[Cfrg] Farfalle-SANSE
Gilles Van Assche <gilles.vanassche@st.com> Fri, 02 November 2018 12:34 UTC
Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D0CE130DC1 for <cfrg@ietfa.amsl.com>; Fri, 2 Nov 2018 05:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_DYNAMIC=1.999, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mw_CdvQWVzgy for <cfrg@ietfa.amsl.com>; Fri, 2 Nov 2018 05:34:30 -0700 (PDT)
Received: from mx07-00178001.pphosted.com (mx08-00178001.pphosted.com [91.207.212.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1836D126F72 for <cfrg@irtf.org>; Fri, 2 Nov 2018 05:34:29 -0700 (PDT)
Received: from pps.filterd (m0046661.ppops.net [127.0.0.1]) by mx08-.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id wA2CSYHI028576 for <cfrg@irtf.org>; Fri, 2 Nov 2018 13:34:28 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by mx08-00178001.pphosted.com with ESMTP id 2nghk11jfj-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT) for <cfrg@irtf.org>; Fri, 02 Nov 2018 13:34:28 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id CF2F334 for <cfrg@irtf.org>; Fri, 2 Nov 2018 12:34:27 +0000 (GMT)
Received: from Webmail-eu.st.com (sfhdag6node2.st.com [10.75.127.17]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id 593C64DFB for <cfrg@irtf.org>; Fri, 2 Nov 2018 12:34:27 +0000 (GMT)
Received: from [10.137.2.67] (10.75.127.51) by SFHDAG6NODE2.st.com (10.75.127.17) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 2 Nov 2018 13:34:26 +0100
To: cfrg@irtf.org
References: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
From: Gilles Van Assche <gilles.vanassche@st.com>
Openpgp: preference=signencrypt
Autocrypt: addr=gilles.vanassche@st.com; keydata= xsDiBD8SkBwRBADFdM4ygHSMHFx6T5i2h1kJYurvDCbak3XS/+n6xLU6MXePU3PD6Onpuc9g 2lEFnVko+SrjK0+2VJOdwd5tDel1EkAVEwbB8mDNDaxyalhiLw7CQEgZVpFGgMOaFiUPUhYZ KwwkzKf9IDb5uG+DmUTSNBBBNohnhSDo9ZHxZejNPQCg/7Wg+vfKwyrniTAVOwmyzh86FgcD /RZrWc9oqkbwhJGiRtGZyZuARtDvWxwFs35UfbySbiBRrhHNezR+0XP2iI2bOSCNr2k2pP0r WA7UgQ1x/RQ+D9Abgd/P2fFSgaodKQ3MjPoKo8FS0yAMFt7crOaRQm/IuHauUXWfw4VyeXcG gKm1sMV9ApK0Xh0NLERJ9F5FtQRaA/42+3Np6IRPEqRAlyg1uAJzBa7QAXd1QTWxkzEImHvr w1Xdvo6OYNnOPe8XVoMjdY3BaZ/arKmeyScsEKczeWqNXuIPhCYo24sRw0Ug2ztnUZzyhkHQ I4BAo7uP0KC84SzTBR4ZEHZ4NJe8szxCE29DbgJ7w82WEN8fq1pytxZ2Ms0rR2lsbGVzIFZh biBBc3NjaGUgPGdpbGxlcy52YW5hc3NjaGVAc3QuY29tPsK3BBARAgB3BQJYpYPyFwoAAYAl 4V1V5bnd3l+yv2GEFv/VwMI2IBQAAAAAABYAAWtleS11c2FnZS1tYXNrQHBncC5jb22NCAsJ CAcDAgEKAhkBFhhsZGFwOi8vcGdwLXNtZC5zdC5jb20FGwMAAAADFgIBBR4BAAAABBUICQoA CgkQc/9XCxoSKFjLDwCfQM7xiXDWVlNoNoyBQMi/kEYG6oQAnifl72lD+g5rmSxgjML5t9Pi w66rzsFNBD8SkBwQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz 0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPF RzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgN RR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgR jXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7 AAICCACzlrAg+Re240hxYkSqg8XOPMsVA7LUu+ukInygJM20pTY0y9mVl4JxNucTnsa98Y5k umgx5f2kvoWIWyo7iTFVebFJd/DUW7TGtnwt6fM+yvGReh3HfrIvjnogkSD09stPCsqMrASn He7wFwrKlBKNC1ePdKtk6BUyrjjbNFgLXak3E9A4ISXV31c43iRz/y2GNg8GljbnKwyyBgsx +oHIqiyz3S0lsFqHhkocYQrobm1HIAGCZsKSIIGQRVtNijq+4gxG/dnD2RlLHCoQEk6vdsmg EOvD3Ylqk85j2VV9gdnVWDbCZeo+RmX4ZzOc5JA0e/rCh2H8VS+WDdmNo+fowkwEGBECAAwF Aj8SkBwFGwwAAAAACgkQc/9XCxoSKFjvmgCfYxaz3jP35HUmtYu5DSH+fktMwuQAoMitXa0b 5wlXzvzHaXtqpPhetYjM
Message-ID: <415bf880-f1ea-d036-c046-b29f19abed5e@st.com>
Date: Fri, 02 Nov 2018 13:35:41 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Originating-IP: [10.75.127.51]
X-ClientProxiedBy: SFHDAG4NODE3.st.com (10.75.127.12) To SFHDAG6NODE2.st.com (10.75.127.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-11-02_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HxCKQ63XaQtfc8f1S8IK80WLvIg>
Subject: [Cfrg] Farfalle-SANSE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Nov 2018 12:34:34 -0000
