Re: [Cfrg] new authenticated encryption draft
"John Wilkinson" <wilkjohn@gmail.com> Fri, 15 September 2006 01:37 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GO2dh-0005bX-VG; Thu, 14 Sep 2006 21:37:09 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GO2dh-0005bR-5s for cfrg@ietf.org; Thu, 14 Sep 2006 21:37:09 -0400
Received: from ug-out-1314.google.com ([66.249.92.168]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GO2df-0002MB-Ph for cfrg@ietf.org; Thu, 14 Sep 2006 21:37:09 -0400
Received: by ug-out-1314.google.com with SMTP id 72so107282ugd for <cfrg@ietf.org>; Thu, 14 Sep 2006 18:37:06 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=KnEcWTwUMougObN9osFb8YS/jPXE+dcfH5f/8YEi+2mGmP2+HRhd7DyzbAF0rjVJKgPhjylQj+blKOVEu4aJ3ishlN9gpgj5epoCXz5Kmr1uQl/5qFXUGy6x2HAmbiwF7WW8KZSELoMqXxapfNrFc4IP5XZkT6cCoar/pHd1T4g=
Received: by 10.67.100.17 with SMTP id c17mr5172951ugm; Thu, 14 Sep 2006 18:37:06 -0700 (PDT)
Received: by 10.67.123.15 with HTTP; Thu, 14 Sep 2006 18:37:05 -0700 (PDT)
Message-ID: <f207274d0609141837m28cf6400v7cc1a643275f8beb@mail.gmail.com>
Date: Thu, 14 Sep 2006 21:37:05 -0400
From: John Wilkinson <wilkjohn@gmail.com>
To: cfrg@ietf.org
Subject: Re: [Cfrg] new authenticated encryption draft
In-Reply-To: <1C7CA0AE-3BCC-437B-891F-0D2831BFBFBC@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com> <da7b3ce30608201147u12c0c2f6s61694713e59cfa4a@mail.gmail.com> <p06230910c10e98a55c4c@10.30.1.9> <f207274d0608221905t2797ca6ew2a769dd5d9e3d410@mail.gmail.com> <3D640F53-58F3-4AE4-AEFC-145BBD9BC9A0@cisco.com> <f207274d0609011652m3bb76587xdd6cd9e1d3140e63@mail.gmail.com> <7BA4156B-14B4-4BB1-BEAD-2237F5B3834D@cisco.com> <f207274d0609111132w655f9b7er2e55c20e67973da5@mail.gmail.com> <1C7CA0AE-3BCC-437B-891F-0D2831BFBFBC@cisco.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
David, Can you point me to an existing randomized AEAD specification that might have a more detailed rationale its randomness? I'm having a hard time understanding why this is necessary. It seems to me that almost any device on a network will have some sort of unique identifier associated with it, e.g., a MAC or IP address. This could be used to guarantee a unique nonce as input to the AEAD algorithm. It seems to me that your specification allows two types of AEAD schemes that aren't interchangeable: 1) The deterministic AEAD schemes, which accept as input a nonce, and which have a redundant output--the IV. 2) The randomized AEAD schemes, which accept as input an "IV contribution" (which may be reused), and which have an internal source of randomness which is used to generate the IV, which is then returned to the user. I tend to think that the internal source of randomness required for the second class of schemes will be extremely difficult to design in a portable (between architectures) way. In fact, I can't think of any crypto specifications at this level that assume, as part of the specification, an internal source of randomness. Usually, the randomness is a required input, not an output. How would GCM or EAX or CCM be specified if the algorithms required an internal source of randomness? They would have to reference a particular class of certified hardware random number generators. Personally--and this is only my opinion--I find it much cleaner to separate the specifications of AEAD schemes and sources of randomness. Let all AEAD schemes be specified to be deterministic, and to accept at input a nonce. Let random number generation be handled in another component, that may have to be more machine-specific. I'd like to hear others' opinions on this. -John _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew