[CFRG] Re: Comments on draft-irtf-cfrg-aead-properties-09.txt
Andrey Bozhko <andbogc@gmail.com> Tue, 04 February 2025 12:44 UTC
From: Andrey Bozhko <andbogc@gmail.com>
Date: Tue, 04 Feb 2025 13:43:54 +0100
To: "MINEMATSU KAZUHIKO(峯松 一彦)" <k-minematsu=40nec.com@dmarc.ietf.org>
CC: "cfrg@irtf.org" <cfrg@irtf.org>, "INOUE AKIKO(井上 明子)" <a_inoue@nec.com>, IWATA Tetsu <iwata.tetsu.f6@f.mail.nagoya-u.ac.jp>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RcJgK81tB1ko4sutpoIWZnHGotY>
Dear Akiko, Tetsu, and Kazuhiko,

Thank you very much for your comments and for sharing your paper—it's an exciting and highly interesting work. Unfortunately, adding (or subdividing) properties won't be possible at this stage, as the list of properties was finalized some time ago, prior to the technical reviews. However, I believe adding clarifications on examples based on your paper and, in particular, correcting the mention of OCB in the Inverse-Free section (many thanks for catching that!) should be possible during the editorial stage when it's the draft's turn in the queue.

Additionally, once the draft is published, I plan to maintain a somewhat extended (and experimental) version on GitHub (https://github.com/AndAlBo/draft-irtf-cfrg-aead-properties) since the field is still actively evolving. I intend to incorporate your comments there in more detail as well. Please feel free to propose any further changes or improvements there.

Once again, thank you for your valuable comments!

Best,
Andrey

On Tue, Feb 4, 2025 at 09:08 MINEMATSU KAZUHIKO(峯松 一彦) <k-minematsu=40nec.com@dmarc.ietf.org> wrote:

> Dear all,
>
> We recently learned about the I-D on AEAD (draft-irtf-cfrg-aead-properties-09) and found it quite relevant in practice. As we published a paper on robustness of common AEs ([IIM25], will appear at CT-RSA 2025), we would like to share our comments on the draft.
>
> In [IIM25], Table 1 provides a comprehensive view on nonce-misuse or RUP security of GCM/CCM/OCB(3), which would be helpful to improve Sections 4.3.7 and 4.3.10 of the draft. Concretely:
>
> 1. Sect 4.3.7, Nonce-misuse resilience confidentiality (NML-Priv in our paper): it holds for GCM but only with 96-bit nonce. This was shown by [ADL17]. Our paper shows that CCM has NML-Priv.
> 2. Sect 4.3.7, Nonce-misuse resistance (NMR in our paper): NMR could be further classified into confidentiality (privacy) and authenticity as the draft did for NML. Then we have two notions, Nonce-misuse resistance confidentiality/privacy (NMR-Priv) and Nonce-misuse resistance authenticity/integrity (NMR-Auth). [IIM25] shows that CCM has NMR-Auth (even stronger; see below).
> 3. Sect 4.3.10: INT-RUP could be classified into the cases where nonce may be repeated or not. We can also consider combined notions such as NMR + INT-RUP. [IIM25] shows that
>    - GCM has plain INT-RUP (i.e. nonce does not repeat in encryption queries)
>    - CCM has NMR-INT-RUP (i.e. nonce may repeat at any query).
>
> As a side note, at Sect 4.4.2 (Inverse-Free), OCB was listed as an example, which is not correct. If you mean an inverse-free OCB-like parallel AE mode, OTR [Min14] would be the right one here. Moreover, COFB [CIMN17], the base scheme of a NIST LwC finalist GIFT-COFB, is an inverse-free serial AE mode enabling smaller state than OCB/OTR.
>
> We hope these comments will help improve the draft.
>
> Best regards,
> Akiko Inoue
> Tetsu Iwata
> Kazuhiko Minematsu
>
> [IIM25] Comprehensive Robustness Analysis of GCM, CCM, and OCB3, Akiko Inoue, Tetsu Iwata and Kazuhiko Minematsu. https://eprint.iacr.org/2024/1339 (to appear at CT-RSA 2025)
>
> [Min14] Parallelizable Rate-1 Authenticated Encryption from Pseudorandom Functions, Kazuhiko Minematsu. EC 2014. https://eprint.iacr.org/2013/628
>
> [CIMN17] Blockcipher-based Authenticated Encryption: How Small Can We Go?, Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi, CHES 2017. https://eprint.iacr.org/2017/649
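The distinction between nonce-misuse resilience (NML-Priv) and nonce-misuse resistance (NMR-Priv) discussed in the thread, as an added illustration that is not part of either message, the draft, or [IIM25]. It assumes a toy hash-based CTR keystream (a constructed stand-in for the AES-CTR confidentiality layer of GCM/CCM) and constructed sample messages, and shows that a repeated nonce gives up the XOR of the two affected plaintexts while a message under a fresh nonce is unaffected, which is all that resilience promises.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream from a hash-based PRF (assumption: stands in for
    # the AES-CTR layer GCM and CCM use for confidentiality). The same
    # (key, nonce) pair always yields the same keystream, which is exactly
    # what makes nonce repetition dangerous for this class of schemes.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def misuse_experiment(key: bytes) -> dict:
    # Constructed sample messages of equal length. m1 and m2 are encrypted
    # under the same nonce (misuse); m3 under a fresh nonce (honest use).
    m1 = b"transfer 100 to account A"
    m2 = b"transfer 900 to account B"
    m3 = b"transfer 500 to account C"
    n_reused, n_fresh = b"\x00" * 12, b"\x01" * 12
    c1 = ctr_encrypt(key, n_reused, m1)
    c2 = ctr_encrypt(key, n_reused, m2)
    c3 = ctr_encrypt(key, n_fresh, m3)
    return {
        # NMR-Priv would require c1 and c2 to hide m1 and m2 despite the
        # shared nonce. A CTR-style layer cannot deliver that: the identical
        # keystream cancels and c1 ^ c2 equals m1 ^ m2.
        "reused_nonce_leaks_xor": xor(c1, c2) == xor(m1, m2),
        # NML-Priv only promises that the fresh-nonce message m3 stays private
        # even though the nonce was misused elsewhere under the same key; its
        # keystream is independent, so no such cancellation occurs against c1.
        "fresh_nonce_leaks_xor": xor(c1, c3) == xor(m1, m3),
    }
```

The toy says nothing about the 96-bit-nonce restriction for GCM or about the authenticity side (NMR-Auth, INT-RUP); those hinge on the tag computation, which this keystream-only model leaves out.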