IETF Logo Mail Archive

Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04

Andrey Bozhko <andbogc@gmail.com> Mon, 08 April 2024 12:27 UTC

Return-Path: <andbogc@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EBDDC14F6F0 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 05:27:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6DefZkzUSGK for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 05:27:50 -0700 (PDT)
Received: from mail-vs1-xe30.google.com (mail-vs1-xe30.google.com [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC666C14F6ED for <cfrg@irtf.org>; Mon, 8 Apr 2024 05:27:50 -0700 (PDT)
Received: by mail-vs1-xe30.google.com with SMTP id ada2fe7eead31-479c39b78dbso1758778137.2 for <cfrg@irtf.org>; Mon, 08 Apr 2024 05:27:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712579269; x=1713184069; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DjojDBM7xLv5c6vK3OuHgmzSh9yGKc40bz2h+nzC/6o=; b=I+PpC/umgXFRoLJxjqOF4Mf4ph3DehHXslMEcZcyjTBbwRF/1FIcLM25R/KBvww6+K Uah8N8OnIUcbt68oqyu2TghNPrDpaqZleVzTjehbO3FQRFaQbVevNNcWx2sxMyHZ4hH8 JXIaOdSkQsP4G2Q63US2m4BE98X1+XCfxidVr60850NO4TT+Of9/8hN67FfHv7nv6TCO EfyDkrsydazATKQqV+1v7bZGcJ4YuSOIoTBE40Q/Fm4kEcppCJU30IY/3XXI/1J7HXwk ex7CHZ9px3/hZeGLnNGGPKLVvYO0REma+mB+n1WH3nWBVy0gRxs80FN1RKzQc4DZrc/H AnTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712579269; x=1713184069; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DjojDBM7xLv5c6vK3OuHgmzSh9yGKc40bz2h+nzC/6o=; b=aiJt/D8ExlcGPHhRYnnk0dJx9W3e9rkFXgZiv4DsXQXwtx/nOMx9RuSppCUi3UCNcI lolrVPRqjQWrmM3ykeNpdF8pzMpRokfFwoWQTPYUqNHe+QGtRXQ77R1AUf2ugWZSU8zJ 3VUL0B7l/nslU/Nm/RnQ585d39NSB1eqhySvrE9hAglj4Tevg4GxX8zMfEiq8MaHi5L2 jpyguD9UUcu/xTpDUVTcn+CyUeY9pKNdQiAwwnMYnnnMG50udQ679fnEyO/P6rO7ZH1H KW2CqD4SApe17Iwj4zJSEe+aJYGjV6b4Zq7UA3y8vlT2GlpDR0infOhhRx6EklD/0baW UNfw==
X-Gm-Message-State: AOJu0YxB+Y8/WZJTAkTbr1qlhXKzTAaVdkyhtfJ0NuqT3iZjQBe4igOy G5047KjqDVL/S3stfFeyrn87f/reZ4PJJKS0rQNlRcTP+wxok/APy72kjGxhLpmo2kK1pBtEEii gq+qRFr8MGTr+APBQVct0xLwbzHuGJ14iGh2f2A==
X-Google-Smtp-Source: AGHT+IG/DXsEuJmm1hGq53enAAT6ySlunMhlgkB7um1+HO2hvx7c6xXwWhMPGF5M8/KnHG9a4+I5oWuU84S6tOkebMo=
X-Received: by 2002:a05:6102:201a:b0:479:e833:2228 with SMTP id p26-20020a056102201a00b00479e8332228mr4593416vsr.12.1712579269353; Mon, 08 Apr 2024 05:27:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=6_61XHw5=YR1xNWcwX6nD8EpLEpyw9am1LEKgTPirXg@mail.gmail.com> <LV8PR11MB8748ACDDFF9ACD91A034162AA13B2@LV8PR11MB8748.namprd11.prod.outlook.com> <CAMd8_ZoGjZu08Pn4xTyG9fRcHTbunkip9N7b8EHr9v2P4DOTyg@mail.gmail.com> <LV8PR11MB8748230602BFAF47A1986DE6A13A2@LV8PR11MB8748.namprd11.prod.outlook.com> <CAMd8_Zo3HVerks47DikkxMTK=3rT-yCxoJVafGCKAxTcLJEc5Q@mail.gmail.com> <LV8PR11MB87482E1931211ADC91BCBCE6A13D2@LV8PR11MB8748.namprd11.prod.outlook.com>
In-Reply-To: <LV8PR11MB87482E1931211ADC91BCBCE6A13D2@LV8PR11MB8748.namprd11.prod.outlook.com>
From: Andrey Bozhko <andbogc@gmail.com>
Date: Mon, 08 Apr 2024 15:27:38 +0300
Message-ID: <CAMd8_ZroOyeCs=GS6Cedu+GzaOApk-SVE7ibpnLOJLw_8_JgoA@mail.gmail.com>
To: "Tereschenko, Aleksandr V" <aleksandr.v.tereschenko@intel.com>, stephen.farrell@cs.tcd.ie
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000ffea0b061594eead"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U-HJMo5Rm6ioqwNB5yh5iNy-t6M>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 12:27:55 -0000

