Re: [Cfrg] new authenticated encryption draft
"John Wilkinson" <wilkjohn@gmail.com> Wed, 23 August 2006 02:05 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFi7K-0002fc-Ry; Tue, 22 Aug 2006 22:05:18 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GFi7J-0002fU-U8 for cfrg@ietf.org; Tue, 22 Aug 2006 22:05:17 -0400
Received: from ug-out-1314.google.com ([66.249.92.171]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GFi7H-0001zg-Jx for cfrg@ietf.org; Tue, 22 Aug 2006 22:05:17 -0400
Received: by ug-out-1314.google.com with SMTP id m2so2269560uge for <cfrg@ietf.org>; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=lF4Ta3ZnyY0//JHzhIv30LG2ckAyhLSzqmt0ph2u5QJ8weo/5c+xW77Tw9sTnIl36X4Hu2h/UxmRG1IS61cmto4aCBgTVArwkhnCX9s/BBsOKkSuDxAV3gcEGEA2VrO4W+qGkDhNf2V9AptIQzlL7Z97UvnoGXCCjeoj5Gi4qfc=
Received: by 10.67.24.13 with SMTP id b13mr4780937ugj; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
Received: by 10.67.117.3 with HTTP; Tue, 22 Aug 2006 19:05:14 -0700 (PDT)
Message-ID: <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com>
Date: Tue, 22 Aug 2006 22:05:14 -0400
From: John Wilkinson <wilkjohn@gmail.com>
To: cfrg@ietf.org
Subject: Re: [Cfrg] new authenticated encryption draft
In-Reply-To: <p06230910c10e98a55c4c@10.30.1.9>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4adaf050708fb13be3316a9eee889caa
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
On 8/20/06, Greg Rose <ggr@qualcomm.com> wrote: > At 11:47 -0700 2006/08/20, Hal Finney wrote: > > > >It is outside the scope of your document, but I have found from my > >disk experience that the approach in these algorithms of letting the > >AEAD algorithm manage uniqueness of IVs at the "micro scale" while the > >caller manages uniqueness at the "macro scale" can actually lead to > >very inefficient allocation of IV space. For example, with GCM taking > >an external IV contribution of 64 bits, if the caller is encrypting a > >lot of short messages in a context where it must be stateless and pass > >in a random IV contribution, it can only encrypt 2^32 such messages > >under a given key. The seemingly vast IV space is eroded to a very > >significant limitation similar to what we had in the old days of DES. > > This "erosion" only happens if the requirement is that the IV be > random and unpredictable to an attacker. Most AEAD systems don't > require this strong guarantee, and any form of Nonce will usually do; > the only requirement being uniqueness. So the 64 bit input, provided > in the form of a counter, is good to the same order-of-magnitude > limit as the block cipher itself. Gregg, unless I'm missing something, in the _stateless_ case Hal mentions, the IV/nonce must be random (since a counter requires state), and the potential for nonce "collisions" becomes unacceptably high after many fewer than 2^32 encryptions. David, while I've only briefly skimmed your draft, Hal and Gregg's comments make me wonder about the way you're treating IVs in your specification. Why do you feel that IVs must be an _output_ of the encryption algorithm, rather than a purely internal value? Further, what, exactly, do you mean by the requirement that "A deterministic AEAD encryption algorithm MUST accept an additional input, and that value [the IV contribution] MUST be included _verbatim_ [emphasis added] in the IV." It seems to me that it would be a better abstraction of the AEAD mechanism if the IV is used purely internally to the algorithm, so that the only input required is a nonce, and that the same nonce is used for encryption and decryption. Furthermore, the requirement that the "IV contribution" must be used "verbatim" in the IV could be read to exclude, for example, Bellare, Rogaway, and Wagner's EAX mode. EAX uses a user-supplied nonce, which may be of any length, and computes a MAC on this nonce to generate the initial counter for counter-mode encryption. -John _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew