Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?

Paul Hoffman <paul.hoffman@icann.org> Sat, 24 February 2018 16:00 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54454127077 for <cfrg@ietfa.amsl.com>; Sat, 24 Feb 2018 08:00:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4igThpGswxgm for <cfrg@ietfa.amsl.com>; Sat, 24 Feb 2018 08:00:55 -0800 (PST)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E751127058 for <cfrg@irtf.org>; Sat, 24 Feb 2018 08:00:55 -0800 (PST)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sat, 24 Feb 2018 08:00:53 -0800
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Sat, 24 Feb 2018 08:00:53 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] [Ext] Re: Analysis of ipcrypt?
Thread-Index: AQHTrUH0MeO6VVxatU2H2XlK7gdaSqO0JsgAgAANyICAAAMVgIAABT0A
Date: Sat, 24 Feb 2018 16:00:53 +0000
Message-ID: <04292D54-752E-47BF-B82A-AE9F60551AD0@icann.org>
References: <18C83761-E442-45D9-BDBF-71DC7F751007@icann.org> <CAHmME9r3awwZxjEU-HWnOCyARhBx54VOcUOFJB4opmneKdZsyA@mail.gmail.com> <72BE956C-7D0F-41BE-88DE-C7C2063A7FED@seer-grog.net> <877er4h8n5.fsf@fifthhorseman.net> <149857F4-859F-45C8-AA6E-E1F72342B988@seer-grog.net> <A17CCC93-1AEE-47E3-B1A3-CA2791AA3AE0@icann.org> <6063D40B-F8A8-4C63-92EB-53EF4DB64975@cisco.com> <CAGiyFdddeUkqhMxQLH079syiHuV3KgY3_Ko2pVxYhjd+jEUMLA@mail.gmail.com> <E04CDD47-DCB3-456E-A8A6-EE93B63442B0@seer-grog.net> <752714BA-FC71-4B37-8685-7E44A68989B5@icann.org> <CAGiyFdfA9fU0APiZznfEMKrsRiRwQDDDpBpxQ3+mk638rRka3g@mail.gmail.com>
In-Reply-To: <CAGiyFdfA9fU0APiZznfEMKrsRiRwQDDDpBpxQ3+mk638rRka3g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: multipart/signed; boundary="Apple-Mail=_C8004CEE-492A-4A95-A64E-FD315BB3E881"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GUIOWmhOyAn3Y9lo70ohxV_K7Uk>
Subject: Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Feb 2018 16:00:56 -0000

On Feb 24, 2018, at 7:42 AM, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>; wrote:
> 
> A “non-invertible” construction based on truncated AES will yield many collisions if format-preserving (hashing to a 32-bit space), and it’ll likely become partially invertible with sufficiently many known in-out pairs.

OK, then apologize for my ignorance. In truncate32(AES128(padded_32_bit_address, 128_bit_random_key)), are you saying that an attacker with lots of pairs can determine the key faster than if it was just AES128(padded_32_bit_address, 128_bit_random_key)?

--Paul Hoffman