IETF Logo Mail Archive

Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?

"Jim Schaad" <ietf@augustcellars.com> Thu, 10 December 2015 19:36 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A9E81AD289 for <cfrg@ietfa.amsl.com>; Thu, 10 Dec 2015 11:36:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lnPWXzUE765e for <cfrg@ietfa.amsl.com>; Thu, 10 Dec 2015 11:36:44 -0800 (PST)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20C641AD365 for <Cfrg@irtf.org>; Thu, 10 Dec 2015 11:36:44 -0800 (PST)
Received: from hebrews (c-24-21-96-37.hsd1.or.comcast.net [24.21.96.37]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 2D0A32CA32; Thu, 10 Dec 2015 11:36:43 -0800 (PST)
From: Jim Schaad <ietf@augustcellars.com>
To: "'Blumenthal, Uri - 0553 - MITLL'" <uri@ll.mit.edu>, 'Björn Edström' <be@bjrn.se>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
References: <5668D26F.2020200@cs.tcd.ie> <5668D7A3.1070103@cs.tcd.ie> <A03EFDDF-DDA7-49E0-B0F4-64B50D0BB8EF@gmail.com> <56694CB0.4020503@cs.tcd.ie> <CAA4PzX2WFOJKe0qMST01n9WPV7HJHMkAjgBviaQZ9LTPne-_eg@mail.gmail.com> <D28EFC16.23CBC%uri@ll.mit.edu>
In-Reply-To: <D28EFC16.23CBC%uri@ll.mit.edu>
Date: Thu, 10 Dec 2015 11:33:57 -0800
Message-ID: <01b801d13381$b6f9d880$24ed8980$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-Language: en-us
Thread-Index: AQLfQQIZ6lkrPiNxPbI19eLWNb5S4AHRME89ArTNY1cCOOGk7QKX793gAplpIoecSP+FwA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/2nhXJE2Zu18Q-JNPk17yRak6n6I>
Cc: "'cfrg@irtf.org'" <Cfrg@irtf.org>, 'Nevil Brownlee' <rfc-ise@rfc-editor.org>
Subject: Re: [Cfrg] would it be a good idea for CFRG to try review algorithm documents?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 19:36:46 -0000

This document is not the old GOST algorithm - that was published long ago.  This is a 128-bit block algorithm.

Jim


> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Blumenthal, Uri - 0553 -
> MITLL
> Sent: Thursday, December 10, 2015 7:01 AM
> To: Björn Edström <be@bjrn.se>; Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Cc: cfrg@irtf.org; Nevil Brownlee <rfc-ise@rfc-editor.org>
> Subject: Re: [Cfrg] would it be a good idea for CFRG to try review algorithm
> documents?
> 
> GOST has been reviewed and analyzed by the cryptographic community
> (academia included) for ages (well, decades, really). I’ve seen several
> publications. As I recall, the only significant weakness found was related to
> related-keys <pun intended :>. Of course it uses 64-bit blocks in the world where
> (most) everybody embraced 128-bit, and some toy with 256-bit block ciphers.
> 
> However distinguished this body of cryptographers is, I doubt anything new
> would pop up.
> 
> But by all means, review away! :-)
> 
> P.S. Isn’t Russia moving to Grasshopper (128-bit block cipher), making it their
> new standard (“GOST” is an abbreviation for “State Standard”, in case anybody
> cares to know :)? I.e., isn’t the “old” GOST becoming irrelevant?
> --
> Regards,
> Uri Blumenthal
> 
> 
> 
> 
> 
> On 12/10/15, 7:18 , "Cfrg on behalf of Björn Edström"
> <cfrg-bounces@irtf.org on behalf of be@bjrn.se> wrote:
> 
> >I 100% support the view that cryptographic proposals should be sanity
> >checked by CFRG or another appropriate WG/RG. Specifically for the
> >reason you mention Stephen: There may have been recent research that
> >invalidates some security assumptions that were previously held.
> >
> >Cheers
> >Björn
> >
> >
> >On Thu, Dec 10, 2015 at 10:58 AM, Stephen Farrell
> ><stephen.farrell@cs.tcd.ie> wrote:
> >>
> >> Hiya,
> >>
> >> On 10/12/15 09:25, Yoav Nir wrote:
> >>> Hi, Stephen.
> >>>
> >>>> On 10 Dec 2015, at 3:38 AM, Stephen Farrell
> >>>> <stephen.farrell@cs.tcd.ie> wrote:
> >>>>
> >>>>
> >>>> But as a non-cryptographer, I'd be happier if in future things like
> >>>> this (or non-national "vanity" algorithm descriptions) had gotten
> >>>> some review from CFRG, however I'm not sure if folks here would be
> >>>> generally willing to do that kind of review.
> >>>
> >>> The kind of review you might get in an IETF WG or in a IRTF RG is
> >>> somewhere between a few hours to a few days of work from several
> >>> people.
> >>>
> >>> That is likely enough to review some vanity crypto that someone
> >>> thought up all by himself (example: [1]). It is not enough for a full
> >>> analysis of cryptography that actually works. The draft you are
> >>> talking about is GOST crypto. GOST has a team of good cryptographers
> >>> working full-time on these algorithms. I doubt a cursory review by
> >>> this list could find any new weaknesses. We might be able to point at
> >>> previous work published about such an algorithm, or point out that
> >>> the block cipher uses a 64-bit block. But I don’t think it’s likely
> >>> to find new stuff.
> >>
> >> Agreed.
> >>
> >> Pointing at previous work that affects how to sensibly use an
> >> algorithm in IETF protocols, or spotting details that are badly
> >> documented, would be what we're after here, not new cryptanalytic
> >> results. (If someone had those, and was gonna publish, they'd
> >> publish elsewhere for sure.)
> >>
> >> The reason I think that could be valuable though is that I do
> >> think there's expertise on this list that's not available in
> >> the IETF and I'd like to avoid a situation where cryptographers
> >> come back to us some years later saying "WTF!!? the IETF has said
> >> how to use <foo> for <bar>, but <biffle et al> showed years ago
> >> that that's only safe for 2^N packets and the <blah> setting
> >> has to be <fuffle>."
> >>
> >> I figure it's reasonably likely that the proponents of the
> >> <foo> algorithm might omit such details, not out of
> >> crypto-badness but just for normal human-nature reasons or
> >> because they assume that everyone using <foo> should know
> >> that already.
> >>
> >> Cheers,
> >> S.
> >>
> >>
> >>
> >>
> >>>
> >>> Yoav
> >>>
> >>> [1] http://www.ietf.org/mail-archive/web/cfrg/current/msg06805.html
> >>>
> >>
> >> _______________________________________________
> >> Cfrg mailing list
> >> Cfrg@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >
> >_______________________________________________
> >Cfrg mailing list
> >Cfrg@irtf.org
> >https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email