Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F176D3A16FA for ; Thu, 2 Apr 2020 09:02:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.898 X-Spam-Level: X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z_I5hGIQlJ2b for ; Thu, 2 Apr 2020 09:01:57 -0700 (PDT) Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [23.123.122.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DF723A1700 for ; Thu, 2 Apr 2020 09:01:55 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by z9m9z.htt-consult.com (Postfix) with ESMTP id 88BBB62153; Thu, 2 Apr 2020 12:01:53 -0400 (EDT) X-Virus-Scanned: amavisd-new at htt-consult.com Received: from z9m9z.htt-consult.com ([127.0.0.1]) by localhost (z9m9z.htt-consult.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id LMuCbNZbqoGq; Thu, 2 Apr 2020 12:01:40 -0400 (EDT) Received: from lx140e.htt-consult.com (unknown [192.168.160.12]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by z9m9z.htt-consult.com (Postfix) with ESMTPSA id 7F55062133; Thu, 2 Apr 2020 12:01:38 -0400 (EDT) To: Sergey Agievich , Michael StJohns , "cfrg@irtf.org" References: <39806a9f-206b-797d-e2b8-0a55bea2b1cb@htt-consult.com> <6f41ddbd-d2ec-1ecc-deca-9230f11fa421@nthpermutation.com> <3593bcc4-8a28-e9f7-cac2-025f0985fa47@nthpermutation.com> <3c8e107d-5499-4c5f-143e-e8cded55708e@htt-consult.com> From: Robert Moskowitz Message-ID: <19188ace-dd51-a7b0-8db6-051ddf8c2316@htt-consult.com> Date: Thu, 2 Apr 2020 12:01:33 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------06F3C5937CBDE65B554121E1" Content-Language: en-US Archived-At: Subject: Re: [Cfrg] Encrypt in place guidance X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Apr 2020 16:02:07 -0000 This is a multi-part message in MIME format. --------------06F3C5937CBDE65B554121E1 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Sergey, Thank you.  This is very worthwhile.  It will take me a bit to process this, then incorporate it in my draft. Bob On 4/2/20 11:38 AM, Sergey Agievich wrote: > Q1. How to encrypt an m-bit plaintext X using an n-bit block cipher E > = {E_K} for n > m? > > If the encryption speed doesn't matter, we can use the following > approach based on the Feistel scheme. This approach is already being > used in format-preserving encryption. > >     Enc(X, K): >       1. Y <- X. >       2. Split Y into 2 equal parts: Y = Y1 || Y2 >       (let us assume for simplicity that m is even). >       3. For i = 1, 2, ..., d do: >         Y <- Y2 || (Y1 ^ first_m/2_bits(E_K(Y2 || Ci)), >       where Ci is a (n - m/2)-bit round constant. >       4. Y <- Y2 || Y1. >       5. Return Y. >     Dec(Y, K): >       1. X <- Y. >       2. Split X into 2 equal parts: X = X1 || X2. >       3. For i = d, ..., 2, 1 do: >         X <- X2 || (X1 ^ first_m/2_bits(E_K(X2 || Ci)). >       4. X <- X2 || X1. >       5. Return X. > > According to the theory, to provide CCA security guarantees (CCA = > Chosen Ciphertext Attacks) for m-bit encryption X |-> Y, we should > choose d >= 6. It seems very ineffective that when shortening the > block length, we have to use 6 times more block encryptions. On the > other hand, we preserve both the block cipher interface and security > guarantees in a simple way. > > Q2. How to encrypt an (3n/2)-bit plaintext X using an n-bit block > cipher E = {E_K}? > > I recommend the following scheme. > >     Enc(X, K): >       1. Y <- X. >       2. Split Y into 3 equal parts: Y = Y1 || Y2 || Y3. >       3. For i = 1, 2, 3 do: >         3.1. Y2 || Y3 <- E_K(Y2 || Y3) ^ Ci; >         3.2. Y <- Y2 || Y3 || (Y1 ^ Y2). >       4. Return Y. > > This scheme guarantees at least 2 differential and linear activations > per 3 rounds (the more activations, the higher strength against > differential and linear attacks). > > For comparison, the alternative scheme > >         3.1. Y1 || Y2 <- E_K(Y1 || Y2); >         3.2. Y <- Y2 || Y3 || Y1. > > that has been discussed in this thread guarantees only 1 activation. > > Best, > Sergey > > ------------------------------------------------------------------------ > *От:* Cfrg от имени Robert Moskowitz > > *Отправлено:* 1 апреля 2020 г. 20:13 > *Кому:* Michael StJohns; cfrg@irtf.org > *Тема:* Re: [Cfrg] Encrypt in place guidance > > > On 4/1/20 12:33 PM, Michael StJohns wrote: >> NIST SP800-38A -  Section 6.3.   CFB can work on any number of bits >> up to the block size.  CFB8 does a byte at a time and uses a block >> cipher operation for each byte. > > Got.  My copy of 38A is from '02; I will have to see if there is an > updated version, but sec 6.3 is there in my copy and I see how CFB8 works. > > Two questions: > > Operator and USS have 1 IV for the mission.  Because of potential of > lost messages, cannot make a chain as mentioned previously. > > 1) Can the same IV be used for multiple 8 byte location blocks using > CFB8?  Since the first 4 bytes are a signed integer: > > Int signed deg*10^7 (LE)    e.g. –11989298 > > It is likely that if the latitude is changing, it will only be in byte > 3.  It is possible that latitude is fix (the operator is walking > straight east or west) and only the last byte is changing in longitude. > > 2) What about CFB16 for efficiency?  