Re: [Cfrg] ISE seeks help with some crypto drafts

mcgrew <mcgrew@cisco.com> Mon, 08 April 2019 21:59 UTC

Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3477120052 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2019 14:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rf_3mCeJF3HV for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2019 14:59:26 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E948120073 for <cfrg@irtf.org>; Mon, 8 Apr 2019 14:59:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33590; q=dns/txt; s=iport; t=1554760766; x=1555970366; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=IpnLAEaChJ4+Isi8qmFeo5/TbYeh/quf28cZOExOIHU=; b=OCjxgQ29Hp46t1zPnmDxFRHeFh9lZMH9tGUAMFV7XbMFD2cFwbHcRz/q Ybrz9XYr6Ko/lLvdAfiXTlEVggAfFfn2LkOyEIhwni8DMmhPuMGlCsWGa PC/ay0NhPQy9/QMN4gOnn0AWP7+ioVEEHfcrpRNuWBgkUWmOz40BlfrS/ Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AZAACqw6tc/4sNJK1lDgwBAQEBAQI?= =?us-ascii?q?BAQEBBwIBAQEBgVQCAQEBAQsBgQ6BAmhRMicKhASTPIINfpdcgWMEDgEBGAE?= =?us-ascii?q?MgxCBNwKFZSI3Bg0BAQMBAQkBAgECbRwMhUoBAQEDAQEBIUsGBQULCQIJDyA?= =?us-ascii?q?BBgMCAicfEQYOBYMiAYFtCA+SDJtlgS+ERQMPL0CEYQWBMAGEXIUmgUQXgT9?= =?us-ascii?q?AgREnH4FOSQcuPoJhAQECAQGBKgESAVWCVDGCJgOKUYJChjeFV4xlCYNOhDW?= =?us-ascii?q?MABqCBYYWiViCaYxthQiKaYJzAhEVgWUiZV0MCHAVOyoBgg0BMz6BKDAXg0y?= =?us-ascii?q?FFIUEVyMBATEBji2BHwGBHwEB?=
X-IronPort-AV: E=Sophos;i="5.60,326,1549929600"; d="scan'208,217";a="459736476"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 08 Apr 2019 21:59:24 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x38LxNiV018590 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 8 Apr 2019 21:59:23 GMT
Received: from rtp-mcgrew-nitro2.cisco.com (10.117.145.147) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 8 Apr 2019 16:59:22 -0500
From: mcgrew <mcgrew@cisco.com>
Message-ID: <168CCCFD-0A5D-4A12-958B-9ADB5B11B83C@cisco.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7ABF367D-DE4E-4D43-9700-16C9BCD41E3F"
MIME-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Mon, 8 Apr 2019 17:59:10 -0400
In-Reply-To: <5DCA3352-8546-4124-AAF6-E0C2E3362AD3@ll.mit.edu>
CC: "<sec-ads@ietf.org>" <sec-ads@ietf.org>, cfrg <cfrg@irtf.org>, "secdir@ietf.org" <secdir@ietf.org>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com> <CABcZeBNxgUsWpgWkUQPVrnaKYRCZud1LvkvQgt_5KX7ZhQ3sSQ@mail.gmail.com> <35FC8AD5-BF45-4C3E-A0A8-0EA426970DEA@ll.mit.edu> <3D2D9C29-6FBB-45F5-ABA8-C52D3583C273@cisco.com> <5DCA3352-8546-4124-AAF6-E0C2E3362AD3@ll.mit.edu>
X-Mailer: Apple Mail (2.3445.104.8)
X-Originating-IP: [10.117.145.147]
X-ClientProxiedBy: xch-rcd-010.cisco.com (173.37.102.20) To XCH-ALN-004.cisco.com (173.36.7.14)
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TT3BDVgh5NgNmSRbkb2tpNHAEEY>
Subject: Re: [Cfrg] ISE seeks help with some crypto drafts
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 21:59:30 -0000

Hi Uri,

Please see inline:

> On Apr 8, 2019, at 5:38 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> 
> Hi Uri,
> 
> 
>> On Apr 8, 2019, at 8:30 AM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu <mailto:uri@ll.mit.edu>> wrote:
>>  
>> Well, we *are* interested in OCB and ciphers with block size != 128 bits, even if we won't necessarily document our use in another RFC.
>  
> The draft on OCB with general block size needs more usage guidance, as I discussed with Ted and you when the drafts were first discussed last year (please see https://cfrg.irtf.narkive.com/QRDFp12y/rfcs-for-wider-block-rc6-and-ocb#post5 <https://cfrg.irtf.narkive.com/QRDFp12y/rfcs-for-wider-block-rc6-and-ocb#post5>).   
>  
> Yes I remember. I will remind Ted.
>  
> It is really important that an RFC provide strong guidance to users, as their target audience is implementers and users that might not understand the security ramifications.  
>  
> Yes I agree with your point here. 
>  
> I am not opposed to publishing this draft, 
>  
> Thanks
>  
> but I see it as a critical next step to fully document the interest that you mention, either in draft-krovetz-ocb-wideblock or in a document that can be referenced by that one, along with usage guidance on when it is a good idea to do AEAD with a wide block cipher or a small block cipher.
>  
> I think it would not be proper to document *my* interest. What IMHO would be good is documenting use cases, benefits and caveats of using blocks wider and shorter than 128 bits.
>  
> The general block size draft would be more appealing if it could be tied to a w != 128 cipher that has withstood significant significant cryptanalysis.   
>  
> Shorter blocks are for special applications only (or for classroom exercises).

