Re: [Cfrg] Farfalle-SANSE
Nick Sullivan <nick@cloudflare.com> Thu, 29 November 2018 22:49 UTC
From: Nick Sullivan <nick@cloudflare.com>
Date: Thu, 29 Nov 2018 14:48:55 -0800
To: Gilles Van Assche <gilles.vanassche@st.com>
Cc: cfrg@irtf.org
In-Reply-To: <415bf880-f1ea-d036-c046-b29f19abed5e@st.com>
Message-ID: <CAFDDyk-HD0oCH_1hk9KaBE9U6bk=FvE7XTHMbYbJXQpk1OhJXg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2FuQmCMoqcpztK2Cbr1wdOqZeYo>
Hi Gilles,

I'm interested in this construction but I'd like to know more. What sort of applications do you think this function would have within the IETF? Would it be useful as a general replacement for PRFs in, for example, TLS? Can it leverage hardware-specific instructions?

Best,
Nick

On Fri, Nov 2, 2018 at 5:34 AM Gilles Van Assche <gilles.vanassche@st.com> wrote:
> Dear all,
>
> On a related note, we published at ToSC last year (and presented at FSE 2018) the Kravatte pseudo-random function [1], to which an SIV mode can be attached. More specifically, we recently specified the SIV-based authenticated encryption scheme Kravatte-SANSE [2]. As a feature, it also supports sessions, for use cases where multiple messages are exchanged and where each tag authenticates all messages already sent so far in the session.
>
> This function is based on the 6-round Keccak-p permutation and performs well in software without AES hardware acceleration. For instance, Kravatte-SANSE processes plaintext and metadata at 1.32 cycles/byte on Skylake and at 0.84 c/b on SkylakeX processors.
>
> Would this be of interest to CFRG?
>
> Kind regards,
> Guido, Joan, Seth, Michaël, Gilles and Ronny
>
> [1] https://tosc.iacr.org/index.php/ToSC/article/view/855
> [2] https://keccak.team/2018/kravatte_sane_sanse.html
>
>
> On 4/10/18 12:12, Neil Madden wrote:
> > Hi,
> >
> > I am interested in adapting the SIV construction to other ciphers and MAC algorithms. As currently specified in RFC 5297, the mode is only defined for a MAC (AES-CMAC) that produces a 128-bit tag length. Furthermore, it assumes that the tag length is exactly the same as the nonce/IV required by the cipher (i.e., also 128-bits for AES-CTR). This restriction to limit the authentication strength of the AEAD based on the length of the required nonce for confidentiality seems somewhat artificial to me.
> >
> > As a concrete example, I am interested in SIV constructions based on XSalsa20 (or XChaCha20 as recently proposed on this list) together with some keyed hash MAC, such as HMAC-SHA256 or Blake2. XSalsa20 requires a nonce of 192-bits, while HMAC-SHA256 produces a MAC tag of 256 bits. I have a draft recommending MRAE modes for JOSE, and would like to include one non-AES algorithm that can be implemented well in software on platforms without AES hardware acceleration.
> >
> > I believe that there are just two adaptions needed to make this work:
> >
> > 1. Adjusting the conditional XOR constant used in the doubling operation in s2v (https://tools.ietf.org/html/rfc5297#section-2.3) to account for other field sizes.
> > 2. Defining the nonce used as input to the cipher as the left-most n bits of the authentication tag returned from s2v, where n is the size of the nonce required by the cipher (i.e., the full tag is output, but a truncation of it is used as the nonce).
> >
> > For step 1, based on the comments in [1] and the table of primitive polynomials from [2], I think the polynomials and corresponding constants to use for different values of n (bit length of MAC output) are:
> >
> > n = 128 gives x^128 + x^7 + x^2 + x + 1 and constant = 0^{120}10000111 (= 0x87 with leading 0s)
> > n = 192 gives x^192 + x^7 + x^2 + x + 1 and constant = 0^{184}10000111 (= 0x87 with more leading 0s)
> > n = 256 gives x^256 + x^10 + x^5 + x^2 + 1 and constant = 0^{245}10000100101 (= 0x00..0425)
> >
> > Is this something that CFRG might support if I submitted a draft?
> >
> > Regards,
> >
> > Neil
> >
> > [1]: http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf
> > [2]: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.365.1806&rep=rep1&type=pdf
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
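The two adaptations Neil describes in the quoted message (a field-size-dependent doubling constant for s2v, and truncating the s2v tag to the cipher's nonce length) are worked out below as an added example; it is not code from RFC 5297, from the Keccak team, or from any poster in this thread. It implements the s2v construction of RFC 5297 section 2.4 with the block size taken from the MAC's output length, using the three doubling constants listed in the message, and goes beyond the message by carrying s2v through end to end with HMAC-SHA256 as the n = 256 MAC (an assumption: the message names HMAC-SHA256 and Blake2 as candidates but does not fix one). The demo key is a constructed value, and the final CTR-mode encryption step is left out, since the message only concerns the MAC and nonce halves of SIV.

```python
import hashlib
import hmac
from typing import Callable, Sequence

# Doubling constants per MAC/tag length n (in bits), as listed in the message:
#   n = 128: x^128 + x^7 + x^2 + x + 1    -> 0x87
#   n = 192: x^192 + x^7 + x^2 + x + 1    -> 0x87
#   n = 256: x^256 + x^10 + x^5 + x^2 + 1 -> 0x425
DBL_CONSTANTS = {128: 0x87, 192: 0x87, 256: 0x425}


def dbl(block: bytes) -> bytes:
    """Multiply an n-bit block by x in GF(2^n): shift left one bit and, if a
    bit was carried out of the top, reduce by XORing in the constant."""
    n = len(block) * 8
    if n not in DBL_CONSTANTS:
        raise ValueError(f"no doubling constant known for n={n}")
    x = int.from_bytes(block, "big")
    carry = x >> (n - 1)
    x = (x << 1) & ((1 << n) - 1)
    if carry:
        x ^= DBL_CONSTANTS[n]
    return x.to_bytes(n // 8, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pad(x: bytes, n_bytes: int) -> bytes:
    """RFC 5297 pad(): append a 1 bit then zeros up to one block (x is shorter than a block)."""
    return x + b"\x80" + b"\x00" * (n_bytes - len(x) - 1)


def xorend(a: bytes, b: bytes) -> bytes:
    """RFC 5297 xorend: XOR b into the right-most len(b) bytes of a (len(a) >= len(b))."""
    split = len(a) - len(b)
    return a[:split] + xor(a[split:], b)


def s2v(mac: Callable[[bytes], bytes], n_bytes: int, strings: Sequence[bytes]) -> bytes:
    """RFC 5297 s2v with the block size set to the MAC's output length.
    `mac` is an already-keyed MAC returning exactly n_bytes."""
    if not strings:                       # s2v of the empty vector: MAC(<one>)
        return mac(b"\x00" * (n_bytes - 1) + b"\x01")
    d = mac(b"\x00" * n_bytes)            # D = MAC(<zero>)
    for s in strings[:-1]:                # D = dbl(D) xor MAC(S_i)
        d = xor(dbl(d), mac(s))
    last = strings[-1]
    if len(last) >= n_bytes:              # T = S_m xorend D
        t = xorend(last, d)
    else:                                 # T = dbl(D) xor pad(S_m)
        t = xor(dbl(d), pad(last, n_bytes))
    return mac(t)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def s2v_hmac_sha256(key: bytes, strings: Sequence[bytes]) -> bytes:
    """s2v instantiated with a 256-bit MAC (assumption: HMAC-SHA256), so n = 256."""
    return s2v(lambda m: hmac_sha256(key, m), 32, strings)


def siv_nonce(tag: bytes, nonce_bits: int) -> bytes:
    """Adaptation 2 from the message: the cipher nonce is the left-most nonce_bits
    of the full tag; the full tag is still what gets transmitted and verified."""
    if nonce_bits % 8 or nonce_bits > len(tag) * 8:
        raise ValueError("nonce must be a whole number of bytes no longer than the tag")
    return tag[: nonce_bits // 8]


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not a real secret
    # Associated data first, plaintext last, as in SIV's S2V input vector.
    tag = s2v_hmac_sha256(key, [b"associated data", b"plaintext to encrypt"])
    print("256-bit tag   :", tag.hex())
    print("192-bit nonce :", siv_nonce(tag, 192).hex())  # what XSalsa20/XChaCha20 would consume
```

Because `dbl` keys its constant on the block length, the same `s2v` serves a 128-bit CMAC, a 192-bit MAC, or a 256-bit MAC without further changes; the `ValueError` in `dbl` is the guard a reviewer should look for, since a MAC of an unlisted width would otherwise be silently reduced by the wrong polynomial.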