Re: [CFRG] AEAD limits

John Mattsson <john.mattsson@ericsson.com> Tue, 17 November 2020 18:27 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
CC: Yoav Nir <ynir.ietf@gmail.com>, "<cfrg@ietf.org>" <cfrg@ietf.org>
Date: Tue, 17 Nov 2020 18:27:22 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FeneGLXWK1Wj-Q10NeB5DZO8oRM>

If the draft calculates v and q for different values of p, l_p, and l_aad, they would be as stable as the equations themselves.

John

From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Tuesday, 17 November 2020 at 10:35
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, "<cfrg@ietf.org>" <cfrg@ietf.org>
Subject: Re: [CFRG] AEAD limits

I agree with the idea of such a table, but do we really think it's stable enough to make it a part of RFC?

On Tue, Nov 17, 2020 at 12:07 PM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Hi,

I think such a table would be a good idea. I think the table would be “example limits” rather than “actual limits” and should contain values for different values of p, l_p, and l_aad. This would give implementors (or people writing drafts) some guidance. It would also work like a form of test vectors. Without examples it is hard for a user of the document to check if they calculated the limits correctly.

For non-constrained environments where re-keying is easy, I think the conclusions are simple: don’t use CCM and re-key frequently. For the constrained IoT world (which currently uses AES-CCM with 32 and 64 bit MACs), I think the analysis gets more complicated and I think there are a lot of other factors than p, l_p, and l_aad that need to be considered. I tried to summarize this in a mail to LAKE:

https://mailarchive.ietf.org/arch/msg/lake/jxnTTX2L6HM9ZeVrQ4TNHdISulA/

Cheers,
John

-----Original Message-----
From: CFRG <cfrg-bounces@irtf.org> on behalf of Yoav Nir <ynir.ietf@gmail.com>
Date: Tuesday, 17 November 2020 at 08:41
To: "<cfrg@ietf.org>" <cfrg@ietf.org>
Subject: [CFRG] AEAD limits

Following up on my mostly failed attempt to raise the issue at the meeting.

I still think we need to have, at least in an appendix, a table with actual limits in either bytes or packets.

Sure, this requires setting at least p and l.  p can be chosen arbitrarily (2^(-65)? 2^(-57)?), although I’d like an explanation of why a certain number makes sense.  l can be the row of the table.

For example, for p = 2^(-65) and l=1024 we get for AES-GCM that q<=2^22, so the table can show for this value of l 4 million packets and/or 4 GB.  For ChaCha20-Poly1305 you’d get v<=2^28 so you’d get 256 million packets or 256 GB.  With p at 2^(-57) you get other numbers. Still useful regardless of which value of p is chosen.

And one nit:  Please change the description of p in Table 1 from “Adversary attack probability” to “Adversary attack success probability”.
_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg

--
SY, Dmitry Belyavsky
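
The "example limits" table discussed in this thread, as an added example that is not part of the original messages or of the draft. It assumes the simplified single-key bounds q <= sqrt(p) * 2^(129/2) / l for AES-GCM and v <= p * 2^103 / l for ChaCha20-Poly1305, which reproduce the two figures quoted above for p = 2^(-65) and l = 1024; all function names are hypothetical.

```python
import math

# Assumed simplified bounds (not stated in the thread; check against the draft):
#   AES-GCM:            q <= sqrt(p) * 2^(129/2) / l
#   ChaCha20-Poly1305:  v <= p * 2^103 / l
# p is given as its exponent: p = 2^(-p_exp). l is the per-message length
# in the unit the bound is stated in. Exact integer arithmetic throughout.

def gcm_max_q(p_exp: int, l: int) -> int:
    """Largest whole q with q <= sqrt(2^(129 - p_exp)) / l; 0 if none."""
    if l <= 0:
        raise ValueError("l must be positive")
    shift = 129 - p_exp
    if shift < 0:
        return 0  # target probability is below what the bound can give
    return math.isqrt(1 << shift) // l

def chapoly_max_v(p_exp: int, l: int) -> int:
    """Largest whole v with v <= 2^(103 - p_exp) / l; 0 if none."""
    if l <= 0:
        raise ValueError("l must be positive")
    shift = 103 - p_exp
    if shift < 0:
        return 0
    return (1 << shift) // l

def example_table(p_exps=(57, 65), lengths=(64, 1024, 16384)):
    """One row per (p, l): usable as test vectors for the equations."""
    return [(p_exp, l, gcm_max_q(p_exp, l), chapoly_max_v(p_exp, l))
            for p_exp in p_exps for l in lengths]

def render(rows) -> str:
    """Plain-text table; counts shown as floor(log2) for readability."""
    def fmt(n):
        return "none" if n == 0 else f"2^{n.bit_length() - 1}"
    lines = [f"{'p':>8} {'l':>6} {'AES-GCM q':>10} {'ChaCha20-Poly1305 v':>20}"]
    for p_exp, l, q, v in rows:
        lines.append(f"{'2^-' + str(p_exp):>8} {l:>6} {fmt(q):>10} {fmt(v):>20}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(example_table()))
```
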