IETF Logo Mail Archive

[CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits

Martin Thomson <mt@lowentropy.net> Tue, 11 March 2025 06:48 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E71EA9DE450 for <cfrg@mail2.ietf.org>; Mon, 10 Mar 2025 23:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="emewFl0s"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="8Z5sV55z"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPCELjeDYFlD for <cfrg@mail2.ietf.org>; Mon, 10 Mar 2025 23:48:04 -0700 (PDT)
Received: from fout-b8-smtp.messagingengine.com (fout-b8-smtp.messagingengine.com [202.12.124.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 89CD79DE430 for <cfrg@irtf.org>; Mon, 10 Mar 2025 23:48:04 -0700 (PDT)
Received: from phl-compute-07.internal (phl-compute-07.phl.internal [10.202.2.47]) by mailfout.stl.internal (Postfix) with ESMTP id 15BF111401E8 for <cfrg@irtf.org>; Tue, 11 Mar 2025 02:48:04 -0400 (EDT)
Received: from phl-imap-01 ([10.202.2.91]) by phl-compute-07.internal (MEProxy); Tue, 11 Mar 2025 02:48:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1741675683; x=1741762083; bh=QoAYSdcVOW2y40oghAIk33Lo8T+bbnFz0XY/P5G4pL8=; b= emewFl0sElkB86mAH2EouqUnO9WQUkIITmkrpiKuLLyiIWC992b4sci3YBC4oavl PigeM8fLtCFcV8s+bY+zEQunsdTJL8EQH9q8AOf1JMD79O/aeQexK2ni9bfgck/0 olfjuj2FazEmv9VEhVRZRaBQRyPQr8CgGF/E0dlXoq0N2JUV6tnmOlGQ3cdTxUTF g6L0Cyg1IWE2oQAbBRvpSY83p8Z5kxqtLS1dz/Avz5fjHBKsPVl2rO7v5GX0vWKi qYP610nLjQ8IdfURWVMzcK7C0sCuZPE6J+tD7++j8Z+RWfAj6KIu3tR+F/HXnme/ QhhzLewR67ktgR9k405PYw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; t=1741675683; x=1741762083; bh=Q oAYSdcVOW2y40oghAIk33Lo8T+bbnFz0XY/P5G4pL8=; b=8Z5sV55zUKOIjlazN Ozyz2xljo6D7cXkodNIPSLBStQ+mb8Dr+Uhk9o7tZe+lDtyijlAAhxK+3XraDVd1 UwOIA8/VzjozZ15MiUPKIxoI+HllpZOEcHyuzJ1VkErtV9qH6WJJ3hBimYmiRRds hQ3TRvSM4Rtpp01SB/qs+wKpC8Q6QoMNJT1alBN0k4UHLMmWXS+ATVcklKNt8vEi nUbdN4dksDhRTDMernvfwbIqK8Wguh26//ayh1OGVSsl6QbH6dJVTRfe3Mvxssoe HAZVhUuf4/1YKWGIlgBzoEtcEV1qn6SScyQB2vL+AjBfrh27UtK1FP77DVAsk0GN Qr6EQ==
X-ME-Sender: <xms:o9zPZxbUcZUgwhCm3bgzoMdNGjWBSfyl-WWuW8PvLJO7x1Afgr8JUQ> <xme:o9zPZ4YtQcZcPy49u4pen6L8kJUOKnNofHXsW0fTfTLOSPN-3MviuOijXwMNNec0b WwYFs06mwvaBZh5maQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgdduvdduheehucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefogg ffhffvkfgjfhfutgfgsehtjeertdertddtnecuhfhrohhmpedfofgrrhhtihhnucfvhhho mhhsohhnfdcuoehmtheslhhofigvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrh hnpedtffevieefvddviefhudefleeggfeggffghfelleetieejhefggfduleffueefhfen ucffohhmrghinhepuhgtshgurdgvughunecuvehluhhsthgvrhfuihiivgeptdenucfrrg hrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvthdpnhgspghr tghpthhtohepuddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtoheptghfrhhgsehirh htfhdrohhrgh
X-ME-Proxy: <xmx:o9zPZz8ejxvk2yRlK005e1ASjF5zpcmeCqWE3I-6ZwdDWnmoXhQhLw> <xmx:o9zPZ_rmExq6q8BZnkNOx_WhanFN_zTOq1iJ9RhAJ267-J7jIffHXg> <xmx:o9zPZ8q4ufJt5dFd1iKzrirreIjBBCcKcLiaPP26bB6cwPM55794hA> <xmx:o9zPZ1TGNzwVWKM5qGL7piDXUA3ARtsE3x-zw_M9FQNXTxkhF4rxQA> <xmx:o9zPZzQkpBmUhhkzRiZ0K5QQ7iD2piX9UqYnovV5iSk1LEhJMWee9Oj5>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 922113360079; Tue, 11 Mar 2025 02:48:03 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: T023edbf6ad1a257a
Date: Tue, 11 Mar 2025 17:47:43 +1100
From: Martin Thomson <mt@lowentropy.net>
To: cfrg@irtf.org
Message-Id: <be5a2807-29a4-4e66-8ea7-cc1a5acd200f@betaapp.fastmail.com>
In-Reply-To: <CABATvwgQR64RxEyvHJGudL1KipTR4k9ZCh_TbX_Ch3oK7ZGRyQ@mail.gmail.com>
References: <AS5PR07MB9675B4B72C3E7956A5DCA1D089CA2@AS5PR07MB9675.eurprd07.prod.outlook.com> <20250306143247.85841.qmail@cr.yp.to> <CABATvwhCiuqzXOaGzV8Q+yB88SONw5zYJMtDU9NSyLk=cpr3Ww@mail.gmail.com> <CABATvwjU=6Br5fyqS=j-2nUJxsU9LTa2PGHjviANWS40Qw5Jfg@mail.gmail.com> <CABATvwgQR64RxEyvHJGudL1KipTR4k9ZCh_TbX_Ch3oK7ZGRyQ@mail.gmail.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Message-ID-Hash: JNMUANAODBDSMEZFOEKR3NZ3IY2LAVD6
X-Message-ID-Hash: JNMUANAODBDSMEZFOEKR3NZ3IY2LAVD6
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/23S8kYXAUILl2ppS_TPBRdCl5as>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

On Sat, Mar 8, 2025, at 06:35, Mihir Bellare wrote:
> "Rekeying uses a lightweight transform to produce new keys." Not sure 
> what is meant; is a function being applied to an existing key to derive 
> subkeys? If so, I am not sure it is quite true that "Rekeying 
> effectively resets progress toward single-key limits". Analyses of 
> rekeying that I know (eg. [AB00] 
> <https://cseweb.ucsd.edu/~mihir/papers/rekey.pdf>) do show some 
> improvement but not to the extent of resetting to single-key limits, 
> and it also depends on how the rekeying is done. But I may be missing 
> other analyses or what is meant by rekeying or what is meant by the 
> phrase in quotes.

I think that Felix already replied to others about how we had some text about rekeying that was flat-out wrong, or at least misleading.

> The attacker success probability also depends on its running time, 
> denoted o in the table, but I am not sure if, or how, this is getting 
> taken into account in the bounds. Yet it does (or should) affect them. 
> For example, 5.1.1 says 
>
> CA <= ((s + q + 1)^2) / 2^129
>
> So if s=q=1 this says CA <= 9/2^{129} but this isn't true for any 
> realistic running time for the attacker. For example if o = 2^{64} 
> (which may even be over optimistic) then even with s=q=1 we have CA > 
> 2^{64}/2^k which is 1/2^{64} if k=128. So running time sets some lower 
> limits on CA regardless of s,q, and this will also affect the bound on 
> q+s which would be a function of o in addition to p. Another dimension 
> is that currently Section 5 gives the same bounds for AEAD_AES_128_GCM 
> and AEAD_AES_256_GCM but when attacker running time is considered we 
> would expect to see differences due to the different values of k, and 
> the bounds should be better for k=256. Perhaps the draft is making some 
> assumptions or approximations here that I am missing?

The draft currently says that offline work, o, is only a factor for our multi-user analysis, which seems wrong for exactly the reasons you state.  The MU analysis sets out its assumptions about o, such as assuming that o <= q + v in the GCM analysis (that is, the attacker is assumed to be unable to out spend all other users of the cipher); ChaCha20Poly1305 would require absurd values for o (or extremely low attack probability) to clear its 2^247.

Of course, I can see why the GCM result is questionable if you consider that the point of the exercise is to place an upper bound on both q and p.  If you look at the tables, you might choose a value of p + q of ~2^37, which is clearly a long way short of a difficult task.

As for the single user analysis, it seems like we should integrate o into estimates, if only to pick a value that we think sets a reasonable bound on the advantage.  In most of the papers we cite, offline work is not considered directly, so presumably it is inherent in the baseline PRP (or PRF) advantage, which is easy to look past when it isn't the main contributor to advantage.  (It's possible I haven't correctly restored state regarding the necessary papers here; the translation of notation is thorny, but I think that's right.)

With that in mind, we can make some pretty firm general statements about the limits implied by relying on a PRP and the amount of offline work that might be deployed.  That is, if you set a target advantage of 2^-50, then you are inherently assuming that o is significantly less than 2^n*2^-50 or that term would be what determines the advantage that an attacker gains.  Would that sort of thing help?

v2.43.4 | Report a Bug | By Email | System Status