Re: [Cfrg] new authenticated encryption draft
David McGrew <mcgrew@cisco.com> Wed, 20 September 2006 11:53 UTC
To: Tom Shrimpton <teshrim@cs.pdx.edu>
Cc: cfrg@ietf.org
Thanks Tom! FYI, the links to the PDF and PS files are broken on Phil's page at http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html, but I found the docs online at http://eprint.iacr.org/2006/221.

For others: one of the goals of the Eurocrypt paper was to provide 'misuse resistant' authenticated encryption, which has bearing on the AE draft. A formal definition of what it means to resist misuse is given in Section 7.

David

On Sep 20, 2006, at 1:17 AM, Tom Shrimpton wrote:

> Dear CFRG readers,
>
> At the risk of seeming like a shameless self-promoter,
> might I direct your attention to my paper with Phil Rogaway
> "A Provable-Security Treatment of the Key-Wrap Problem",
> which appeared at Eurocrypt this year? In retrospect,
> the title was perhaps poorly chosen: the initial motivation
> for the work was to analyze the NIST/ANS X9.102 proposed
> key-wrapping algorithms, but the main point of the paper
> is a formal study of deterministic authenticated encryption.
> The most recent version of the paper, and the specification
> for our associated Synthetic IV (SIV) blockcipher mode of operation,
> are available at http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.html.
> I've included an abstract, below.
>
> Cheers,
> -Tom
>
> ----------------------
>
> (June-December 2006)          (Permanently)
> Thomas Shrimpton              Thomas Shrimpton
> LACAL/IC                      Dept. of Computer Science
> EPFL                          Portland State University
> Lausanne, Switzerland         Portland, OR USA
> +41.021.693.6685              +1.503.725.5392
> teshrim@cs.pdx.edu
> www.cs.pdx.edu/~teshrim
>
>
> Abstract:
> Standards bodies have been addressing the key-wrap problem,
> a cryptographic goal that has never received a provable-security treatment.
> In response, we provide one, giving definitions, constructions, and proofs.
> We suggest that key-wrap's goal is security in the sense of deterministic
> authenticated-encryption (DAE), a notion that we put forward.
> We also provide an alternative notion, a pseudorandom injection (PRI),
> which we prove to be equivalent. We provide a DAE construction, SIV,
> analyze its concrete security, develop a blockcipher-based instantiation of it,
> and suggest that the method makes a desirable alternative to the schemes
> of the X9.102 draft standard. The construction incorporates a method
> to turn a PRF that operates on a string into an equally efficient PRF
> that operates on a vector of strings, a problem of independent interest.
> Finally, we consider IV-based authenticated-encryption (AE) schemes
> that are maximally forgiving of repeated IVs, a goal we formalize as
> misuse-resistant AE. We show that a DAE scheme with a vector-valued header,
> such as SIV, directly realizes this goal.
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
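An added illustration (not code from the paper, the SIV specification or the AE draft) of the DAE idea the abstract describes: the synthetic IV is a PRF over the vector-valued header plus the plaintext, doubles as the authentication tag, and seeds a counter-mode keystream, so a repeated nonce reveals only whether the same (header, plaintext) pair was encrypted twice. The vector PRF and keystream are HMAC-SHA256 stand-ins and the key is a constructed demo value; the paper's blockcipher-based instantiation is not reproduced here.

```python
import hmac
import hashlib

DEMO_KEY = bytes(range(64))  # constructed demo key: 32 bytes PRF key, 32 bytes keystream key

def _prf_vector(key, *parts):
    """PRF over a vector of strings (assumed HMAC-SHA256 stand-in for the paper's
    vector PRF); length-prefixing keeps [b"ab", b"c"] and [b"a", b"bc"] distinct."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big"))
        h.update(p)
    return h.digest()[:16]          # 128-bit synthetic IV / tag

def _keystream(key, iv, n):
    """Counter-mode keystream seeded by the synthetic IV (HMAC stand-in for CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def siv_encrypt(key, header, plaintext):
    """Deterministic AE: IV = PRF(header..., plaintext) serves as both tag and CTR
    seed.  header is a list of byte strings, e.g. [associated_data, nonce]."""
    k1, k2 = key[:32], key[32:]
    iv = _prf_vector(k1, *header, plaintext)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(k2, iv, len(plaintext))))
    return iv + body

def siv_decrypt(key, header, ciphertext):
    """Decrypt, recompute the IV over the recovered plaintext, and compare it in
    constant time; any change to header or ciphertext is rejected."""
    k1, k2 = key[:32], key[32:]
    if len(ciphertext) < 16:
        raise ValueError("ciphertext too short")
    iv, body = ciphertext[:16], ciphertext[16:]
    plaintext = bytes(a ^ b for a, b in zip(body, _keystream(k2, iv, len(body))))
    if not hmac.compare_digest(_prf_vector(k1, *header, plaintext), iv):
        raise ValueError("authentication failed")
    return plaintext

def repeated_iv_reveals_equality(key, nonce, ad, pt1, pt2):
    """Misuse case: two messages under the SAME nonce.  True iff the ciphertexts
    coincide, i.e. a repeated IV only reveals whether (header, plaintext) repeated."""
    c1 = siv_encrypt(key, [ad, nonce], pt1)
    c2 = siv_encrypt(key, [ad, nonce], pt2)
    return c1 == c2
```

Because the IV depends on the plaintext, two distinct messages under one nonce get unrelated keystreams, unlike a plain CTR-based AE where the XOR of the two ciphertexts would equal the XOR of the plaintexts.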