Changes will tend to be in bytes > 4 and 8.  Attackers will know this. > > I feel more comfortable with some 64 bit cipher if I can't get that 2 > byte IV counter.... > > thanks > >> >> Mike >> >> >> >> On 4/1/2020 12:25 PM, Robert Moskowitz wrote: >>> >>> >>> On 4/1/20 12:15 PM, Michael StJohns wrote: >>>> Pretty much every IOT chip these days has support for at least AES >>>> 128 (and usually for ECB and  CTR and/or CCM).   Unless there is a >>>> good reason to use something else, assuming you have a good IV >>>> source, use AES-CTR - it can be used for any number of bytes >>>> without expansion.  If you don't have a great IV source, use >>>> something like AES-CFB8. >>> >>> Michael, >>> >>> I went looking for CFB8 and was only getting CFB.  Can you please >>> provide a pointer to it? >>> >>> Thanks. >>> >>> Bob >>> >>> >>>>    Avoid domain specific algorithms that may or may not have had >>>> security analyses done that are appropriate to your domain. >>>> >>>> You should have some some sort of message authentication/integrity >>>> protection and that's a physics problem that needs to be solved by >>>> allocating some additional bytes.  Generally at least 4 for an >>>> integrity tag.   If you have that space, move to AES-CCM as your mode. >>>> >>>> IMO, Speck may be a better choice later on as it gains more public >>>> experience and more implementations but you may want to think twice >>>> about including it in a specification at this time. >>>> >>>> Later, Mike >>>> >>>> >>>> On 4/1/2020 10:58 AM, Robert Moskowitz wrote: >>>>> >>>>> >>>>> On 4/1/20 10:06 AM, Blumenthal, Uri - 0553 - MITLL wrote: >>>>>> Robert, >>>>>> >>>>>> You're in luck, because Speck offers 96-bit block-size (with key size 96 or 144 bits). ;-) >>>>> >>>>> I did see that and felt it was a strong point for Speck. >>>>> >>>>>> This (variable block size) was one of the advantages of Speck over, e.g., AES. So the ISO first trimmed it down to the AES capabilities, and then decided "oh well, we already have AES". >>>>> >>>>> I saw that in the IACR slides: >>>>> >>>>> Gee look at all these great advantages it has. >>>>> >>>>> But the other guys don't, so let's strip them out. >>>>> >>>>> Oh, gee, no advantage here, so let's just drop it. >>>>> >>>>> Got to love that logic.  Of course if it is really a broken >>>>> cipher, then it is broken. >>>>> >>>>> There is really crypto justification for AEAD.  But this comes at >>>>> a serious cost that sometimes cannot be met. >>>>> >>>>> Having options like what Speck provides has value. Not great, but >>>>> a real value. >>>>> >>>>> Yes, there are all sorts of replay attacks.  There are some >>>>> use-case related mitigations.  In this case, so the operator is >>>>> lieing about where they are.  So what, they can do that anyway and >>>>> have all the crypto right. >>>>> >>>>> This is why, on a system level, we are proposing how an authorized >>>>> entity can directly and securely message the operator's control >>>>> system with such things as:  "Land now or be shot out of the air >>>>> and THEN we will come to get you." Much more timely than trying to >>>>> send an officer to the supposed Geo position of the operator first. >>>>> >>>>> :) >>>>> >>>>>> On 4/1/20, 09:38, "Cfrg on behalf of Leo Perrin" wrote: >>>>>> >>>>>> >>>>>> > So I am looking for both a 64 bit and 96 bit block cipher. I figured >>>>>> > out that if there is no 96 bit, I can do this by first encrypting the >>>>>> > 1st 64 bits and then the last 64 bits. The middle 32bits are double >>>>>> > encrypted, but I not seeing that as a problem. But then I am not a >>>>>> > cryptographer, only a crypto-plumber. >>>>>> >>>>>> I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw. >>>>>> >>>>>> Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion! >>>>>> >>>>>> It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist: >>>>>> - BKSQ, from the AES designers (essentially a 96-bit AES); >>>>>> - SEA, >>>>>> - EPCBC. >>>>>> The references for these are in our survey. >>>>>> >>>>>> If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested: >>>>>> >>>>>> (A, B, C) ---(E_k, Id)---> (W, X, C) >>>>>> (W, X, C) ---(Id, E_k)---> (W, Y, Z) >>>>>> (W, Y, Z) ---(E_k, Id)---> (T, U, Z) >>>>>> >>>>>> Still: from a security stand-point, I would much prefer a dedicated 96-bit cipher if I were in your position. >>>>>> >>>>>> Cheers, >>>>>> >>>>>> /Léo >>>>>> >>>>>> _______________________________________________ >>>>>> Cfrg mailing list >>>>>> Cfrg@irtf.org >>>>>> https://www.irtf.org/mailman/listinfo/cfrg >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> Cfrg mailing list >>>>>> Cfrg@irtf.org >>>>>> https://www.irtf.org/mailman/listinfo/cfrg >>>>> >>>>> >>>>> _______________________________________________ >>>>> Cfrg mailing list >>>>> Cfrg@irtf.org >>>>> https://www.irtf.org/mailman/listinfo/cfrg >>>> >>>> >>>> >>>> _______________________________________________ >>>> Cfrg mailing list >>>> Cfrg@irtf.org >>>> https://www.irtf.org/mailman/listinfo/cfrg >>> >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg --------------06F3C5937CBDE65B554121E1 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Sergey,

