Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Thu, 04 October 2018 12:05 UTC

From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Neil Madden <neil.e.madden@gmail.com>, "cfrg@ietf.org" <cfrg@ietf.org>
Date: Thu, 04 Oct 2018 12:05:33 +0000
Message-ID: <987DD4D3-7D55-439C-A2A8-36612F8388FA@rhul.ac.uk>
References: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
In-Reply-To: <3ACA1E7B-DEAF-4474-8C12-702617F0DF64@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/I357sF5p4ymPm-Ov936CIsNlgcs>

Dear Neil,

Speaking without my co-chair hat on: I think this could be interesting and useful. Have you by any chance looked at the portfolio of AEADs that has come out of the CAESAR competition to see if any of them would meet your needs?

https://competitions.cr.yp.to/caesar-submissions.html

Best wishes,

Kenny


-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Neil Madden <neil.e.madden@gmail.com>
Date: Thursday, 4 October 2018 at 11:12
To: "cfrg@ietf.org" <cfrg@ietf.org>
Subject: [Cfrg] Extending SIV to other ciphers and MAC algorithms

    Hi,
    
    I am interested in adapting the SIV construction to other ciphers and MAC algorithms. As currently specified in RFC 5297, the mode is only defined for a MAC (AES-CMAC) that produces a 128-bit tag length. Furthermore, it assumes that the tag length is exactly the same as the nonce/IV required by the cipher (i.e., also 128 bits for AES-CTR). This restriction to limit the authentication strength of the AEAD based on the length of the required nonce for confidentiality seems somewhat artificial to me.
    
    As a concrete example, I am interested in SIV constructions based on XSalsa20 (or XChaCha20 as recently proposed on this list) together with some keyed hash MAC, such as HMAC-SHA256 or Blake2. XSalsa20 requires a nonce of 192 bits, while HMAC-SHA256 produces a MAC tag of 256 bits. I have a draft recommending MRAE modes for JOSE, and would like to include one non-AES algorithm that can be implemented well in software on platforms without AES hardware acceleration.
    
    I believe that there are just two adaptations needed to make this work:
    
    1. Adjusting the conditional XOR constant used in the doubling operation in s2v (https://tools.ietf.org/html/rfc5297#section-2.3) to account for other field sizes.
    2. Defining the nonce used as input to the cipher as the left-most n bits of the authentication tag returned from s2v, where n is the size of the nonce required by the cipher (i.e., the full tag is output, but a truncation of it is used as the nonce).
    
    For step 1, based on the comments in [1] and the table of primitive polynomials from [2], I think the polynomials and corresponding constants to use for different values of n (bit length of MAC output) are:
    
    n = 128 gives x^128 + x^7 + x^2 + x + 1 and constant = 0^{120}10000111 (= 0x87 with leading 0s)
    n = 192 gives x^192 + x^7 + x^2 + x + 1 and constant = 0^{184}10000111 (= 0x87 with more leading 0s)
    n = 256 gives x^256 + x^10 + x^5 + x^2 + 1 and constant = 0^{245}10000100101 (= 0x00..0425)
    
    Is this something that CFRG might support if I submitted a draft?
    
    Regards,
    
    Neil
    
    [1]: http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf
    [2]: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.365.1806&rep=rep1&type=pdf
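A worked version of the two adaptations proposed in the quoted message, added here as an example; it is not code from the thread, from RFC 5297, or from any JOSE draft. It generalises the s2v doubling step to the field sizes and reduction constants listed above (0x87 for n = 128 and n = 192, 0x425 for n = 256), runs s2v over HMAC-SHA256 as the 256-bit PRF, and uses the left-most 192 bits of the full tag as the cipher nonce. Python's standard library has no XSalsa20/XChaCha20, so the stream cipher is a clearly labelled stand-in (an HMAC-SHA256 counter keystream) that only shares the key/nonce/data interface; the keys and messages are constructed values.

```python
"""Generalised SIV: s2v over an n-bit PRF plus tag truncation for the nonce.

Added example; not the code of RFC 5297 or of the quoted message's author.
"""
import hmac
import hashlib

# Reduction constants for dbl() in GF(2^n), taken from the message's table:
# the polynomial with its x^n term dropped, as an integer.
DBL_CONSTANT = {128: 0x87, 192: 0x87, 256: 0x425}

TAG_BYTES = 32    # HMAC-SHA256 output, n = 256 bits
NONCE_BYTES = 24  # XSalsa20 / XChaCha20 nonce, 192 bits


def dbl(block: bytes) -> bytes:
    """Multiply `block` by x in GF(2^n), n = 8 * len(block)."""
    n = 8 * len(block)
    v = int.from_bytes(block, "big")
    carry = (v >> (n - 1)) & 1            # the bit shifted out of the top
    v = (v << 1) & ((1 << n) - 1)
    if carry:                             # conditional XOR with the constant
        v ^= DBL_CONSTANT[n]
    return v.to_bytes(len(block), "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(s: bytes, n_bytes: int) -> bytes:
    """10* padding of a short final string up to n bits (RFC 5297 pad())."""
    return s + b"\x80" + b"\x00" * (n_bytes - len(s) - 1)


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def s2v(key: bytes, strings, prf=hmac_sha256, n_bytes: int = TAG_BYTES) -> bytes:
    """RFC 5297 s2v with the block size taken from the PRF output length."""
    if not strings:                       # empty vector: PRF(<one>)
        return prf(key, (1).to_bytes(n_bytes, "big"))
    d = prf(key, bytes(n_bytes))          # PRF(<zero>)
    for s in strings[:-1]:
        d = xor(dbl(d), prf(key, s))
    last = strings[-1]
    if len(last) >= n_bytes:              # xorend: XOR D into the right-most n bits
        t = last[:-n_bytes] + xor(last[-n_bytes:], d)
    else:
        t = xor(dbl(d), pad(last, n_bytes))
    return prf(key, t)


def demo_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """STAND-IN for XSalsa20/XChaCha20 (assumption for this example only):
    an HMAC-SHA256 counter-mode keystream with the same key/nonce/data shape."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hmac_sha256(key, nonce + ctr.to_bytes(8, "big"))
        ctr += 1
    return xor(data, bytes(stream[: len(data)]))


def siv_encrypt(k_mac: bytes, k_enc: bytes, ad, plaintext: bytes,
                cipher=demo_stream_cipher) -> bytes:
    """Output is the full 256-bit tag followed by the ciphertext (V || C)."""
    tag = s2v(k_mac, list(ad) + [plaintext])   # full tag is kept for verification
    nonce = tag[:NONCE_BYTES]                  # adaptation 2: left-most 192 bits
    return tag + cipher(k_enc, nonce, plaintext)


def siv_decrypt(k_mac: bytes, k_enc: bytes, ad, ciphertext: bytes,
                cipher=demo_stream_cipher):
    """Returns the plaintext, or None when the full tag does not verify."""
    if len(ciphertext) < TAG_BYTES:
        return None
    tag, body = ciphertext[:TAG_BYTES], ciphertext[TAG_BYTES:]
    plaintext = cipher(k_enc, tag[:NONCE_BYTES], body)
    if not hmac.compare_digest(s2v(k_mac, list(ad) + [plaintext]), tag):
        return None                            # reject; never release the plaintext
    return plaintext


if __name__ == "__main__":
    km, ke = b"m" * 32, b"e" * 32              # constructed keys
    ct = siv_encrypt(km, ke, [b"header"], b"hello siv")
    print(ct.hex())
    print(siv_decrypt(km, ke, [b"header"], ct))
```

Encryption is deterministic by construction (same keys, AD and plaintext give the same V || C), which is the MRAE property the draft is after; on the receiving side the full 256-bit tag is compared, so truncating to a 192-bit nonce costs nothing in authentication strength.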