From: John Mattsson <john.mattsson@ericsson.com>
To: "Dang, Quynh H. (Fed)" <quynh.dang=40nist.gov@dmarc.ietf.org>,
	"saag@ietf.org" <saag@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Mon, 9 Sep 2024 13:48:15 +0000
Subject: [CFRG] Re: We would like to have your feedback!
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/P7wMt8cXDYp38Q5wNb2FsFDXGuQ>

Hi Quynh,

I think it is great that NIST is doing a lot of encryption again.

- Cryptographic agility is important. If AES is broken, NIST does not have any approved backup AEAD.

- Current encryption algorithms have a lot of limitations. AES-CCM and AES-GCM are limited by the narrow 128-bit block size of AES and the 128-bit digest size of GHASH. This affects both confidentiality and integrity. 96-bit nonces are too short to be used with random nonces. Of CCM, GCM, and Poly1305, only CCM with truncated tags behaves like an ideal MAC (when the number of queries is limited).

I think an AEAD mode based on Keccak has the potential to solve some of these limitations. And even if it does not, making a Keccak AEAD is a step towards a Keccak-based accordion that can. In the future I would like to see Robust AEs (RAE) with succinct commitment and very good bounds. It would be very nice with standardized encryption algorithms that can be used with many keys, many invocations per key, and long plaintexts without having to care too much about various limits and implementation/usage pitfalls.

I have not followed Keccak-based AEAD modes enough to give feedback. Does NIST have a list of constructions you are considering?

I think (docked) double-decker is a nice construction for a VIL-SPRP, I think NIST should allow TurboSHAKE, and I think a duplex mode of Keccak has use cases beyond encryption.

Cheers,
John

From: Dang, Quynh H. (Fed) <quynh.dang=40nist.gov@dmarc.ietf.org>
Date: Saturday, 7 September 2024 at 12:00
To: saag@ietf.org <saag@ietf.org>, cfrg@irtf.org <cfrg@irtf.org>
Subject: [saag] We would like to have your feedback!

Hi SAAG and CFRG,

NIST is considering whether to specify and approve one or more SHA-3 derived functions for authenticated encryption with associated data in a new, separate Special Publication. The announcement is here: https://csrc.nist.gov/News/2024/proposal-to-update-fips-202-and-revise-sp-800-185

We would like to have your comments/suggestions by October 7, 2024. They should be sent to cryptopubreviewboard@nist.gov with "Comments on FIPS 202 Decision Proposal" or "Comments on SP 800-185 Decision Proposal" in the subject line.

More information is available on the website above.

Regards,
Quynh.
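John's remark above that 96-bit nonces are too short for random nonce generation can be made quantitative with the birthday bound. The following is an added example, not code from John's message or from NIST's proposal; the 2^32 random-IV limit it mentions is the one NIST SP 800-38D places on GCM with random 96-bit IVs, and the 192-bit column is a constructed comparison point, not a construction the thread discusses.

```python
"""Birthday-bound budget for random AEAD nonces (added example).

With q nonces drawn uniformly from a space of N = 2**n values, the
probability that at least one pair repeats is about
1 - exp(-q*(q-1) / (2*N)). A repeated nonce under GCM or
ChaCha20-Poly1305 exposes the XOR of the two plaintexts, and under GCM
also the GHASH authentication key, so the budget below is the number
of messages a key may protect before that risk exceeds a target.
"""
import math


def collision_probability_exact(nonce_bits: int, messages: int) -> float:
    """Exact P[some two of `messages` uniform nonces coincide].

    Multiplies out (1 - i/N) for every i < q, so it is only practical
    for small q; it is used here to check the approximation below.
    """
    space = 2 ** nonce_bits
    log_no_collision = 0.0
    for i in range(messages):
        log_no_collision += math.log1p(-i / space)
    return -math.expm1(log_no_collision)


def collision_probability(nonce_bits: int, messages: int) -> float:
    """Standard birthday approximation, accurate when q << 2**n.

    expm1 keeps tiny probabilities (2**-33 and below) precise instead of
    losing them to cancellation in 1.0 - (1.0 - tiny).
    """
    space = 2 ** nonce_bits
    exponent = messages * (messages - 1) / (2 * space)
    return -math.expm1(-exponent)


def max_messages(nonce_bits: int, max_collision_prob: float) -> int:
    """Largest q whose birthday bound stays at or below max_collision_prob.

    Inverts the approximation: q(q-1)/(2N) <= -ln(1-p), so
    q is about sqrt(2N * -ln(1-p)).
    """
    space = 2 ** nonce_bits
    budget = -math.log1p(-max_collision_prob)  # -ln(1 - p)
    return math.isqrt(int(2 * space * budget))


def report(nonce_bits: int, messages: int, max_collision_prob: float) -> dict:
    """Summarise the random-nonce budget for one nonce length."""
    return {
        "nonce_bits": nonce_bits,
        "messages": messages,
        "collision_probability": collision_probability(nonce_bits, messages),
        "max_messages": max_messages(nonce_bits, max_collision_prob),
    }


if __name__ == "__main__":
    # SP 800-38D caps GCM at 2**32 invocations per key when the 96-bit IV
    # is random; by then the repeat probability is already about 2**-33.
    # 192 bits is a constructed comparison, not a construction from the thread.
    for bits in (96, 192):
        r = report(bits, 2 ** 32, 2 ** -32)
        print(f"{bits}-bit nonces, 2^32 messages: "
              f"P[collision] = 2^{math.log2(r['collision_probability']):.1f}; "
              f"messages for P <= 2^-32: 2^{math.log2(r['max_messages']):.1f}")
```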
