Re: [Cfrg] Do we need a selection contest for AEAD?
Mridul Nandi <mridul.nandi@gmail.com> Wed, 24 June 2020 17:35 UTC
Return-Path: <mridul.nandi@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2463A10A7 for <cfrg@ietfa.amsl.com>; Wed, 24 Jun 2020 10:35:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kk6KcHtaH2NR for <cfrg@ietfa.amsl.com>; Wed, 24 Jun 2020 10:34:58 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05A553A084F for <cfrg@irtf.org>; Wed, 24 Jun 2020 10:34:58 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id y5so3032472iob.12 for <cfrg@irtf.org>; Wed, 24 Jun 2020 10:34:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Vgl+yYsyARbFDqg9j/N4qKWMpQhvT3yo683Dk/fHoA0=; b=ctorvlsqDyWmAvITJbyiE0kxrr/3USUuedAYJmR1EQo2oXj/9fTONYwhbM3LzJFEwn IR8D8Jjo0GypOL08P5fHXrxfmtgUxas6p8GEVdiogdlSH5rOmemqOrT/GCqGoKGsCJ6N AJlSuc0sfsShCxQwfUpMvQ42/p1YfLcjn7bZ/1ClXh+VB/j3Rnw2rKQLjyTbtWq358wK f6iQMpQTEy76OhrmjcinMBYFHOprsXEO+zrPjAG16yXv+e4VVcMz0T3NcDI8EmxVYFHJ SNc5pXm4lfAOPHhrVvWi8a5RgdoOshSIWCU7IeNscOwT5V4MpM+CnbHwwushSipZ+3Q1 aTXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Vgl+yYsyARbFDqg9j/N4qKWMpQhvT3yo683Dk/fHoA0=; b=mVvqUY3uuhFSY44SjAC0sd/GDQmu+2ZEG5w+ZgSg74PP2dKNXLAc3ofo1gvn2GngLF 8CGbetw5HD7UHvfwd+GYgLsG+R67DDmgQr55jI4e8VYOXC7Tn34vQ+ZTN/k+HeypiXFw g3xkjxeccUqXMM9hrN6MjtF3DlvqaX2dH41iImF7fe9pOIbCLzAYRhzmdEfojgiWgvxU W4F87kaYIRPm7atE1x4rIDh0FcmSlMZXALzX6WVyy9zOMyIYriZf64xcdtAaotgmHgP+ DuCVQbP1CZ+SD0O3EBCO3/nCLFOZL5P7MDhLBaO/IRCpUuCyBgdBEz2g5PuL0s83l6eP jBKw==
X-Gm-Message-State: AOAM5314q8NjTTGNaiHq+6cp7GNps1x9NsnLUzgo6dZW5FSIYgI16d6o UumsLLBirquqtMaI51wCpXLFYYYNVugoVZayY2u4lIWf
X-Google-Smtp-Source: ABdhPJyUWvwk8cNrejgJii3o6Vs8viVtNVlIGh4uKXbYHTenJHoC0A5pYYTxDPYCTaEX/6uZvdueNf6hWiS2fm52lbA=
X-Received: by 2002:a5d:9052:: with SMTP id v18mr31957972ioq.116.1593020096892; Wed, 24 Jun 2020 10:34:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com> <CAKDPBw8oRZoBzCQv4yfM_QwGyHtqU42VXuV97MytjzsqyQJvcw@mail.gmail.com> <CAMvzKsh4LsnRNkHdhENvn_EQkiNKpi-n8Z7ByKHLDBCrTyyarg@mail.gmail.com> <36E536DC-5107-40C7-92CD-17C21F52C37F@ll.mit.edu>
In-Reply-To: <36E536DC-5107-40C7-92CD-17C21F52C37F@ll.mit.edu>
From: Mridul Nandi <mridul.nandi@gmail.com>
Date: Wed, 24 Jun 2020 23:04:45 +0530
Message-ID: <CAJBmYM_sDQKbf=TamAs2G=e-=3mkG-U+rwmyTu5jGJJM3KaiJw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000fed46805a8d7e4bb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Jsi-M8STR4FvQEdepXRTYaW8nvQ>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 17:35:01 -0000
Dear all, I think we are lacking formal added security requirements of AEAD. Beyond the classical definition of AEAD, it would be really interesting if we can list the additional features in a more formal way.. So I like the idea of "meta-competition" for discussing and prioritizing requirements and use cases. After looking at the outcome of the discussion we may decide whether a competition is indeed helpful or not. Even if we decide not to proceed with a competition, the community can try to design satisfying certain features discussed in that meta-competition.. This would at least help to understand which features are meaningful and how/where it is meaningful to pursue further research in this direction. Thanks and regards, Mridul Nandi Associate Professor Indian Statistical Institute Kolkata On Wed, Jun 24, 2020 at 10:44 PM Blumenthal, Uri - 0553 - MITLL < uri@ll.mit.edu> wrote: > I don't support that idea, because different use cases require different > "optimizations". My use case doesn't care for nonce hiding, but cares very > much for performance, and for the ability to have defined security bounds > for truncated synthetic IV. > > There is no "one size fits all", or "one champion fits all". Even CAESAR > results may not be granular enough (several categories, with a winner in > each one). > > Or are you planning to have a *separate* competition for *each* of those > listed below: > > they have a clear guide what to choose from. Whether this is > committing, remotely-keyed, ZK-friendly, lightweight, > side-channel-resistant, nonce-misuse