[Cfrg] comments on draft-mcgrew-auth-enc-03.txt
Phillip Rogaway <rogaway@cs.ucdavis.edu> Wed, 15 August 2007 09:29 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ILFCR-0000M2-Kh; Wed, 15 Aug 2007 05:29:59 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ILFCQ-0000Lx-PB for cfrg@ietf.org; Wed, 15 Aug 2007 05:29:58 -0400
Received: from smtp.cs.ucdavis.edu ([169.237.4.8]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1ILFCP-0007wT-7s for cfrg@ietf.org; Wed, 15 Aug 2007 05:29:58 -0400
X-ASG-Debug-ID: 1187170190-123400000000-gZ1F82
X-ASG-Debug-ID: 1187170190-123400000000-gZ1F82
X-Barracuda-URL: http://169.237.4.8:8000/cgi-bin/mark.cgi
X-Barracuda-Connect: ocb.cs.ucdavis.edu[169.237.6.151]
X-Barracuda-Start-Time: 1187170190
Received: from ocb.cs.ucdavis.edu (ocb.cs.ucdavis.edu [169.237.6.151]) by smtp.cs.ucdavis.edu (Spam Firewall) with ESMTP id EE22E2F6A3; Wed, 15 Aug 2007 02:29:50 -0700 (PDT)
Received: from localhost (ocb.cs.ucdavis.edu [169.237.6.151]) by ocb.cs.ucdavis.edu (8.12.8/8.12.8) with ESMTP id l7F9SbAm006365; Wed, 15 Aug 2007 02:28:40 -0700
Date: Wed, 15 Aug 2007 16:29:50 +0700
From: Phillip Rogaway <rogaway@cs.ucdavis.edu>
To: "David A.McGrew" <david.a.mcgrew@mindspring.com>
X-ASG-Orig-Subj: comments on draft-mcgrew-auth-enc-03.txt
Message-ID: <Pine.WNT.4.64.0708151623170.4240@rogawaypan>
X-X-Sender: rogaway@rogawaypan
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at cs.ucdavis.edu
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.25592 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b7d60495f1a7f2e853e8cbae7e6dbfc
Cc: cfrg@ietf.org
Subject: [Cfrg] comments on draft-mcgrew-auth-enc-03.txt
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi David, In an earlier email (6 Oct 2006) (cc'ed to the cfrg) I passed on some comments on draft-mcgrew-auth-enc-00.txt. I've just taken a look at latest incantation, draft-mcgrew-auth-enc-03.txt (July 6, 2007), so thought to pass on some fresh comments. Since my comments are critical, I think I should say up front that I think the draft is greatly improved since the -00 version that I reviewed last year, and, also, that I think that an RFC along these lines might be valuable. 1. Nonces and the specific AEAD goals you intend Your ID says that "Each nonce provided to distinct invocations of the Authenticated Encryption operation MUST be distinct, for any particular value of the key." This statement stands in direct contradiction to your later statement that "The number of octets in the nonce MAY be zero". (This latter statement is itself ambiguous, either asserting that a _given_ nonce may have zero bytes (N_MIN = 0), or that all nonces will (N_MAX = 0).) The requirement that a nonce never repeats precludes the possibility of an appropriately-long user-supplied random value. Say this explicitly if you really mean it. But I myself would find this an odd choice; to me, a random nonce isn't just a _reasonable_ thing for the user to be able to supply, it's a _canonical_ thing to supply! If you mean to prohibit the user from providing random nonces, I can only assume this is rooted in experience that this is something so easily messed up that users of a cryptographic interface must NOT be allowed to do it.... In general, though, I find entire story on nonces, and how they relate to the cryptographic goal one is aiming for, to be kind of muddy. Eg., we are told that a probabilistic encryption scheme may use a zero-length nonce, but you don't say that a probabilistic scheme MUST use a zero-length nonce, nor do hint at what would be the intended cryptographic semantics when you have a nonce _and_ internal coins. We are not told that _only_ a probabilistic scheme may use a zero-length nonce and I cannot actually tell if you intend deterministic AE (key-wrap) to be in scope or not. You make clear that a counter may be used as a nonce, but it's unclear if it may be used (instead of coins) internally to an encryption mechanism (perhaps creating the odd asymmetry that counters may be shipped in or generated internally, but random coins MUST be generated internally). Must an (internal) counter-based scheme have N_MAX=0 and, if not, what is the meaning of supplying a nonce when there is also internal state. And so forth .... Perhaps part of the problem is that there are multiple AEAD formulations in the literature, these corresponding to some genuine difference about concerning the use of coins and state in the encryption process and whether or not an external nonce is supplied: ----------------------------------------------------------------- | Probabilistic| Stateful | Nonce-based | Deterministic | | AEAD [BN00] | AEAD [BN00] | AEAD [RBBK01,R02]| AEAD [RS06] | ----------------------------------------------------------------- coins? | yes | no | no | no | state? | no | yes | no | no | ----------------------------------------------------------------- nonce? | no | no | yes | no | ----------------------------------------------------------------- You can't quite ignore these subtleties in your ID because (a) what the user supplies to the encryption and decryption algorithms vary; (b) what is allowed in the underlying encryption algorithms varies (in terms of maintaining state or using randomness); (c) some combinations either haven't been defined or don't seem to make a whole lot of sense; and (d) a user of the interface needs to make an informed decision about what service he wants. 