IETF Logo Mail Archive

Re: [Cfrg] Do we need a selection contest for AEAD?

Mridul Nandi <mridul.nandi@gmail.com> Wed, 24 June 2020 17:35 UTC

Return-Path: <mridul.nandi@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2463A10A7 for <cfrg@ietfa.amsl.com>; Wed, 24 Jun 2020 10:35:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kk6KcHtaH2NR for <cfrg@ietfa.amsl.com>; Wed, 24 Jun 2020 10:34:58 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05A553A084F for <cfrg@irtf.org>; Wed, 24 Jun 2020 10:34:58 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id y5so3032472iob.12 for <cfrg@irtf.org>; Wed, 24 Jun 2020 10:34:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Vgl+yYsyARbFDqg9j/N4qKWMpQhvT3yo683Dk/fHoA0=; b=ctorvlsqDyWmAvITJbyiE0kxrr/3USUuedAYJmR1EQo2oXj/9fTONYwhbM3LzJFEwn IR8D8Jjo0GypOL08P5fHXrxfmtgUxas6p8GEVdiogdlSH5rOmemqOrT/GCqGoKGsCJ6N AJlSuc0sfsShCxQwfUpMvQ42/p1YfLcjn7bZ/1ClXh+VB/j3Rnw2rKQLjyTbtWq358wK f6iQMpQTEy76OhrmjcinMBYFHOprsXEO+zrPjAG16yXv+e4VVcMz0T3NcDI8EmxVYFHJ SNc5pXm4lfAOPHhrVvWi8a5RgdoOshSIWCU7IeNscOwT5V4MpM+CnbHwwushSipZ+3Q1 aTXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Vgl+yYsyARbFDqg9j/N4qKWMpQhvT3yo683Dk/fHoA0=; b=mVvqUY3uuhFSY44SjAC0sd/GDQmu+2ZEG5w+ZgSg74PP2dKNXLAc3ofo1gvn2GngLF 8CGbetw5HD7UHvfwd+GYgLsG+R67DDmgQr55jI4e8VYOXC7Tn34vQ+ZTN/k+HeypiXFw g3xkjxeccUqXMM9hrN6MjtF3DlvqaX2dH41iImF7fe9pOIbCLzAYRhzmdEfojgiWgvxU W4F87kaYIRPm7atE1x4rIDh0FcmSlMZXALzX6WVyy9zOMyIYriZf64xcdtAaotgmHgP+ DuCVQbP1CZ+SD0O3EBCO3/nCLFOZL5P7MDhLBaO/IRCpUuCyBgdBEz2g5PuL0s83l6eP jBKw==
X-Gm-Message-State: AOAM5314q8NjTTGNaiHq+6cp7GNps1x9NsnLUzgo6dZW5FSIYgI16d6o UumsLLBirquqtMaI51wCpXLFYYYNVugoVZayY2u4lIWf
X-Google-Smtp-Source: ABdhPJyUWvwk8cNrejgJii3o6Vs8viVtNVlIGh4uKXbYHTenJHoC0A5pYYTxDPYCTaEX/6uZvdueNf6hWiS2fm52lbA=
X-Received: by 2002:a5d:9052:: with SMTP id v18mr31957972ioq.116.1593020096892; Wed, 24 Jun 2020 10:34:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com> <CAKDPBw8oRZoBzCQv4yfM_QwGyHtqU42VXuV97MytjzsqyQJvcw@mail.gmail.com> <CAMvzKsh4LsnRNkHdhENvn_EQkiNKpi-n8Z7ByKHLDBCrTyyarg@mail.gmail.com> <36E536DC-5107-40C7-92CD-17C21F52C37F@ll.mit.edu>
In-Reply-To: <36E536DC-5107-40C7-92CD-17C21F52C37F@ll.mit.edu>
From: Mridul Nandi <mridul.nandi@gmail.com>
Date: Wed, 24 Jun 2020 23:04:45 +0530
Message-ID: <CAJBmYM_sDQKbf=TamAs2G=e-=3mkG-U+rwmyTu5jGJJM3KaiJw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000fed46805a8d7e4bb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Jsi-M8STR4FvQEdepXRTYaW8nvQ>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 17:35:01 -0000

Dear all,

I think we are lacking formal added security requirements of AEAD.
Beyond the classical definition of AEAD, it would be really interesting if
we can list the additional features in a more formal way..   So I like the
idea of "meta-competition" for discussing and prioritizing requirements and
use cases.  After looking at the outcome of the discussion we may decide
whether a competition is indeed helpful or not.  Even if we decide not to
proceed with a competition, the community can try to design satisfying
certain features discussed in that meta-competition..  This would at least
help to understand which features are meaningful and how/where it is
meaningful to pursue further research in this direction.

Thanks and regards,
Mridul Nandi
Associate Professor
Indian Statistical Institute
Kolkata



On Wed, Jun 24, 2020 at 10:44 PM Blumenthal, Uri - 0553 - MITLL <
uri@ll.mit.edu> wrote:

> I don't support that idea, because different use cases require different
> "optimizations". My use case doesn't care for nonce hiding, but cares very
> much for performance, and for the ability to have defined security bounds
> for truncated synthetic IV.
>
> There is no "one size fits all", or "one champion fits all". Even CAESAR
> results may not be granular enough (several categories, with a winner in
> each one).
>
> Or are you planning to have a *separate* competition for *each* of those
> listed below:
>
>     they have a clear guide what to choose from. Whether this is
>     committing, remotely-keyed, ZK-friendly, lightweight,
>     side-channel-resistant, nonce-misuse resistant, nonce-hiding,
>     beyond-birthday, etc.
>
> On 6/24/20, 13:09, "Cfrg on behalf of Yevgeniy Dodis" <cfrg-bounces@irtf..org
> on behalf of dodis@cs.nyu.edu> wrote:
>
>     I support Paul's idea. I feel AEAD landscape is getting a bit out of
>     hand, even despite the CEASAR competition.
>     Would be good to bring back more structure and understanding, so when
>     people in the industry need an AEAD scheme,
>     they have a clear guide what to choose from. Whether this is
>     committing, remotely-keyed, ZK-friendly, lightweight,
>     side-channel-resistant, nonce-misuse resistant, nonce-hiding,
>     beyond-birthday, etc.
>
>     On Wed, Jun 24, 2020 at 12:34 PM Paul Grubbs <pag225@cornell.edu>
> wrote:
>     >
>     > I think an AEAD competition is a great idea. Recently I've been
> studying the AEAD landscape, and there seem to be a lot of gaps between the
> needs of applications/protocols and the properties widely-used schemes
> provide. To address this and get a sense of which needs are most pressing,
> it might be good to have the first round be more of a "meta-competition"
> for discussing and prioritizing requirements and use cases. The result of
> this would be an (ideally small) list of well-defined design targets, for
> which people can propose schemes in subsequent rounds.
>     >
>     > I'd also like to suggest another use case for AEAD: ZK-friendly AEAD
> modes. These modes would be compatible with efficient ZK proof systems and
> would make it easy to prove properties of plaintexts in zero knowledge.
>     >
>     > On Fri, Jun 19, 2020 at 1:32 PM Stanislav V. Smyshlyaev <
> smyshsv@gmail.com> wrote:
>     >>
>     >> Dear CFRG,
>     >>
>     >> The chairs would like to ask for opinions whether it seems
> reasonable to initiate an AEAD mode selection contest in CFRG, to review
> modern AEAD modes and recommend a mode (or several modes) for the IETF.
>     >>
>     >> We’ve recently had a CAESAR contest, and, of course, its results
> have to be taken into account very seriously. In addition to the properties
> that were primarily addressed during the CAESAR contest (like protection
> against side-channel attacks, authenticity/limited privacy damage in case
> of nonce misuse or release of unverified plaintexts, robustness in such
> scenarios as huge amounts of data), the following properties may be
> especially important for the usage of AEAD mechanisms in IETF protocols:
>     >> 1) Leakage resistance.
>     >> 2) Incremental AEAD.
>     >> 3) Commitment AEAD (we've had a discussion in the list a while ago).
>     >> 4) RUP-security (it was discussed in the CAESAR contest, but the
> finalists may have some issues with it, as far as I understand).
>     >> 5) Ability to safely encrypt a larger maximum number of bytes per
> key (discussed in QUIC WG)..
>     >>
>     >> Does this look reasonable?
>     >> Any thoughts about the possible aims of the contest?
>     >> Any other requirements for the mode?
>     >>
>     >> Regards,
>     >> Stanislav, Alexey, Nick
>     >> _______________________________________________
>     >> Cfrg mailing list
>     >> Cfrg@irtf.org
>     >> https://www.irtf.org/mailman/listinfo/cfrg
>     >
>     > _______________________________________________
>     > Cfrg mailing list
>     > Cfrg@irtf.org
>     > https://www.irtf.org/mailman/listinfo/cfrg
>
>     _______________________________________________
>     Cfrg mailing list
>     Cfrg@irtf.org
>     https://www.irtf.org/mailman/listinfo/cfrg
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email