IETF Logo Mail Archive

Re: [Cfrg] new authenticated encryption draft

"John Wilkinson" <wilkjohn@gmail.com> Wed, 23 August 2006 02:05 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFi7K-0002fc-Ry; Tue, 22 Aug 2006 22:05:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFi7J-0002fU-U8 for cfrg@ietf.org; Tue, 22 Aug 2006 22:05:17 -0400
Received: from ug-out-1314.google.com ([66.249.92.171]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GFi7H-0001zg-Jx for cfrg@ietf.org; Tue, 22 Aug 2006 22:05:17 -0400
Received: by ug-out-1314.google.com with SMTP id m2so2269560uge for <cfrg@ietf.org>; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lF4Ta3ZnyY0//JHzhIv30LG2ckAyhLSzqmt0ph2u5QJ8weo/5c+xW77Tw9sTnIl36X4Hu2h/UxmRG1IS61cmto4aCBgTVArwkhnCX9s/BBsOKkSuDxAV3gcEGEA2VrO4W+qGkDhNf2V9AptIQzlL7Z97UvnoGXCCjeoj5Gi4qfc=
Received: by 10.67.24.13 with SMTP id b13mr4780937ugj; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
Received: by 10.67.117.3 with HTTP; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
Message-ID: <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
Date: Tue, 22 Aug 2006 22:05:14 -0400
From: John Wilkinson <wilkjohn@gmail.com>
To: cfrg@ietf.org
Subject: Re: [Cfrg] new authenticated encryption draft
In-Reply-To: <p06230910c10e98a55c4c@10.30.1.9>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org

On 8/20/06, Greg Rose <ggr@qualcomm.com> wrote:
> At 11:47  -0700 2006/08/20, Hal Finney wrote:
> >
> >It is outside the scope of your document, but I have found from my
> >disk experience that the approach in these algorithms of letting the
> >AEAD algorithm manage uniqueness of IVs at the "micro scale" while the
> >caller manages uniqueness at the "macro scale" can actually lead to
> >very inefficient allocation of IV space. For example, with GCM taking
> >an external IV contribution of 64 bits, if the caller is encrypting a
> >lot of short messages in a context where it must be stateless and pass
> >in a random IV contribution, it can only encrypt 2^32 such messages
> >under a given key. The seemingly vast IV space is eroded to a very
> >significant limitation similar to what we had in the old days of DES.
>
> This "erosion" only happens if the requirement is that the IV be
> random and unpredictable to an attacker. Most AEAD systems don't
> require this strong guarantee, and any form of Nonce will usually do;
> the only requirement being uniqueness. So the 64 bit input, provided
> in the form of a counter, is good to the same order-of-magnitude
> limit as the block cipher itself.

Gregg, unless I'm missing something, in the _stateless_ case Hal
mentions, the IV/nonce must be random (since a counter requires
state), and the potential for nonce "collisions" becomes unacceptably
high after many fewer than 2^32 encryptions.

David, while I've only briefly skimmed your draft, Hal and Gregg's
comments make me wonder about the way you're treating IVs in your
specification. Why do you feel that IVs must be an _output_ of the
encryption algorithm, rather than a purely internal value? Further,
what, exactly, do you mean by the requirement that "A deterministic
AEAD encryption algorithm MUST accept an additional input, and that
value [the IV contribution] MUST be included _verbatim_ [emphasis
added] in the IV."

It seems to me that it would be a better abstraction of the AEAD
mechanism if the IV is used purely internally to the algorithm, so
that the only input required is a nonce, and that the same nonce is
used for encryption and decryption. Furthermore, the requirement that
the "IV contribution" must be used "verbatim" in the IV could be read
to exclude, for example, Bellare, Rogaway, and Wagner's EAX mode. EAX
uses a user-supplied nonce, which may be of any length, and computes a
MAC on this nonce to generate the initial counter for counter-mode
encryption.

-John

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email