OCB with a w < 128 bit block cipher is a authenticated encryption mechanism, not a length-preserving cipher, so I don’t understand what special applications there are.  

Classroom exercise don’t need an RFC.  If there is no real-world use case where we would recommend that someone use OCB with a w < 128 bit block cipher, then we shouldn’t include that option in an RFC.   

> Longer blocks weren’t 
>  

Essentially the same issue arises with w > 128; what block ciphers have seen enough cryptanalytic scrutiny at that width such that we would feel good recommending their use in some situations?   

Thanks

David

> For smaller block sizes, this could be one of the modern 64-bit ciphers like PRESENT, SIMON, or SPECK, though I don’t think we should be promoting the use of 64-bit modes of operation for general-purpose use.   
>  
> When AES-NI is in most every moderately large CPU? Nah, I’m not suggesting that we promote *general-purpose* use of 64-bit blocks. As I said, special applications only. In general, “you cannot get fired for selecting 128-bit block AES (and in my case – with 256-bit key)”. 😉
>  
> For implementation environments where a 64-bit cipher fits better than AES, it would be really attractive to use an AEAD mode that is secure beyond the birthday bound, as a way to compensate for the significant security degradation due to short blocks.   It would be great if we could leverage whatever interest there is in small block ciphers into some momentum towards higher-security modes of operation.  
>  
> That I’d need to discuss with Phil and Ted. I did not consider wide/generic use of short blocks.
>  
> It looks like the drafts haven’t been updated since they were first posted, though Ted expressed a willingness to update them.
>  
> I’ll need to get hold of Ted. Somehow his email eludes me right now (thanks, IT, for restoring only part of my email folders after the crash).
>  
> Thanks!
>  
>  
>>  
>> Thus, I see your point but disagree with it's apparent conclusion. IMHO the OCB draft should be published. 
>>  
>> Not sure about RC{5,6} - not my cup of tea.
>> 
>> Regards, 
>> Uri
>>  
>> Sent from my iPhone
>> 
>> On Apr 8, 2019, at 08:21, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>> 
>>> These drafts seem quite low value to publish:
>>>  
>>> The existing OCB document [RFC 7253] is cited by exactly zero RFCs (https://datatracker.ietf.org/doc/rfc7253/referencedby/ <https://datatracker.ietf.org/doc/rfc7253/referencedby/>), so having a specification for ciphers with block size != 128 seems of particularly low value. 
>>>  
>>> The existing RC5 document [RFC 2040] has 6 RFC-level citations, but as far as I know, RC5 has practically no usage in IETF protocols. AFAICT, RC6 isn't even specified in an RFC. Thus, test vectors for these algorithms don't seem that interesting.
>>>  
>>> -Ekr
>>>  
>>>  
>>>  
>>>  
>>>  
>>> On Fri, Mar 8, 2019 at 9:20 AM RFC ISE (Adrian Farrel) <rfc-ise@rfc-editor.org <mailto:rfc-ise@rfc-editor.org>> wrote:
>>>> Hi CFRG and SecDir,
>>>> 
>>>> Ted Krovetz has asked for publication of ...
>>>> 
>>>> https://datatracker.ietf..org/doc/draft-krovetz-ocb-wideblock/ <https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/>
>>>> ....and...
>>>> https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/ <https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/>
>>>> 
>>>> ....in the Independent Stream.
>>>> 
>>>> These are both currently in expired state, but available in the archive.
>>>> 
>>>> At this stage I am looking to know whether anyone feels that publication
>>>> would be a bad thing:
>>>> - at this stage
>>>> - ever
>>>> 
>>>> Please send me your opinions direct (I am not subscribed to this list, but
>>>> will check the archives).
>>>> 
>>>> Please also let me know if you would be willing to be a detailed reviewer
>>>> of this work.
>>>> 
>>>> Thanks,
>>>> Adrian
>>>> -- 
>>>> Adrian Farrel (ISE),
>>>> rfc-ise@rfc-editor.org <mailto:rfc-ise@rfc-editor.org>_______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>>> https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> https://www.irtf.org/mailman/listinfo/cfrg <https://www.irtf.org/mailman/listinfo/cfrg>