Re: [Cfrg] Analysis of ipcrypt?

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 27 February 2018 19:37 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, Paul Hoffman <paul.hoffman@icann.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Analysis of ipcrypt?
Thread-Index: AQHTq4FVsuo4dcsJg0eN6RT04Ck8yqOv/S6AgAiv1gA=
Date: Tue, 27 Feb 2018 19:37:42 +0000
Message-ID: <MWHPR14MB1376E27D3865C244E5C9F15783C00@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <18C83761-E442-45D9-BDBF-71DC7F751007@icann.org> <CAGiyFdfP12Y0RwdosFHKLkHKaW=UyhZki+m4G5KsPd8U1Ga3zg@mail.gmail.com>
In-Reply-To: <CAGiyFdfP12Y0RwdosFHKLkHKaW=UyhZki+m4G5KsPd8U1Ga3zg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3gS4XeJ-8TAKYpd9Oa68uwd5ncg>
Subject: Re: [Cfrg] Analysis of ipcrypt?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Why use a low security toy cipher, when there are high security FPE algorithms available, which provide full strength and are reasonably efficient? A number of them are being standardized as part of the work by ANSI ASC X9F1.

In particular, output sizes that are 2^n lead to very efficient implementations of most FPE algorithms. They’re basically just Feistel structures over 32-bit blocks, using AES or something similar as the round function.

-Tim

From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Jean-Philippe Aumasson
Sent: Wednesday, February 21, 2018 11:55 PM
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Analysis of ipcrypt?

Hi!

I designed ipcrypt as a low-security toy cipher to encrypt IPv4 addresses for some log analysis application. It may be good enough for this purpose, however it has very low security:

* because of 32-bit blocks, a chosen-plaintext codebook attack will work in time 2^32 (or much less for specific IP ranges)
* known-plaintext codebook attacks will work similarly but in O(n log n), or 2^37 (coupon collector problem)
* there is a generic ~2^16 distinguisher that works by looking for a collision in a sequence of blocks
* worse, Jason just found a high-probability differential that seems detectable with fewer than 2^24 chosen-plaintext pairs, and which may speed up key recovery

On Thu, 22 Feb 2018 at 03:03, Paul Hoffman <paul.hoffman@icann.org> wrote:

Greetings. ipcrypt is a format-preserving cipher for IPv4 addresses. It has a 32-bit blocksize for input and output, and 128-bit blocksize for the key. It was developed by Jean-Philippe Aumasson and is described at:
   https://github.com/veorq/ipcrypt
There doesn't appear to be any formal paper describing the algorithm, but the Python and Go code is trivial to follow.

This algorithm is now being considered by a few different projects that want to obfuscate IPv4 addresses. Has anyone analyzed the algorithm? I could not find analyses, but certainly could have missed them.

For a project I'm on, ipcrypt is attractive if an attacker cannot derive the 128-bit random key without a lot (maybe 2^80ish) effort. For cases in common use, assume that the attacker has 2^24 known plaintext/ciphertext pairs under a single 128-bit random key. For additional ciphertexts, how much effort must the attacker expend to get the key in order to decrypt additional unknown ciphertexts?

(Note that there are other options for this use case, which have different positive and negative features. What we'd like to know is how good is ipcrypt if we chose it.)

--Paul Hoffman
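
The construction described in the reply at the top of this message (a Feistel structure over a 32-bit block with a keyed round function), sketched as an added example that is not code from the thread, from ipcrypt, or from any X9 standard. It is not FF1 or FF3; HMAC-SHA256 stands in for AES because the Python standard library has no AES, and `ROUNDS`, the function names and the sample key are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress

ROUNDS = 10  # assumption chosen for illustration, not taken from any standard


def _round(key: bytes, rnd: int, half: int) -> int:
    """Keyed round function: maps a 16-bit half to a 16-bit mask.
    HMAC-SHA256 stands in for the AES call mentioned in the message."""
    msg = bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def encrypt_u32(key: bytes, block: int) -> int:
    """Balanced Feistel network over one 32-bit block (two 16-bit halves)."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << 16) | right


def decrypt_u32(key: bytes, block: int) -> int:
    """Undo encrypt_u32 by running the rounds in reverse order."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round(key, rnd, left), left
    return (left << 16) | right


def encrypt_ipv4(key: bytes, addr: str) -> str:
    return str(ipaddress.IPv4Address(encrypt_u32(key, int(ipaddress.IPv4Address(addr)))))


def decrypt_ipv4(key: bytes, addr: str) -> str:
    return str(ipaddress.IPv4Address(decrypt_u32(key, int(ipaddress.IPv4Address(addr)))))


def is_injective_on(key: bytes, network: str) -> bool:
    """True if every address in `network` gets a distinct ciphertext."""
    hosts = [int(a) for a in ipaddress.ip_network(network)]
    return len({encrypt_u32(key, h) for h in hosts}) == len(hosts)


if __name__ == "__main__":
    SAMPLE_KEY = bytes(range(16))  # constructed 128-bit key, for the demo only
    ct = encrypt_ipv4(SAMPLE_KEY, "192.0.2.1")
    print(ct, decrypt_ipv4(SAMPLE_KEY, ct), is_injective_on(SAMPLE_KEY, "10.0.0.0/20"))
```

The block is still 32 bits wide, so the codebook and collision bounds listed in the quoted message apply to this construction just as they do to any other 32-bit permutation.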