Re: [CFRG] AEAD limits

John Mattsson <john.mattsson@ericsson.com> Tue, 17 November 2020 09:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/L6Gv7UjIJzga607ci21mnNSDaC0>

Hi,

I think such a table would be a good idea. I think the table would be “example limits” rather than “actual limits” and should contain values for different values of p, l_p, and l_aad. This would give implementors (or people writing drafts) some guidance. It would also work like a form of test vectors. Without examples it is hard for a user of the document to check if they calculated the limits correctly.

For non-constrained environments where re-keying is easy, I think the conclusions are simple: don’t use CCM and re-key frequently. For the constrained IoT world (which currently uses AES-CCM with 32- and 64-bit MACs), I think the analysis gets more complicated, and I think there are a lot of other factors than p, l_p, and l_aad that need to be considered. I tried to summarize this in a mail to LAKE:

https://mailarchive.ietf.org/arch/msg/lake/jxnTTX2L6HM9ZeVrQ4TNHdISulA/

Cheers,
John

-----Original Message-----
From: CFRG <cfrg-bounces@irtf.org> on behalf of Yoav Nir <ynir.ietf@gmail.com>
Date: Tuesday, 17 November 2020 at 08:41
To: "<cfrg@ietf.org>" <cfrg@ietf.org>
Subject: [CFRG] AEAD limits

Following up on my mostly failed attempt to raise the issue at the meeting.

I still think we need to have, at least in an appendix, a table with actual limits in either bytes or packets.

Sure, this requires setting at least p and l.  p can be chosen arbitrarily (2^(-65)? 2^(-57)?), although I’d like an explanation of why a certain number makes sense.  l can be the row of the table.

For example, for p = 2^(-65) and l=1024 we get for AES-GCM that q<=2^22, so the table can show for this value of l 4 million packets and/or 4 GB.  For ChaCha20-Poly1305 you’d get v<=2^28 so you’d get 256 million packets or 256 GB.  With p at 2^(-57) you get other numbers. Still useful regardless of which value of p is chosen.

And one nit:  Please change the description of p in Table 1 from “Adversary attack probability” to “Adversary attack success probability”
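
The example-limits table discussed in this thread can be generated mechanically; the Python below is an added example, not part of either message or of the draft under discussion. It assumes the single-key bounds q <= (p^(1/2) * 2^(129/2) - 1) / (l + 1) for AES-GCM confidentiality and v <= (p * 2^103) / l for ChaCha20-Poly1305 integrity, which are not stated on this page; they reproduce the q<=2^22 and v<=2^28 figures quoted above for p = 2^(-65), l = 1024. The function names and the choice of rows are illustrative.

```python
from math import isqrt, log2

# Assumed bounds (not stated in the thread; they reproduce its numbers):
#   AES-GCM confidentiality:      q <= (sqrt(p) * 2^(129/2) - 1) / (l + 1)
#   ChaCha20-Poly1305 integrity:  v <= (p * 2^103) / l
# p is passed as its base-2 exponent (p = 2^log2_p) so the math stays in integers.


def gcm_max_encryptions(log2_p: int, l: int) -> int:
    """Largest q allowed by the assumed AES-GCM confidentiality bound."""
    if l < 1 or 129 + log2_p < 0:
        raise ValueError("parameters outside the range this example handles")
    root = isqrt(1 << (129 + log2_p))  # floor(sqrt(p * 2^129))
    return max((root - 1) // (l + 1), 0)


def chacha_max_forgeries(log2_p: int, l: int) -> int:
    """Largest v allowed by the assumed ChaCha20-Poly1305 integrity bound."""
    if l < 1 or 103 + log2_p < 0:
        raise ValueError("parameters outside the range this example handles")
    return (1 << (103 + log2_p)) // l


def limits_table(log2_ps, lengths):
    """One row per (p, l): (log2_p, l, q for AES-GCM, v for ChaCha20-Poly1305)."""
    return [
        (lp, l, gcm_max_encryptions(lp, l), chacha_max_forgeries(lp, l))
        for lp in log2_ps
        for l in lengths
    ]


def format_row(row) -> str:
    lp, l, q, v = row
    q_txt = f"2^{log2(q):.1f}" if q else "0"
    v_txt = f"2^{log2(v):.1f}" if v else "0"
    return f"p=2^{lp:<4} l={l:<6} AES-GCM q<={q_txt:<8} ChaCha20-Poly1305 v<={v_txt}"


if __name__ == "__main__":
    # The two candidate values of p from the message, with l as the table row.
    for row in limits_table([-65, -57], [64, 1024, 16384]):
        print(format_row(row))
```

Because the bounds are evaluated exactly, the AES-GCM entry for p = 2^(-65), l = 1024 comes out as 4190211, just under 2^22, which makes the rows usable as check values for an independent calculation.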