[Cfrg] Comments on SIV and draft-dharkins-siv-aes-00
mcgrew <mcgrew@cisco.com> Thu, 18 October 2007 20:41 UTC
Return-path: <cfrg-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1IicBj-0002nj-2r; Thu, 18 Oct 2007 16:41:51 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IicBi-0002nF-7v for cfrg@ietf.org; Thu, 18 Oct 2007 16:41:50 -0400
Received: from sj-iport-1-in.cisco.com ([171.71.176.70] helo=sj-iport-1.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1IicBd-0008Lu-TV for cfrg@ietf.org; Thu, 18 Oct 2007 16:41:50 -0400
X-IronPort-AV: E=Sophos;i="4.21,297,1188802800"; d="scan'208";a="25038617"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by sj-iport-1.cisco.com with ESMTP; 18 Oct 2007 13:41:45 -0700
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id l9IKfidw024408; Thu, 18 Oct 2007 16:41:44 -0400
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by rtp-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id l9IKerkD004433; Thu, 18 Oct 2007 20:41:28 GMT
Received: from xmb-rtp-20c.amer.cisco.com ([64.102.31.57]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 18 Oct 2007 16:41:25 -0400
Received: from 10.32.254.210 ([10.32.254.210]) by xmb-rtp-20c.amer.cisco.com ([64.102.31.57]) with Microsoft Exchange Server HTTP-DAV ; Thu, 18 Oct 2007 20:41:25 +0000
User-Agent: Microsoft-Entourage/11.2.4.060510
Date: Thu, 18 Oct 2007 13:41:21 -0700
From: mcgrew <mcgrew@cisco.com>
To: dharkins@lounge.org
Message-ID: <C33D1301.1904%mcgrew@cisco.com>
Thread-Topic: Comments on SIV and draft-dharkins-siv-aes-00
Thread-Index: AcgRxz2efG/tr326Edy4ygAUUQnMFg==
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 18 Oct 2007 20:41:25.0626 (UTC) FILETIME=[40600DA0:01C811C7]
X-TM-AS-Product-Ver: SMEX-8.0.0.1181-5.000.1023-15490.002
X-TM-AS-Result: No--22.916800-8.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=8637; t=1192740104; x=1193604104; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@cisco.com; z=From:=20mcgrew=20<mcgrew@cisco.com> |Subject:=20Comments=20on=20SIV=20and=20draft-dharkins-siv-aes-00 |Sender:=20 |To:=20<dharkins@lounge.org>; bh=dzcXaX5bJIBZakstY8iKNGSiBvu7j+xQuG/zxbonMn0=; b=iM3E0TCrRy84QF5VKcZy2Ab1+sI9WhKf+jfpJjwnGEG/uEhJtmYmHGZQCfSyeOMRs4fHue98 CKckz+Q9tdOHs7fRLHSQBm5PIBIOUdMm9YRcNCAtv8MqRatAuz74bse6;
Authentication-Results: rtp-dkim-1; header.From=mcgrew@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 3d7f2f6612d734db849efa86ea692407
Cc: cfrg@ietf.org
Subject: [Cfrg] Comments on SIV and draft-dharkins-siv-aes-00
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Hi Dan, I'm sorry to take so long in getting back to you. The new draft looks great - thanks for carrying it forward. I have a bunch of comments, some on the document, and some on SIV itself. First, a bunch of detailed comments. The abstract says that " SIV takes a key, a plaintext, and a vector of data". I think the term "vector" will not be intuitive to many readers, so perhaps it would make sense to say that the vector is "an array of variable-length octet strings", or something like that. I mean to suggest that you add text describing what is meant, rather than changing the terminology from what Phil and Tom wrote. For the key derivation application (Section 1.3.3), what would the SIV plaintext input be equal to? Would it be omitted? Also, I would guess that SIV-based key derivation would only be appropriate for deriving keys from a given key, and that it may not be suitable for use in deriving keys from data that is unpredictable but not uniformly random, as is used e.g. in Diffie-Hellman. At least, I believe that this is outside of the scope of what is claimed in the security analysis, and it would make sense to document that (after verifying with Phil and Tom). I think that it might be useful to help explain the vector of inputs by using an analogy to the POSIX "iovec" or scatter/gather functions readv and writev; these functions also allow the user to avoid data-marshalling, and they should be familiar to many implementers. Of course, the way that readv and writev work doesn't depend on the way that data is broken into smaller elements, but SIV does. Does S2V mean "vector to string"? Would "V2S" be sensible? Section 1.3.4 typo - "troughput". Also, it might be useful to provide the detail that SIV requires two passes over the data during an encryption operation, and thus is less suitable for pipelined hardware implementations. Notation "X10*" - might be notationally clearer to define p(X) as a padding function, since "X10" looks like a variable name. I like the compatibility between SIV-CTR and typical CTR implementations. Sections 3 and 6 define how to use SIV as a nonce-based AEAD, and how to use it as such in the context of [AEAD]. But I think that a bit more specificity is needed here. Section 3 seems to allow multiple "associated data" inputs, while Section 6 will need to require that there is just a single AD input. So I think that Section 3 needs to add a definition that's specific to the use of SIV together with [AEAD]. Next, some higher-level comments. First, what's the motivation for key wrapping? This is an important question that a lot of people have wrestled with. I understand from Section 1.3.1 that nonceless AEAD is valuable because there are existing protocols that do not make use of nonces, so SIV's capability for nonceless AEAD enables it to be easily adopted by these protocols. This is a very good point. Nonetheless, it does not address the question of "when should a user use nonceless AEAD?" outside of those "legacy" cases. I would expect that we would want