Thank you.  This is very worthwhile.  It will take me a bit to process this, then incorporate it in my draft.

Bob

On 4/2/20 11:38 AM, Sergey Agievich wrote:
Q1. How to encrypt an m-bit plaintext X using an n-bit block cipher E = {E_K} for n > m?

If the encryption speed doesn't matter, we can use the following approach based on the Feistel scheme. This approach is already being used in format-preserving encryption. 

    Enc(X, K):
      1. Y <- X.
      2. Split Y into 2 equal parts: Y = Y1 || Y2 
      (let us assume for simplicity that m is even).
      3. For i = 1, 2, ..., d do: 
        Y <- Y2 || (Y1 ^ first_m/2_bits(E_K(Y2 || Ci)), 
      where Ci is a (n - m/2)-bit round constant.
      4. Y <- Y2 || Y1.
      5. Return Y.
    
    Dec(Y, K):
      1. X <- Y.
      2. Split X into 2 equal parts: X = X1 || X2.
      3. For i = d, ..., 2, 1 do: 
        X <- X2 || (X1 ^ first_m/2_bits(E_K(X2 || Ci)).
      4. X <- X2 || X1.
      5. Return X.

According to the theory, to provide CCA security guarantees (CCA = Chosen Ciphertext Attacks) for m-bit encryption X |-> Y, we should choose d >= 6. It seems very ineffective that when shortening the block length, we have to use 6 times more block encryptions. On the other hand, we preserve both the block cipher interface and security guarantees in a simple way.

Q2. How to encrypt an (3n/2)-bit plaintext X using an n-bit block cipher E = {E_K}? 

I recommend the following scheme.

    Enc(X, K):
      1. Y <- X.
      2. Split Y into 3 equal parts: Y = Y1 || Y2 || Y3.
      3. For i = 1, 2, 3 do:
        3.1. Y2 || Y3 <- E_K(Y2 || Y3) ^ Ci;
        3.2. Y <- Y2 || Y3 || (Y1 ^ Y2).
      4. Return Y.

This scheme guarantees at least 2 differential and linear activations per 3 rounds (the more activations, the higher strength against differential and linear attacks).

For comparison, the alternative scheme 

        3.1. Y1 || Y2 <- E_K(Y1 || Y2);
        3.2. Y <- Y2 || Y3 || Y1.

that has been discussed in this thread guarantees only 1 activation.

Best,
Sergey

От: Cfrg <cfrg-bounces@irtf.org> от имени Robert Moskowitz <rgm-sec@htt-consult.com>
Отправлено: 1 апреля 2020 г. 20:13
Кому: Michael StJohns; cfrg@irtf.org
Тема: Re: [Cfrg] Encrypt in place guidance
 


On 4/1/20 12:33 PM, Michael StJohns wrote:
NIST SP800-38A -  Section 6.3.   CFB can work on any number of bits up to the block size.  CFB8 does a byte at a time and uses a block cipher operation for each byte.

Got.  My copy of 38A is from '02; I will have to see if there is an updated version, but sec 6.3 is there in my copy and I see how CFB8 works.

Two questions:

Operator and USS have 1 IV for the mission.  Because of potential of lost messages, cannot make a chain as mentioned previously.

1) Can the same IV be used for multiple 8 byte location blocks using CFB8?  Since the first 4 bytes are a signed integer:

Int signed deg*10^7 (LE)    e.g. –11989298

It is likely that if the latitude is changing, it will only be in byte 3.  It is possible that latitude is fix (the operator is walking straight east or west) and only the last byte is changing in longitude.

2) What about CFB16 for efficiency?  Changes will tend to be in bytes 4 and 8.  Attackers will know this.

I feel more comfortable with some 64 bit cipher if I can't get that 2 byte IV counter....

thanks


Mike



On 4/1/2020 12:25 PM, Robert Moskowitz wrote:


On 4/1/20 12:15 PM, Michael StJohns wrote:
Pretty much every IOT chip these days has support for at least AES 128 (and usually for ECB and  CTR and/or CCM).   Unless there is a good reason to use something else, assuming you have a good IV source, use AES-CTR - it can be used for any number of bytes without expansion.  If you don't have a great IV source, use something like AES-CFB8.

Michael,

I went looking for CFB8 and was only getting CFB.  Can you please provide a pointer to it?

Thanks.

Bob


   Avoid domain specific algorithms that may or may not have had security analyses done that are appropriate to your domain.

You should have some some sort of message authentication/integrity protection and that's a physics problem that needs to be solved by allocating some additional bytes.  Generally at least 4 for an integrity tag.   If you have that space, move to AES-CCM as your mode.

IMO, Speck may be a better choice later on as it gains more public experience and more implementations but you may want to think twice about including it in a specification at this time.

Later, Mike


On 4/1/2020 10:58 AM, Robert Moskowitz wrote:


On 4/1/20 10:06 AM, Blumenthal, Uri - 0553 - MITLL wrote:
Robert,

You're in luck, because Speck offers 96-bit block-size (with key size 96 or 144 bits). ;-)

I did see that and felt it was a strong point for Speck.

This (variable block size) was one of the advantages of Speck over, e.g., AES. So the ISO first trimmed it down to the AES capabilities, and then decided "oh well, we already have AES".

I saw that in the IACR slides:

Gee look at all these great advantages it has.

But the other guys don't, so let's strip them out.

Oh, gee, no advantage here, so let's just drop it.

Got to love that logic.  Of course if it is really a broken cipher, then it is broken.

There is really crypto justification for AEAD.  But this comes at a serious cost that sometimes cannot be met.

Having options like what Speck provides has value.  Not great, but a real value.

Yes, there are all sorts of replay attacks.  There are some use-case related mitigations.  In this case, so the operator is lieing about where they are.  So what, they can do that anyway and have all the crypto right.

This is why, on a system level, we are proposing how an authorized entity can directly and securely message the operator's control system with such things as:  "Land now or be shot out of the air and THEN we will come to get you." Much more timely than trying to send an officer to the supposed Geo position of the operator first.

:)

On 4/1/20, 09:38, "Cfrg on behalf of Leo Perrin" <cfrg-bounces@irtf.org on behalf of leo.perrin@inria.fr> wrote:

    
    > So I am looking for both a 64 bit and 96 bit block cipher.  I figured
    > out that if there is no 96 bit, I can do this by first encrypting the
    > 1st 64 bits and then the last 64 bits.  The middle 32bits are double
    > encrypted, but I not seeing that as a problem. But then I am not a
    > cryptographer, only a crypto-plumber.
    
    I would advise you *not* to do this: this effectively creates a 96-bit block cipher with at least one significant flaw.
    
    Suppose that your plaintext is (A,B,C), where each word is 32-bit long, and that you use a block cipher E_k operating on 64 bits. Then you would first obtain (W,X) = E_k(A,B), and then (Y,Z) = E_k(X,C), so that the encryption of (A,B,C) is (W,Y,Z). The problem with this approach is that W does not depend on C. A similar behaviour exists for decryption (C does not depend on W). As a consequence, this 96-bit block cipher does not provide full diffusion!
    
    It is better to use a dedicated 96-bit block cipher. There are not many of them but they exist:
    - BKSQ, from the AES designers (essentially a 96-bit AES);
    - SEA,
    - EPCBC.
    The references for these are in our survey.
    
    If you really need to turn a 64-bit block cipher into a 96-bit one, then you would need to do at least 3 iterations of the 64-bit cipher instead of 2 as you suggested:
    
    (A, B, C) ---(E_k, Id)---> (W, X, C)
    (W, X, C) ---(Id, E_k)---> (W, Y, Z)
    (W, Y, Z) ---(E_k, Id)---> (T, U, Z)
    
    Still: from a security stand-point, I would much prefer a dedicated 96-bit cipher if I were in your position.
    
    Cheers,
    
    /Léo
    
    _______________________________________________
    Cfrg mailing list
    Cfrg@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg
    


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg



_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg




_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg




_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg



_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

--------------06F3C5937CBDE65B554121E1--