resistant, nonce-hiding, > beyond-birthday, etc. > > On 6/24/20, 13:09, "Cfrg on behalf of Yevgeniy Dodis" <cfrg-bounces@irtf..org > on behalf of dodis@cs.nyu.edu> wrote: > > I support Paul's idea. I feel AEAD landscape is getting a bit out of > hand, even despite the CEASAR competition. > Would be good to bring back more structure and understanding, so when > people in the industry need an AEAD scheme, > they have a clear guide what to choose from. Whether this is > committing, remotely-keyed, ZK-friendly, lightweight, > side-channel-resistant, nonce-misuse resistant, nonce-hiding, > beyond-birthday, etc. > > On Wed, Jun 24, 2020 at 12:34 PM Paul Grubbs <pag225@cornell.edu> > wrote: > > > > I think an AEAD competition is a great idea. Recently I've been > studying the AEAD landscape, and there seem to be a lot of gaps between the > needs of applications/protocols and the properties widely-used schemes > provide. To address this and get a sense of which needs are most pressing, > it might be good to have the first round be more of a "meta-competition" > for discussing and prioritizing requirements and use cases. The result of > this would be an (ideally small) list of well-defined design targets, for > which people can propose schemes in subsequent rounds. > > > > I'd also like to suggest another use case for AEAD: ZK-friendly AEAD > modes. These modes would be compatible with efficient ZK proof systems and > would make it easy to prove properties of plaintexts in zero knowledge. > > > > On Fri, Jun 19, 2020 at 1:32 PM Stanislav V. Smyshlyaev < > smyshsv@gmail.com> wrote: > >> > >> Dear CFRG, > >> > >> The chairs would like to ask for opinions whether it seems > reasonable to initiate an AEAD mode selection contest in CFRG, to review > modern AEAD modes and recommend a mode (or several modes) for the IETF. > >> > >> We’ve recently had a CAESAR contest, and, of course, its results > have to be taken into account very seriously. In addition to the properties > that were primarily addressed during the CAESAR contest (like protection > against side-channel attacks, authenticity/limited privacy damage in case > of nonce misuse or release of unverified plaintexts, robustness in such > scenarios as huge amounts of data), the following properties may be > especially important for the usage of AEAD mechanisms in IETF protocols: > >> 1) Leakage resistance. > >> 2) Incremental AEAD. > >> 3) Commitment AEAD (we've had a discussion in the list a while ago). > >> 4) RUP-security (it was discussed in the CAESAR contest, but the > finalists may have some issues with it, as far as I understand). > >> 5) Ability to safely encrypt a larger maximum number of bytes per > key (discussed in QUIC WG).. > >> > >> Does this look reasonable? > >> Any thoughts about the possible aims of the contest? > >> Any other requirements for the mode? > >> > >> Regards, > >> Stanislav, Alexey, Nick > >> _______________________________________________ > >> Cfrg mailing list > >> Cfrg@irtf.org > >> https://www.irtf.org/mailman/listinfo/cfrg > > > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Do we need a selection contest for AEAD? Stanislav V. Smyshlyaev
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Mihir Bellare
- Re: [Cfrg] Do we need a selection contest for AEA… Eric Rescorla
- Re: [Cfrg] Do we need a selection contest for AEA… Daniel Franke
- Re: [Cfrg] Do we need a selection contest for AEA… Wasa Bee
- Re: [Cfrg] Do we need a selection contest for AEA… Martin Thomson
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Paul Grubbs
- Re: [Cfrg] Do we need a selection contest for AEA… Yevgeniy Dodis
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Mridul Nandi
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Mihir Bellare
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… Jim Schaad
- Re: [Cfrg] Do we need a selection contest for AEA… Martin Thomson
- Re: [Cfrg] Do we need a selection contest for AEA… Stephen Farrell
- Re: [Cfrg] Do we need a selection contest for AEA… Jim Schaad
- Re: [Cfrg] Do we need a selection contest for AEA… Michael StJohns