength of the AEAD based on the length of the required nonce for confidentiality seems somewhat artificial to me.
> 
>    As a concrete example, I am interested in SIV constructions based on XSalsa20 (or XChaCha20 as recently proposed on this list) together with some keyed hash MAC, such as HMAC-SHA256 or Blake2. XSalsa20 requires a nonce of 192 bits, while HMAC-SHA256 produces a MAC tag of 256 bits. I have a draft recommending MRAE modes for JOSE, and would like to include one non-AES algorithm that can be implemented well in software on platforms without AES hardware acceleration.
> 
>    I believe that there are just two adaptations needed to make this work:
> 
>    1. Adjusting the conditional XOR constant used in the doubling operation in s2v (https://tools.ietf.org/html/rfc5297#section-2.3) to account for other field sizes.
>    2. Defining the nonce used as input to the cipher as the left-most n bits of the authentication tag returned from s2v, where n is the size of the nonce required by the cipher (i.e., the full tag is output, but a truncation of it is used as the nonce).
> 
>    For step 1, based on the comments in [1] and the table of primitive polynomials from [2], I think the polynomials and corresponding constants to use for different values of n (bit length of MAC output) are:
> 
>    n = 128 gives x^128 + x^7 + x^2 + x + 1 and constant = 0^{120}10000111 (= 0x87 with leading 0s)
>    n = 192 gives x^192 + x^7 + x^2 + x + 1 and constant = 0^{184}10000111 (= 0x87 with more leading 0s)
>    n = 256 gives x^256 + x^10 + x^5 + x^2 + 1 and constant = 0^{245}10000100101 (= 0x00..0425)
> 
>    Is this something that CFRG might support if I submitted a draft?
> 
>    Regards,
> 
>    Neil
> 
>    [1]: http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf
>    [2]: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.365.1806&rep=rep1&type=pdf
>
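The generalised S2V sketched in the quoted post, as an added example that is not part of the thread: dbl() uses the three constants listed above, HMAC-SHA256 is the PRF (n = 256, constant 0x425), and the cipher nonce is the left-most 192 bits of the tag as in step 2. The XSalsa20/XChaCha20 encryption step is omitted because Python's standard library has no such cipher, and it is assumed that the `<zero>`, `<one>` and pad() definitions of RFC 5297 generalise from 128 to n bits.

```python
import hmac
import hashlib

# Doubling constants for the field polynomials listed in the post
# (the polynomial with its x^n term dropped, written as an integer):
#   n=128: x^128 + x^7 + x^2 + x + 1    -> 0x87
#   n=192: x^192 + x^7 + x^2 + x + 1    -> 0x87
#   n=256: x^256 + x^10 + x^5 + x^2 + 1 -> 0x425
DBL_CONST = {128: 0x87, 192: 0x87, 256: 0x425}


def dbl(block: bytes) -> bytes:
    """RFC 5297 dbl() generalised: multiply an n-bit string by x in GF(2^n)."""
    n = len(block) * 8
    v = int.from_bytes(block, "big") << 1
    if v >> n:                      # carry out of the top bit: reduce mod the polynomial
        v ^= (1 << n) | DBL_CONST[n]
    return v.to_bytes(len(block), "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def s2v(prf, key: bytes, strings: list, n_bytes: int) -> bytes:
    """S2V (RFC 5297 section 2.4) with the block size set to the PRF output length."""
    if not strings:                 # S2V of the empty vector is PRF(<one>)
        return prf(key, bytes(n_bytes - 1) + b"\x01")
    d = prf(key, bytes(n_bytes))    # D = PRF(<zero>)
    for s in strings[:-1]:          # D = dbl(D) xor PRF(S_i) for all but the last string
        d = xor(dbl(d), prf(key, s))
    last = strings[-1]
    if len(last) >= n_bytes:        # T = Sn xorend D: XOR D onto the rightmost n bits of Sn
        t = last[:-n_bytes] + xor(last[-n_bytes:], d)
    else:                           # T = dbl(D) xor pad(Sn), pad = 1 then zeros to n bits
        t = xor(dbl(d), last + b"\x80" + bytes(n_bytes - len(last) - 1))
    return prf(key, t)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def siv_tag_and_nonce(mac_key: bytes, ad: list, plaintext: bytes, nonce_bits: int = 192):
    """Full 256-bit S2V tag plus its left-most nonce_bits, to be fed to the cipher as the nonce."""
    tag = s2v(hmac_sha256, mac_key, ad + [plaintext], 32)
    return tag, tag[:nonce_bits // 8]
```

The full tag is what the receiver verifies; only its 192-bit prefix is reused as the cipher nonce, so the authentication strength is no longer tied to the nonce length.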