2. Mixing algorithms and interfaces, and SHOULD(|Nonce|=14) An interface definition ought aim to be mechanism-neutral. Indeed the high-level decision to specify in one ID both an interface and four particular algorithms feels kind of "political". One problem with mixing algorithms and an interface in one document is that it can lead one to favor the specified mechanisms (CCM and GCM) in somewhat hidden ways. For example, you say that a nonce SHOULD be 12 octets, the (somewhat idiosyncratic) choice of CCM, GCM. Why? The best reason I can think of for suggesting a particular nonce length would be the hope that a user could select this length and be sure that any mechanism conforming to all SHOULDs would support this choice. But if that's the goal you'd want to say SHOULD (N_MIN <= 12 and N_MAX >= 12), not SHOULD (N_MIN = N_MAX = 12). Still, even the relaxed SHOULD denigrates probabilistic, stateful, and deterministic encryption; perhaps one might say SHOULD ((N_MIN<=12 and N_MAX>=12)) OR (N_MIN=N_MAX=0)? But by that point it really seems better to remove any SHOULD about nonce lengths.... 3. Vector-value AD The ID says that the AD must be a string, but SIV mode, an AEAD scheme by Tom Shrimpton and me [RS06], uses a vector-valued AD. Your own ID might itself be seen as having some contents that motivate a vector-valued AD, eg, when you indicate that the AD could include addresses, ports, sequence numbers, protocol version numbers, and other fields that indicate how the plaintext or ciphertext should be handled, forwarded, or processed. In many situations, it is desirable to authenticate these fields. Note the plural, "fields"; I think the AD is quite often a list of values (more often then is a plaintext, nonce, or key). If this list must be formed into a string by the user there is a conceptual gap, a specificational gap, and a lost opportunity for optimization. See [RS06]. I am not trying to suggest that it's a terrible a thing for the AD to be a string; indeed a string AD has a different kind of elegance on it side. I'm only saying that it might be nice not to _preclude_ the AD from being a vector of strings. 4. Unbounded strings and the constants P_MAX, A_MAX, and N_MAX I understand P_MAX, A_MAX, and N_MAX to be bounds on what the mechanism is algorithmically capable of handling. One might guess the "type" of these values to be nonnegative integers. But it's more like that or "infinity": some algorithms can handle strings of any length (and indeed this is generally desirable). Be sure to indicate that these values can be nonnegative integers OR infinity. 5. Nomenclature Getting to some lower-level stuff, I'll repeat my suggestion that the term "additional authenticated data" and the acronym "AAD" be replaced by the term "associated data" and the acronym "AD". While I realize that there's some precedent for the term AAD, (a) the (relatively small amount of) scientific literature making mention of this concept seems to favor "associated data" (eg, compare google-scholar hits); (b) The phrase "additional authenticated data" makes no English-language sense: the data isn't authenticated, it's something the user _wants_ to have authenticated. (Calling it (additional) authenticated data is a bit like naming a plaintext a "jumbled string" because the user wants to encrypt it.) (c) you already use the term AEAD extensively, an acronym that stands for "authenticated encryption with associated data" -- not "authenticated encryption with additional authenticated data". I'll mention too that, given the centrality of AEAD to this document, you probably should reference [R02], where AEAD was first named, defined, and formally investigated. 6. Questionable prose Finally, a few specific statements that didn't make a whole lot of sense to me and probably should be cut: a. "When [AD, A, is used], authentication is provided without copying the data [A] into the ciphertext." Not formally meaningful, not something you're in any position to mandate, and not something anyone would even think to do! [Encode A in the plaintext, perhaps....] b. "The nonce MAY be included in P or A if it is convenient to the application." An odd suggestion. A user-supplied nonce is needed for decryption, so somehow encoding it into the plaintext would serve no ostensible purpose; regardless, a user doesn't need your blessing to put anything he wants into P. Similarly, it would be weird to put a nonce into A, since, as you point out, the nonce is already authenticated; but, regardless, this isn't for you to judge. (Actually, the one thing a user actually SHOULDN'T drop into P or A -- the key K or something derived from it -- you're silent on.) c. "The authenticated decrypt operation will, with high probability, return FAIL whenever its inputs were not created by the encrypt operation with the identical key (assuming that the AEAD algorithm is secure)." This sentence has two interpretations, the way I read it, one of which is incorrect: that the decryption of a ciphertext C under a key K' different from the encryption key K will usually result in FAIL. That reading makes sense, but the claim isn't implied by any standard notion of AE security. Best wishes, phil _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] comments on draft-mcgrew-auth-enc-03.txt Phillip Rogaway
- [Cfrg] Re: comments on draft-mcgrew-auth-enc-03.t… David A. McGrew