to provide guidance that users SHOULD use nonces wherever possible, but MAY otherwise do without nonces. (Perhaps there should be an exception for cases in which determinism is essential, e.g. database applications in which plaintext-to-ciphertext mapping must be deterministic. But this is clearly a special case.) Second, I'm skeptical about the value of the vector input, so I suggest that more motivation, explanation, and an example usage or two, be added to the draft. I'll summarize my skepticism below in the hope that it will be helpful. As I understand it, the two benefits of the vector-input are that it eliminates the need for the user to marshal multiple inputs into a single input, and that it offers performance advantages in those cases that there are repeated invocations of the crypto function in which some of the inputs remain constant. Regarding performance, any AEAD algorithm can be made to support a scatter/gather or init/update/final interface as per RFC1321. It is a conventional technique to copy the intermediate state after an update operation, and then use it to process different suffixes. Beyond that, there are functions that support an "incremental" interface, in the sense of "Incremental Cryptography and Application to Virus Protection" (27th ACM Symposium on the Theory of Computing, May 1995). GMAC, and many other functions that make use of universal hashing, can be used in this way. So it is possible to reap the performance benefit claimed for SIV with some existing functions, and it's possible to realize the performance advantage without using a vector of inputs. As a concrete example, one could replace the use of AES-CMAC on a vector of inputs in SIV with a polynomial hash function (such as GHASH, the component of GCM/GMAC) applied to a single input. This would allow even *more* performance optimizations (in particular, it allows optimizations whenever there are repeated invocations of the crypto function in which *any part* of the input remains constant). In practice, it seems that these optimizations aren't used so much. I believe that the reason is because the additional complexity doesn't seem warranted when the amount of data that stays the same across invocations is small compared to the entire data. FWIW, I do think that there are applications for incremental message authentication within the area of security for data-at-rest. The key derivation example that's used to motivate the vector-of-inputs points out that in key derivation applications, it is common to have multiple inputs to the KDF, some of which stay fixed across multiple invocations of the KDF algorithm. This is true, though I question the performance gains, because I suspect that in the KDF case, there are many small inputs. I suspect that the vector approach would perform worse than the standard approach if there were ten one-byte inputs, for example. Additionally, I wonder why we're that interested in designing SIV to work well within some existing KDF models (why not just design a dedicated KDF?), and it seems to me that SIV doesn't actually fit all of the models. It seems to not be usable within draft-dang-nistkdf, because SIV requires a key as a separate and distinct input, which that draft does not provide. Also, as noted above, SIV-based KDFs may not be suitable for use in deriving keys from Diffie-Hellman (or least this use would be outside the "warranty" provided by the security analysis). Regarding the need to avoid data marshalling, it is true that in many AEAD cases, there are multiple data fields that are authenticated. However, in most of my experience (e.g. RFCs 4106 and 4543 and IEEE P1619) there is no data-marshalling issue that needs to be solved, because the fields are already contiguous, and the lengths of the fields are fixed, so there is no length-encoding overhead. In ESP (RFC 4303, not RFC 2406) and SRTP, there are AD inputs that are not contiguous, but which have fixed lengths; this is because both of these protocols have an authenticated but unencrypted header, plus an authenticated "extended sequence number" that holds the high-order bits of the sequence number, which is not carried in the packet. For these protocols, an AEAD implementation that supports an init/update/final interface is sufficient. Also, in practice these protocols are often implemented by copying the extended sequence number field. Perhaps there are other application areas in which the data-marshalling before AEAD is onerous - maybe someone can chime in. On reflection, it seems to me that the enduring advantage for using a vector of inputs is the fact that it frees the user from the need to explicitly encode the lengths of the component fields, when those fields have variable length. Of course, applications that make use of the vector-of-inputs feature will need to define how that vector is constructed, and make sure that the order of the inputs is well understood. In addition, if the applications want to make use of a conventional AEAD method as well, then they will also need to define a data-marshalling function. Thirdly, I think it would be useful and interesting to have a comparison between arbitrary-length pseudorandom permutations with associated data (such as EME and XCB) and SIV. But I think that's probably getting beyond the scope of the SIV draft ;-) Best regards, David _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Comments on SIV and draft-dharkins-siv-aes… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… mcgrew
- [Cfrg] Re: Comments on SIV and draft-dharkins-siv… Dan Harkins