Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

Tony Arcieri <bascule@gmail.com> Thu, 04 October 2018 13:25 UTC

References: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
In-Reply-To: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Thu, 04 Oct 2018 06:25:25 -0700
Message-ID: <CAHOTMV+KCeczA4D+ZbeCHDQcRaxaLPCQ6seqGb8+HUsUX99i_g@mail.gmail.com>
To: neil.e.madden@gmail.com
Cc: cfrg@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3tryEsi7k8jXPGzNwpH3A-3sqGs>
Subject: Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

I am also interested in alternative SIV modes...

On Thu, Oct 4, 2018 at 3:12 AM Neil Madden <neil.e.madden@gmail.com> wrote:

> As currently specified in RFC 5297, the mode is only defined for a MAC
> (AES-CMAC) that produces a 128-bit tag length.

...specifically I have considered writing an I-D for PMAC, and specifying
an RFC 5297-alike construction which swaps in PMAC in lieu of CMAC. I have
already implemented this construction in the https://miscreant.io library.

That said...

> As a concrete example, I am interested in SIV constructions based on
> XSalsa20 (or XChaCha20 as recently proposed on this list) together with
> some keyed hash MAC, such as HMAC-SHA256 or Blake2.

I think for IETF protocols you'll almost certainly want to use XChaCha20
over XSalsa20, as the latter has not been specified for IETF work, and is
redundant with XChaCha20.

If you're curious, here is some discussion about instantiating a SIV mode
using ChaCha20 and Poly1305 as primitives. This is of course a bit tricky,
as in the typical ChaCha20Poly1305 construction the Poly1305 key is derived
from the beginning of the ChaCha20 keystream (hence why I assume you're
proposing swapping in a PRF like HMAC as the basis of S2V):

https://github.com/briansmith/ring/issues/413

-- 
Tony Arcieri
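The construction Neil asks about (a stream cipher plus a keyed-hash PRF standing in for CMAC-based S2V), as an added example that is not part of this thread or of the miscreant library: standard-library Python only, with a pure-Python IETF ChaCha20 (RFC 7539, 96-bit nonce; XChaCha20 would add an HChaCha20 step that is left out here) and HMAC-SHA256 as the S2V replacement, so the tag is computed before any keystream exists and the Poly1305 circularity Tony mentions does not arise. The 64-byte key split, the 32-byte tag, the length-prefixed vector encoding and the use of tag[:12] as the ChaCha20 nonce are my assumptions, not anything RFC 5297 or the thread specifies.

```python
import hashlib, hmac, struct

MASK = 0xffffffff

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 7539, section 2.1) applied in place to state list s
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & MASK
        t = s[z] ^ s[x]
        s[z] = ((t << r) | (t >> (32 - r))) & MASK

def _chacha_block(key, counter, nonce):
    # One 64-byte keystream block: constants | 256-bit key | 32-bit counter | 96-bit nonce
    st = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = st[:]
    for _ in range(10):  # 20 rounds = 10 (column round, diagonal round) pairs
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *q)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(st, w)])

def chacha20_xor(key, nonce, data, counter=1):
    # XOR data with the ChaCha20 keystream (IETF variant: 32-byte key, 12-byte nonce)
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)

def s2v_hmac(mac_key, headers, plaintext):
    # S2V stand-in (assumed encoding): HMAC-SHA256 takes variable-length input, so a length-prefixed vector suffices
    h = hmac.new(mac_key, struct.pack(">Q", len(headers)), hashlib.sha256)
    for item in (*headers, plaintext):
        h.update(struct.pack(">Q", len(item)) + item)
    return h.digest()

def siv_encrypt(key, headers, plaintext):
    mac_key, enc_key = key[:32], key[32:64]  # independent halves of a 64-byte key (assumed split)
    tag = s2v_hmac(mac_key, headers, plaintext)  # deterministic: no caller-supplied nonce
    return tag + chacha20_xor(enc_key, tag[:12], plaintext)  # the tag doubles as the nonce

def siv_decrypt(key, headers, ciphertext):
    if len(ciphertext) < 32:
        raise ValueError("ciphertext shorter than the 32-byte tag")
    mac_key, enc_key = key[:32], key[32:64]
    tag, body = ciphertext[:32], ciphertext[32:]
    plaintext = chacha20_xor(enc_key, tag[:12], body)
    if not hmac.compare_digest(tag, s2v_hmac(mac_key, headers, plaintext)):
        raise ValueError("authentication failed")  # never release unverified plaintext
    return plaintext
```

Because the nonce is derived from the plaintext and headers, encrypting the same message twice under the same key yields identical output; that is the nonce-misuse-resistance trade-off SIV makes, and the only leakage a repeated plaintext causes.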