Re: [Cfrg] Extending SIV to other ciphers and MAC algorithms

Neil Madden <neil.e.madden@gmail.com> Thu, 04 October 2018 14:38 UTC


Hi Tony,

On 4 Oct 2018, at 14:25, Tony Arcieri <bascule@gmail.com> wrote:
> 
> I am also interested in alternative SIV modes...
> 
> On Thu, Oct 4, 2018 at 3:12 AM Neil Madden <neil.e.madden@gmail.com> wrote:
> As currently specified in RFC 5297, the mode is only defined for a MAC (AES-CMAC) that produces a 128-bit tag length.
> 
> ...specifically I have considered writing an I-D for PMAC, and specifying an RFC 5297-alike construction which swaps in PMAC in lieu of CMAC. I have already implemented this construction in the https://miscreant.io library.

Yes, I remember looking at miscreant. It’s a nice design.

> 
> That said...
>  
> As a concrete example, I am interested in SIV constructions based on XSalsa20 (or XChaCha20 as recently proposed on this list) together with some keyed hash MAC, such as HMAC-SHA256 or Blake2.
> 
> I think for IETF protocols you'll almost certainly want to use XChaCha20 over XSalsa20, as the latter has not been specified for IETF work, and is redundant with XChaCha20.

Thanks. I started writing some notes on this some time ago, at which point XSalsa20 was published while XChaCha20 was the “obvious” translation of the technique to ChaCha20, but didn’t seem to have a published reference document I could cite. Hopefully that will change if CFRG publish the XChaCha draft that was proposed.

> 
> If you're curious, here is some discussion about instantiating a SIV mode using ChaCha20 and Poly1305 as primitives. This is of course a bit tricky, as in the typical ChaCha20Poly1305 construction the Poly1305 key is derived from the beginning of the ChaCha20 keystream (hence why I assume you're proposing swapping in a PRF like HMAC as the basis of S2V):
> 
> https://github.com/briansmith/ring/issues/413

Yes, pretty much. The other reason was that if I found myself having to implement the mode from scratch, I would be more comfortable implementing SHA-256 or Blake2 than Poly1305, but that is more about my own experience and competence than about the security of the design. If you pair XChaCha20 with Blake2s then you can save some time by just copying + pasting the ChaCha round function, changing the direction of the rotations and you’re 90% done! :-)

— Neil
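As an added example, not code from this thread or from the miscreant library, here is a stdlib-only Python sketch of the construction discussed above: HMAC-SHA256 as the PRF that produces the synthetic IV, and XChaCha20 (built from a pure-Python RFC 8439 ChaCha20 core plus HChaCha20) keyed by the first 192 bits of that 256-bit tag. The length-prefixed HMAC input standing in for RFC 5297's S2V, the 64-byte key split, and the 32-byte tag layout are assumptions of this sketch, not anything the thread specifies.

```python
import hmac, hashlib, struct

M, CONST = 0xffffffff, struct.unpack("<4I", b"expand 32-byte k")  # 32-bit mask, ChaCha constants

def _qr(s, a, b, c, d):
    # ChaCha quarter round (RFC 8439 section 2.1) as four add / xor / rotate steps.
    for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
        s[x] = (s[x] + s[y]) & M
        s[z] ^= s[x]
        s[z] = ((s[z] << r) | (s[z] >> (32 - r))) & M

def _rounds(state):
    s = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds; callers add the initial state if needed
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(s, *q)
    return s

def chacha20_xor(key, nonce12, data, counter=0):
    # IETF ChaCha20 (RFC 8439 section 2.4): 256-bit key, 32-bit counter, 96-bit nonce.
    words, n = (*CONST, *struct.unpack("<8I", key)), struct.unpack("<3I", nonce12)
    out = bytearray()
    for i in range(0, len(data), 64):
        st = (*words, (counter + i // 64) & M, *n)
        ks = struct.pack("<16I", *[(x + y) & M for x, y in zip(st, _rounds(st))])
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)

def xchacha20_xor(key, nonce24, data):
    # XChaCha20: HChaCha20(key, nonce[:16]) gives a subkey; ChaCha20 then runs with nonce 0^32 || nonce[16:].
    r = _rounds((*CONST, *struct.unpack("<8I", key), *struct.unpack("<4I", nonce24[:16])))
    return chacha20_xor(struct.pack("<8I", *r[:4], *r[12:]), b"\0\0\0\0" + nonce24[16:], data)

def _siv(mac_key, ad, pt):
    # PRF over the (AD, plaintext) pair. A length-prefixed encoding under HMAC-SHA256 stands in
    # for RFC 5297's CMAC-based S2V (an assumption of this sketch); the 256-bit output is the IV / tag.
    msg = struct.pack(">Q", len(ad)) + ad + struct.pack(">Q", len(pt)) + pt
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def siv_encrypt(key64, ad, pt):
    # 64-byte key split as in RFC 5297: first half for the MAC, second half for the cipher.
    iv = _siv(key64[:32], ad, pt)
    return iv + xchacha20_xor(key64[32:], iv[:24], pt)  # nonce = first 192 bits of the tag; no Poly1305 key block to reserve

def siv_decrypt(key64, ad, ct):
    pt = xchacha20_xor(key64[32:], ct[:24], ct[32:])  # decrypt first, then verify the tag over the recovered plaintext
    if not hmac.compare_digest(ct[:32], _siv(key64[:32], ad, pt)):
        raise ValueError("authentication failed")
    return pt
```

Because the IV is a PRF of (AD, plaintext), encrypting the same input twice yields the same ciphertext, and a corrupted tag, body, or AD is rejected on decryption; the ChaCha20 core can be checked against the RFC 8439 section 2.4.2 test vector.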