Dear all, On a related note, we published at ToSC last year (and presented at FSE 2018) the Kravatte pseudo-random function [1], to which an SIV mode can be attached. More specifically, we recently specified the SIV-based authenticated encryption scheme Kravatte-SANSE [2]. As a feature, it also supports sessions, for use cases where multiple messages are exchanged and where each tag authenticates all messages already sent so far in the session. This function is based on the 6-round Keccak-p permutation and performs well in software without AES hardware acceleration. For instance, Kravatte-SANSE processes plaintext and metadata at 1.32 cycles/byte on Skylake and at 0.84 c/b on SkylakeX processors. Would this be of interest to CFRG? Kind regards, Guido, Joan, Seth, Michaël, Gilles and Ronny [1] https://tosc.iacr.org/index.php/ToSC/article/view/855 [2] https://keccak.team/2018/kravatte_sane_sanse.html On 4/10/18 12:12, Neil Madden wrote: > Hi, > > I am interested in adapting the SIV construction to other ciphers and MAC algorithms. As currently specified in RFC 5297, the mode is only defined for a MAC (AES-CMAC) that produces a 128-bit tag length. Furthermore, it assumes that the tag length is exactly the same as the nonce/IV required by the cipher (i.e., also 128-bits for AES-CTR). This restriction to limit the authentication strength of the AEAD based on the length of the required nonce for confidentiality seems somewhat artificial to me. > > As a concrete example, I am interested in SIV constructions based on XSalsa20 (or XChaCha20 as recently proposed on this list) together with some keyed hash MAC, such as HMAC-SHA256 or Blake2. XSalsa20 requires a nonce of 192-bits, while HMAC-SHA256 produces a MAC tag of 256 bits. I have a draft recommending MRAE modes for JOSE, and would like to include one non-AES algorithm that can be implemented well in software on platforms without AES hardware acceleration. > > I believe that there are just two adaptions needed to make this work: > > 1. Adjusting the conditional XOR constant used in the doubling operation in s2v (https://tools.ietf.org/html/rfc5297#section-2.3) to account for other field sizes. > 2. Defining the nonce used as input to the cipher as the left-most n bits of the authentication tag returned from s2v, where n is the size of the nonce required by the cipher (i.e., the full tag is output, but a truncation of it is used as the nonce). > > For step 1, based on the comments in [1] and the table of primitive polynomials from [2], I think the polynomials and corresponding constants to use for different values of n (bit length of MAC output) are: > > n = 128 gives x^128 + x^7 + x^2 + x + 1 and constant = 0^{120}10000111 (= 0x87 with leading 0s) > n = 192 gives x^192 + x^7 + x^2 + x + 1 and constant = 0^{184}10000111 (= 0x87 with more leading 0s) > n = 256 gives x^256 + x^10 + x^5 + x^2 + 1 and constant = 0^{245}10000100101 (= 0x00..0425) > > Is this something that CFRG might support if I submitted a draft? > > Regards, > > Neil > > [1]: http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf > [2]: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.365.1806&rep=rep1&type=pdf > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Extending SIV to other ciphers and MAC alg… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… John Mattsson
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Paterson, Kenny
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Alexandre Anzala-Yamajako
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Tony Arcieri
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… John Mattsson
- [Cfrg] Farfalle-SANSE Gilles Van Assche
- [Cfrg] Kravatte-SANSE Gilles Van Assche
- Re: [Cfrg] Kravatte-SANSE Russ Housley
- Re: [Cfrg] Kravatte-SANSE Gilles Van Assche
- Re: [Cfrg] Farfalle-SANSE Nick Sullivan
- Re: [Cfrg] Kravatte-SANSE Gilles Van Assche