Re: [Cfrg] SIV for non-AES ciphers first draft

Neil Madden <neil.e.madden@gmail.com> Tue, 18 December 2018 10:18 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Date: Tue, 18 Dec 2018 10:18:00 +0000
References: <0D91AF7A-F26F-4E20-A009-B7D75BF8107D@gmail.com> <A7D10A25-1DC1-4633-A745-64EF35BD1F8B@usfca.edu> <82273196-5DAC-4127-90B2-E7C3874A84D8@gmail.com>
To: cfrg@ietf.org
In-Reply-To: <82273196-5DAC-4127-90B2-E7C3874A84D8@gmail.com>
Message-Id: <B5AA83F9-3AB7-4E4F-9A4A-DBF7BA4D63EC@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P4ByNm8KPjPaxX1VzG6LDI9mBHA>
Subject: Re: [Cfrg] SIV for non-AES ciphers first draft

I think I will update the draft to use keyed Blake2s rather than HMAC-SHA-256, as it has several advantages in terms of speed and features. I will try and update the I-D this week.

Does anybody have any other feedback? Is the subject matter of interest to CFRG?

The draft link again: https://tools.ietf.org/html/draft-madden-generalised-siv-00

Kind regards,

Neil

> On 26 Nov 2018, at 09:41, Neil Madden <neil.e.madden@gmail.com> wrote:
> 
> I’m not wedded to HMAC-SHA256, so Blake2 is an attractive option. I went with HMAC-SHA256 because it seems good enough and fairly ubiquitous.
> 
> If we went for Blake2 then there are a number of decisions to be made:
> 
> 1. Do we pick Blake2b or Blake2s? My mild preference would be for the s variant as both cipher and MAC then work well on 32-bit systems and it requires less RAM.
> 
> 2. Do we go for 256-bit auth tag (as now), or take advantage of Blake2’s variable length output to produce a 192-bit tag, exactly matching the nonce required for XChaCha? A 256-bit auth tag is probably excessive for most uses.
> 
> 3. Do we use Blake2’s native keyed hash support or use HMAC-Blake2? See [1] for some arguments in favour of using HMAC, but then keyed Blake2 is (presumably) faster.
> 
> [1] http://noiseprotocol.org/noise.html#hash-functions-and-hashing
> 
> — Neil
> 
>> On 26 Nov 2018, at 08:07, Paul Lambert <plambert@usfca.edu> wrote:
>> 
>> On the draft …
>> Given the benefits of Blake2 and its similar construction to ChaCha, why not use Blake2 instead of HMAC-SHA-256?
>> 
>> Paul
>> 
>> 
>>> On Nov 22, 2018, at 9:22 AM, Neil Madden <neil.e.madden@gmail.com> wrote:
>>> 
>>> I have now uploaded a (very rough) first draft describing how to extend the SIV mode of operation to non-AES ciphers and MACs, as previously discussed on this list.
>>> 
>>> The I-D is available here: https://datatracker.ietf.org/doc/draft-madden-generalised-siv/
>>> The source is on Github here: https://github.com/NeilMadden/draft-madden-generalised-siv
>>> 
>>> Feedback welcome. Hopefully I’ve managed to wrestle xml2rfc to produce the right output.
>>> 
>>> Kind regards,
>>> 
>>> Neil Madden
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
>
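The thread above discusses two design points: replacing HMAC-SHA-256 with keyed Blake2s, and shrinking the authentication tag to 192 bits so that it is exactly the nonce XChaCha20 needs. The following is an added illustration of how those two choices fit together in an SIV-style deterministic AEAD; it is constructed for this page and is not the text or reference code of draft-madden-generalised-siv. Assumptions: the tag is keyed BLAKE2s (`hashlib.blake2s` with `key=` and `digest_size=24`) over a length-prefixed encoding of the associated data followed by the plaintext (a simplification standing in for the draft's S2V analogue), XChaCha20 is built from HChaCha20 plus RFC 8439 ChaCha20 with the block counter starting at 0, and the MAC key and encryption key are separate 32-byte keys. The function names (`siv_tag`, `siv_encrypt`, `siv_decrypt`, `hchacha20`, `chacha20_xor`, `xchacha20_xor`) and the sample keys and messages are mine.

```python
"""Constructed SIV-style AEAD: keyed BLAKE2s 192-bit tag reused as the
XChaCha20 nonce.  Not the construction specified in
draft-madden-generalised-siv; the tag encoding below is an assumption."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
CHACHA_CONSTANTS = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"
TAG_LEN = 24  # 192 bits: the XChaCha20 nonce size, as suggested on the list


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha_rounds(state):
    """Run the 20 ChaCha rounds (10 column/diagonal double rounds) on a copy."""
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def hchacha20(key, nonce16):
    """HChaCha20: 32-byte key + 16-byte nonce -> 32-byte subkey (no feed-forward)."""
    state = list(CHACHA_CONSTANTS) + list(struct.unpack("<8I", key)) \
        + list(struct.unpack("<4I", nonce16))
    s = _chacha_rounds(state)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))


def chacha20_xor(key, nonce12, data, counter=0):
    """RFC 8439 ChaCha20 keystream XOR (32-bit block counter, 96-bit nonce)."""
    key_words = list(struct.unpack("<8I", key))
    nonce_words = list(struct.unpack("<3I", nonce12))
    out = bytearray()
    for offset in range(0, len(data), 64):
        state = list(CHACHA_CONSTANTS) + key_words + [counter & MASK32] + nonce_words
        s = _chacha_rounds(state)
        keystream = struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(s, state)])
        out += bytes(c ^ k for c, k in zip(data[offset:offset + 64], keystream))
        counter += 1
    return bytes(out)


def xchacha20_xor(key, nonce24, data):
    """XChaCha20: subkey from the first 16 nonce bytes, then ChaCha20 with a
    4-byte zero prefix plus the remaining 8 nonce bytes (counter starts at 0)."""
    subkey = hchacha20(key, nonce24[:16])
    return chacha20_xor(subkey, b"\x00" * 4 + nonce24[16:], data)


def siv_tag(mac_key, associated_data, plaintext):
    """Keyed BLAKE2s, 24-byte output, over an injective encoding of (AD, PT):
    8-byte little-endian length of AD, then AD, then the plaintext (assumed encoding)."""
    h = hashlib.blake2s(key=mac_key, digest_size=TAG_LEN)
    h.update(struct.pack("<Q", len(associated_data)))
    h.update(associated_data)
    h.update(plaintext)
    return h.digest()


def siv_encrypt(mac_key, enc_key, associated_data, plaintext):
    """Deterministic: same (keys, AD, PT) always yields the same output."""
    tag = siv_tag(mac_key, associated_data, plaintext)
    return tag + xchacha20_xor(enc_key, tag, plaintext)  # the tag IS the nonce


def siv_decrypt(mac_key, enc_key, associated_data, ciphertext):
    """Returns the plaintext, or None on any authentication failure."""
    if len(ciphertext) < TAG_LEN:
        return None
    tag, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = xchacha20_xor(enc_key, tag, body)
    expected = siv_tag(mac_key, associated_data, plaintext)
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # never release the candidate plaintext on failure
    return plaintext


def demo():
    mac_key = bytes(range(32))      # constructed sample keys, not for real use
    enc_key = bytes(range(32, 64))
    ad, msg = b"header-v1", b"generalised SIV: the tag doubles as the XChaCha nonce"
    ct = siv_encrypt(mac_key, enc_key, ad, msg)
    assert siv_decrypt(mac_key, enc_key, ad, ct) == msg
    tampered = ct[:-1] + bytes([ct[-1] ^ 1])
    assert siv_decrypt(mac_key, enc_key, ad, tampered) is None
    return ct


if __name__ == "__main__":
    print(demo().hex())
```

Two properties worth noticing when reading this: because the tag is computed over the plaintext and then used as the nonce, encrypting the same message twice under the same keys yields identical output (the deterministic behaviour SIV is designed for, and the reason nonce reuse is not catastrophic here), and decryption must run the cipher before it can verify, so the candidate plaintext has to be withheld until the constant-time tag comparison succeeds.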