Re: [Cfrg] Do we need a selection contest for AEAD?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 19 June 2020 18:29 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Thomas Peyrin <thomas.peyrin@gmail.com>
CC: CFRG <cfrg@irtf.org>
Date: Fri, 19 Jun 2020 18:29:34 +0000
Message-ID: <BN7PR11MB2641312028C25C3E71713065C1980@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com> <CAA0wV7TXftZXeteCy3=N_4ezXRTL852_R1kCCPYGFEhQNHGw2Q@mail.gmail.com> <4CFDB50C-6281-4AC8-A9DF-D0F79BF58C5C@ll.mit.edu> <CAA0wV7SjS8OA+QEPN6Dip09Y2Sp5=4WJkTVkRa2O0gnZf_m54w@mail.gmail.com> <924F2899-4D89-4691-80DD-73FD9EDAA520@ll.mit.edu>
In-Reply-To: <924F2899-4D89-4691-80DD-73FD9EDAA520@ll.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1B8a6o2eT8wj1dwhHKoSQE91R-M>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

The other thing of concern is “once you’ve found one forgery, how difficult is it to find another?”  For some AEADs (GCM, Poly1305-based), it’s easy; for other AEADs (HMAC-based), it’s not.

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
Sent: Friday, June 19, 2020 2:20 PM
To: Thomas Peyrin <thomas.peyrin@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?

Yes. We recommend to use a tag size of 128 bits for our mode,

Yes I realize that. ;-)

but in case a smaller tag size \tau is required, the security claims will drop according to \tau.

Could you please provide the exact relationship between \tau, number of messages (or encrypted blocks), and, e.g., the probability of collision? I’m looking for the formulas binding those together.

Thanks!


---------- Forwarded message ---------
From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Date: Sat, 20 June 2020 at 01:51
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
To: Thomas Peyrin <thomas.peyrin@gmail.com>, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>

Can you provide/compute security bounds for truncated synthetic IV?  Some (niche) use cases require it.

From: Cfrg <cfrg-bounces@irtf.org> on behalf of Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Friday, June 19, 2020 at 1:47 PM
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?

Dear all,

I will be actually sending an RFC draft of Deoxys in the coming weeks like I promised a few months ago (really sorry, with the COVID-19 confinement and young kids at home, I couldn't advance on it). It will contain a misuse-resistant mode (with stronger guarantees than AES-GCM-SIV), a leakage-resilient mode with different levels of resilience, and the possibility to encrypt 2^124 bytes per key. We are currently analyzing the INT-RUP security of it. All this for about the same efficiency as AES-GCM-SIV.

Regards,

Thomas.


On Sat, 20 June 2020 at 01:32, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
Dear CFRG,

The chairs would like to ask for opinions whether it seems reasonable to initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes and recommend a mode (or several modes) for the IETF.

We’ve recently had a CAESAR contest, and, of course, its results have to be taken into account very seriously. In addition to the properties that were primarily addressed during the CAESAR contest (like protection against side-channel attacks, authenticity/limited privacy damage in case of nonce misuse or release of unverified plaintexts, robustness in such scenarios as huge amounts of data), the following properties may be especially important for the usage of AEAD mechanisms in IETF protocols:
1) Leakage resistance.
2) Incremental AEAD.
3) Commitment AEAD (we've had a discussion in the list a while ago).
4) RUP-security (it was discussed in the CAESAR contest, but the finalists may have some issues with it, as far as I understand).
5) Ability to safely encrypt a larger maximum number of bytes per key (discussed in QUIC WG).

Does this look reasonable?
Any thoughts about the possible aims of the contest?
Any other requirements for the mode?
Regards,
Stanislav, Alexey, Nick
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
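Scott's remark that GCM forgeries compose, shown in code. This is an added example, not code from the thread or from any of its participants. GCM's tag is T = GHASH_H(A, C) XOR E_K(J0), with H = AES_K(0^128) a single GF(2^128) element and GHASH linear in the data blocks; so whoever knows H and holds one valid (A, C, T) for a nonce can strip off E_K(J0) and tag any (A', C') under that nonce, at any truncation length. The example assumes the attacker already knows H (how it was learned, whether by nonce reuse or via the information a first lucky short-tag forgery leaks, is outside its scope) and uses test cases 1 and 2 of the GCM specification (K = 0, IV = 0^96) as the "captured" traffic, so the forgery can be checked against a published tag without running AES. The function names (`gf_mul`, `ghash`, `recover_ek_j0`, `forge_tag`, `demo`) are my own.

```python
# Added example, not from the CFRG thread: GCM's tag is
#   T = GHASH_H(A, C) XOR E_K(J0),   H = AES_K(0^128),
# an affine function of the data with a single secret GF(2^128) element H.
# Given H and one valid (A, C, T) for a nonce, E_K(J0) falls out, and every
# (A', C') under that nonce can then be tagged, at any truncation length.
# Assumption: the attacker has already learned H; this script does not
# recover H, it shows what H buys. The "captured" values are test cases 1
# and 2 of the GCM specification (K = 0^128, IV = 0^96), not real traffic.

R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1, GCM bit order


def gf_mul(x: int, y: int) -> int:
    """GCM's GF(2^128) multiplication (spec Algorithm 1).

    Ints are big-endian readings of 16-byte blocks, so the spec's bit x_0
    (leftmost) is the top bit of the int and "rightmost bit of V" is v & 1.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks as ints, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): Horner evaluation of the data polynomial at H."""
    hk = int.from_bytes(h, "big")
    y = 0
    for blk in list(_blocks(aad)) + list(_blocks(ct)):
        y = gf_mul(y ^ blk, hk)
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(y ^ length_block, hk).to_bytes(16, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def recover_ek_j0(h: bytes, aad: bytes, ct: bytes, tag: bytes) -> bytes:
    """One valid full-length tag plus H gives the per-nonce mask E_K(J0)."""
    return xor(tag, ghash(h, aad, ct))


def forge_tag(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes, tau_bits: int = 128) -> bytes:
    """Valid tag for arbitrary (A', C') under the same nonce, truncated to tau bits.

    Truncation is a prefix, so a forgery for the full tag is a forgery for
    every shorter tag length at once.
    """
    if tau_bits % 8 or not 0 < tau_bits <= 128:
        raise ValueError("tau must be a multiple of 8 in 8..128")
    return xor(ghash(h, aad, ct), ek_j0)[: tau_bits // 8]


# GCM spec test case 2: the "captured" message (K = 0^128, IV = 0^96, P = 0^128).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")  # AES_K(0^128)
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
T_TC2 = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")
# GCM spec test case 1: same K and IV, empty plaintext. Its tag is E_K(J0)
# itself, which lets the forgery below be checked without running AES.
T_TC1 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")


def demo() -> dict:
    ek_j0 = recover_ek_j0(H_TC2, b"", C_TC2, T_TC2)
    # Forgery 1: a different message (the empty one) under the same nonce.
    forged_empty = forge_tag(H_TC2, ek_j0, b"", b"")
    # Forgery 2: attacker-chosen ciphertext (every bit flipped), 64-bit tag.
    flipped = bytes(b ^ 0xFF for b in C_TC2)
    forged_flipped_64 = forge_tag(H_TC2, ek_j0, b"", flipped, tau_bits=64)
    return {
        "ek_j0": ek_j0,
        "forged_empty": forged_empty,
        "forged_flipped_64": forged_flipped_64,
    }


if __name__ == "__main__":
    results = demo()
    for name, value in results.items():
        print(f"{name:18s} {value.hex()}")
    print("forged tag for empty message matches spec test case 1:",
          results["forged_empty"] == T_TC1)
```

The forged tag for the empty message comes out equal to the spec's own test case 1 tag, which is the check that the recovered mask is right; from there any ciphertext under that nonce, at any tag length, costs one GHASH. The HMAC-based constructions Scott contrasts this with have no analogue of H: a forgery that succeeds against a truncated HMAC tag is one (message, tag) pair and nothing more, and the next attempt starts again at 2^-τ.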