Re: [Cfrg] Do we need a selection contest for AEAD?

"David McGrew (mcgrew)" <mcgrew@cisco.com> Tue, 30 June 2020 23:33 UTC

From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
CC: CFRG <cfrg@irtf.org>
Date: Tue, 30 Jun 2020 23:33:09 +0000
Message-ID: <C55EF5A9-F283-4721-98B9-22CE168D4E08@cisco.com>
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
In-Reply-To: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/40SQSDEI8zdIOa2HxhGvYIk1cKo>

Hi Stanislav, Alexey, and Nick,

It would be great for CFRG to review modern AEAD modes and their properties, but instead of holding a contest at this time, I suggest focusing on the applicability of these properties to IETF protocols. It would be valuable for the community to get to a better understanding of which properties have the most applications, and which are niceties and which are necessities. In the same vein, having a deeper understanding about the scenarios that have led to security failures in the field would help to motivate properties like robustness and leakage resilience. So I suggest having a call for presentations and documents that includes these broader topics around AEAD. If nothing else, it could be a prelude to a contest.

The list of properties below is a great start; nonce hiding and resistance to multiple forgery attacks are also worth considering (and have been raised by others I believe).

Regards,

David

> On Jun 19, 2020, at 1:32 PM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
> 
> Dear CFRG,
> 
> The chairs would like to ask for opinions whether it seems reasonable to initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes and recommend a mode (or several modes) for the IETF.
> 
> We’ve recently had a CAESAR contest, and, of course, its results have to be taken into account very seriously. In addition to the properties that were primarily addressed during the CAESAR contest (like protection against side-channel attacks, authenticity/limited privacy damage in case of nonce misuse or release of unverified plaintexts, robustness in such scenarios as huge amounts of data), the following properties may be especially important for the usage of AEAD mechanisms in IETF protocols:
> 1) Leakage resistance.
> 2) Incremental AEAD.
> 3) Commitment AEAD (we've had a discussion in the list a while ago).
> 4) RUP-security (it was discussed in the CAESAR contest, but the finalists may have some issues with it, as far as I understand).
> 5) Ability to safely encrypt a larger maximum number of bytes per key (discussed in QUIC WG).
> 
> Does this look reasonable?
> Any thoughts about the possible aims of the contest?  
> Any other requirements for the mode?
> 
> Regards,
> Stanislav, Alexey, Nick