Re: [Cfrg] ISE seeks help with some crypto drafts

mcgrew <mcgrew@cisco.com> Mon, 08 April 2019 13:32 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9DA9120309 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2019 06:32:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivevgz4VUnsM for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2019 06:32:25 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4ACE120302 for <cfrg@irtf.org>; Mon, 8 Apr 2019 06:32:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12541; q=dns/txt; s=iport; t=1554730344; x=1555939944; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=ggjtacdMWujc/LMtmxO226jFrlIgKK4WqTnjhZBxbQg=; b=OeMMnjpn3Z4piMfUDQm0Yn/+bsOyxpVuMbq4y6JQyCqWWDH+P93GIdbv HHSqFSBibQIi9vYKvbXBmHZc4sxYjn7aCvad6OiJIk2X1fFca6yt2wiya q/1CcVCK1I4QWLzqSFvxCy4T5paz7F4eGThhf7BxnJKEbkT805ZvTr960 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAABGTKtc/5FdJa1lDgsBAQEBAQEBAQEBAQEHAQEBAQEBgVEEAQEBAQELAYIQaIEDJwqEBIgcjSt+kVCFeIF7DgEBGAEMhEcChWUiNAkNAQEDAQEJAQIBAm0cDIVKAQEBAQIBAQEhSwYFBQsLCQ8nAwICJx8RBg4FgyIBgW0ID61SgS+ERQMPL0CEWQWBMAGEXIUmgUQXgT9AgREnH4FOSQcuPoJhAQECAQGEZzGCJgOKUYIWLIY3kjwJg06ENYwAGoIFhhaJWIJpjG2FCIppgnMCERWBTziBQgwIcBU7KgGCDQEzPoU7hRSFBFcjAQExAY9MAYEfAQE
X-IronPort-AV: E=Sophos;i="5.60,325,1549929600"; d="scan'208,217";a="545130140"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Apr 2019 13:32:23 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x38DWNhl005130 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Apr 2019 13:32:23 GMT
Received: from rtp-mcgrew-nitro2.cisco.com (10.117.145.147) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 8 Apr 2019 08:32:22 -0500
From: mcgrew <mcgrew@cisco.com>
Message-ID: <3D2D9C29-6FBB-45F5-ABA8-C52D3583C273@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1F7E2104-EE71-4103-AEA6-C986148B9030"
MIME-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Mon, 08 Apr 2019 09:32:08 -0400
In-Reply-To: <35FC8AD5-BF45-4C3E-A0A8-0EA426970DEA@ll.mit.edu>
CC: Eric Rescorla <ekr@rtfm.com>, "<sec-ads@ietf.org>" <sec-ads@ietf.org>, cfrg <cfrg@irtf.org>, Nevil Brownlee <rfc-ise@rfc-editor.org>, "secdir@ietf.org" <secdir@ietf.org>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com> <CABcZeBNxgUsWpgWkUQPVrnaKYRCZud1LvkvQgt_5KX7ZhQ3sSQ@mail.gmail.com> <35FC8AD5-BF45-4C3E-A0A8-0EA426970DEA@ll.mit.edu>
X-Mailer: Apple Mail (2.3445.104.8)
X-Originating-IP: [10.117.145.147]
X-ClientProxiedBy: xch-rtp-001.cisco.com (64.101.220.141) To XCH-ALN-004.cisco.com (173.36.7.14)
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0Lu9nZ9mu2xKAJedux5KYYVEnJc>
Subject: Re: [Cfrg] ISE seeks help with some crypto drafts
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 13:32:28 -0000

Hi Uri,

> On Apr 8, 2019, at 8:30 AM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 
> Well, we *are* interested in OCB and ciphers with block size != 128 bits, even if we won't necessarily document our use in another RFC.

The draft on OCB with general block size needs more usage guidance, as I discussed with Ted and you when the drafts were first discussed last year (please see https://cfrg.irtf.narkive.com/QRDFp12y/rfcs-for-wider-block-rc6-and-ocb#post5).   It is really important that an RFC provide strong guidance to users, as their target audience is implementers and users that might not understand the security ramifications.   I am not opposed to publishing this draft, but I see it as a critical next step to fully document the interest that you mention, either in draft-krovetz-ocb-wideblock or in a document that can be referenced by that one, along with usage guidance on when it is a good idea to do AEAD with a wide block cipher or a small block cipher.   

The general block size draft would be more appealing if it could be tied to a w != 128 cipher that has withstood significant significant cryptanalysis.   For smaller block sizes, this could be one of the modern 64-bit ciphers like PRESENT, SIMON, or SPECK, though I don’t think we should be promoting the use of 64-bit modes of operation for general-purpose use.   For implementation environments where a 64-bit cipher fits better than AES, it would be really attractive to use an AEAD mode that is secure beyond the birthday bound, as a way to compensate for the significant security degradation due to short blocks.   It would be great if we could leverage whatever interest there is in small block ciphers into some momentum towards higher-security modes of operation.  

It looks like the drafts haven’t been updated since they were first posted, though Ted expressed a willingness to update them.

Thanks

David

> 
> Thus, I see your point but disagree with it's apparent conclusion. IMHO the OCB draft should be published. 
> 
> Not sure about RC{5,6} - not my cup of tea.
> 
> Regards,
> Uri
> 
> Sent from my iPhone
> 
> On Apr 8, 2019, at 08:21, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
> 
>> These drafts seem quite low value to publish:
>> 
>> The existing OCB document [RFC 7253] is cited by exactly zero RFCs (https://datatracker.ietf.org/doc/rfc7253/referencedby/ <https://datatracker.ietf.org/doc/rfc7253/referencedby/>), so having a specification for ciphers with block size != 128 seems of particularly low value. 
>> 
>> The existing RC5 document [RFC 2040] has 6 RFC-level citations, but as far as I know, RC5 has practically no usage in IETF protocols. AFAICT, RC6 isn't even specified in an RFC. Thus, test vectors for these algorithms don't seem that interesting.
>> 
>> -Ekr
>> 
>> 
>> 
>> 
>> 
>> On Fri, Mar 8, 2019 at 9:20 AM RFC ISE (Adrian Farrel) <rfc-ise@rfc-editor.org <mailto:rfc-ise@rfc-editor.org>> wrote:
>> Hi CFRG and SecDir,
>> 
>> Ted Krovetz has asked for publication of ...
>> 
>> https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/ <https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/>
>> ....and...
>> https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/ <https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/>
>> 
>> ....in the Independent Stream.
>> 
>> These are both currently in expired state, but available in the archive.
>> 
>> At this stage I am looking to know whether anyone feels that publication
>> would be a bad thing:
>> - at this stage
>> - ever
>> 
>> Please send me your opinions direct (I am not subscribed to this list, but
>> will check the archives).
>> 
>> Please also let me know if you would be willing to be a detailed reviewer
>> of this work.
>> 
>> Thanks,
>> Adrian
>> -- 
>> Adrian Farrel (ISE),
>> rfc-ise@rfc-editor.org <mailto:rfc-ise@rfc-editor.org>
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg