Re: [Cfrg] ISE seeks help with some crypto drafts

"Blumenthal, Uri - 0553 - MITLL" <> Mon, 08 April 2019 21:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 77DAA120100; Mon, 8 Apr 2019 14:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LdxDrUh3rvLK; Mon, 8 Apr 2019 14:38:19 -0700 (PDT)
Received: from (LLMX3.LL.MIT.EDU []) by (Postfix) with ESMTP id A238012034F; Mon, 8 Apr 2019 14:38:19 -0700 (PDT)
Received: from ( by (unknown) with ESMTP id x38LcHfF000774; Mon, 8 Apr 2019 17:38:17 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <>
To: mcgrew <>
CC: "<>" <>, cfrg <>, "" <>
Thread-Topic: [Cfrg] ISE seeks help with some crypto drafts
Date: Mon, 8 Apr 2019 21:38:15 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3637589895_540127552"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-04-08_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904080158
Archived-At: <>
Subject: Re: [Cfrg] ISE seeks help with some crypto drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Apr 2019 21:38:24 -0000

Hi Uri,

On Apr 8, 2019, at 8:30 AM, Blumenthal, Uri - 0553 - MITLL <> wrote:


Well, we *are* interested in OCB and ciphers with block size != 128 bits, even if we won't necessarily document our use in another RFC.


The draft on OCB with general block size needs more usage guidance, as I discussed with Ted and you when the drafts were first discussed last year (please see   


Yes I remember. I will remind Ted.


It is really important that an RFC provide strong guidance to users, as their target audience is implementers and users that might not understand the security ramifications.  


Yes I agree with your point here. 


I am not opposed to publishing this draft, 




but I see it as a critical next step to fully document the interest that you mention, either in draft-krovetz-ocb-wideblock or in a document that can be referenced by that one, along with usage guidance on when it is a good idea to do AEAD with a wide block cipher or a small block cipher.


I think it would not be proper to document *my* interest. What IMHO would be good is documenting use cases, benefits and caveats of using blocks wider and shorter than 128 bits.


The general block size draft would be more appealing if it could be tied to a w != 128 cipher that has withstood significant significant cryptanalysis.   


Shorter blocks are for special applications only (or for classroom exercises). Longer blocks weren’t 


For smaller block sizes, this could be one of the modern 64-bit ciphers like PRESENT, SIMON, or SPECK, though I don’t think we should be promoting the use of 64-bit modes of operation for general-purpose use.   


When AES-NI is in most every moderately large CPU? Nah, I’m not suggesting that we promote *general-purpose* use of 64-bit blocks. As I said, special applications only. In general, “you cannot get fired for selecting 128-bit block AES (and in my case – with 256-bit key)”. 😉


For implementation environments where a 64-bit cipher fits better than AES, it would be really attractive to use an AEAD mode that is secure beyond the birthday bound, as a way to compensate for the significant security degradation due to short blocks.   It would be great if we could leverage whatever interest there is in small block ciphers into some momentum towards higher-security modes of operation.  


That I’d need to discuss with Phil and Ted. I did not consider wide/generic use of short blocks.


It looks like the drafts haven’t been updated since they were first posted, though Ted expressed a willingness to update them.


I’ll need to get hold of Ted. Somehow his email eludes me right now (thanks, IT, for restoring only part of my email folders after the crash).






Thus, I see your point but disagree with it's apparent conclusion. IMHO the OCB draft should be published. 


Not sure about RC{5,6} - not my cup of tea.




Sent from my iPhone

On Apr 8, 2019, at 08:21, Eric Rescorla <> wrote:

These drafts seem quite low value to publish:


The existing OCB document [RFC 7253] is cited by exactly zero RFCs (, so having a specification for ciphers with block size != 128 seems of particularly low value. 


The existing RC5 document [RFC 2040] has 6 RFC-level citations, but as far as I know, RC5 has practically no usage in IETF protocols. AFAICT, RC6 isn't even specified in an RFC. Thus, test vectors for these algorithms don't seem that interesting.








On Fri, Mar 8, 2019 at 9:20 AM RFC ISE (Adrian Farrel) <> wrote:

Hi CFRG and SecDir,

Ted Krovetz has asked for publication of ...
....and... the Independent Stream.

These are both currently in expired state, but available in the archive.

At this stage I am looking to know whether anyone feels that publication
would be a bad thing:
- at this stage
- ever

Please send me your opinions direct (I am not subscribed to this list, but
will check the archives).

Please also let me know if you would be willing to be a detailed reviewer
of this work.

Adrian Farrel (ISE),

Cfrg mailing list

Cfrg mailing list