Hi all,

just for the record, I-D draft version -06 recently published does address
> all my comments


Alexander, thank you for the confirmation. I'm glad to hear that!

Stephen, could you please confirm if the latest version of the draft
addresses your concerns as well? Thank you in advance!

Regards,
Andrey


On Wed, Apr 3, 2024 at 5:49 PM Tereschenko, Aleksandr V <
aleksandr.v.tereschenko@intel.com> wrote:

> (Looks like this email thread got too big for the mail list limitations
> and my reply seems to have been stuck in moderation, let me try a plaintext
> version + Andrey's email directly for robustness. Apologies for any
> duplicates!)
>
>
> Thank you too, and just for the record, I-D draft version -06 recently
> published does address all my comments, great job!
>
> Regards,
> Alexander Tereschenko (he/him)
> Intel Product Assurance and Security (IPAS) Crypto Team
> -------------------------------------------------------------
> Intel Technology Poland sp. z o.o. - ul. Slowackiego 173, 80-298 Gdansk -
> KRS 101882 - NIP 957-07-52-316
>
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------
>
> From: Andrey Bozhko <andbogc@gmail.com>
> Sent: Sunday, March 31, 2024 13:02
> To: Tereschenko, Aleksandr V <aleksandr.v.tereschenko@intel.com>
> Cc: CFRG <cfrg@irtf.org>
> Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
>
> >>> maybe a short note would still be helpful then
>
> Sure! I completely agree with you on that. I'll make the corresponding
> changes and publish the updated version within 1-2 days.
> Thanks for the discussion!
> Regards,
> Andrey
>
> On Sat, 30 Mar 2024 at 01:19 Tereschenko, Aleksandr V <mailto:
> aleksandr.v.tereschenko@intel.com> wrote:
> Thanks Andrey, both make sense to me.
>
> For #1, maybe a short note would still be helpful then, to acknowledge its
> existence and avoid this same question being raised later on (or popping up
> in reader's head)? A condensed version of your clarification below would
> work perfectly I think, e.g., something along the lines of: "There is also
> a well-known weaker notion - Leakage Resilience, but this document makes a
> conscious choice to focus on a stronger Leakage Resistance one, following
> the framework established in [Guo et al., Bellizia et al.], for its better
> practicality and comprehensiveness".
>
> This is just to aim the reader with necessary references, should they need
> to dig deeper (in the spirit of the I-D) + address the potential question
> (which, given the widespread use of the term may be quite natural).
>
> It would also be a nod to what Bellizia et al. mention about that notion:
> "We insist that this observation does not invalidate the interest of the
> leakage-resilience setting: whether (stronger) leakage-resistance or
> (weaker) leakage-resilience is needed depends on application constraints".
>
> Either way, kudos for a nice document!
>
> regards,
> Alexander Tereschenko (he/him)
> Intel Product Assurance and Security (IPAS) Crypto Team
> -------------------------------------------------------------
> Intel Technology Poland sp. z o.o. - ul.
> https://www.google.com/maps/search/Slowackiego+173,+80-298+Gdansk?entry=gmail&source=g
> - KRS 101882 - NIP 957-07-52-316
>
> From: CFRG <mailto:cfrg-bounces@irtf.org> On Behalf Of Andrey Bozhko
> Sent: Friday, March 29, 2024 10:24
> To: Tereschenko, Aleksandr V <mailto:aleksandr.v.tereschenko@intel.com>
> Cc: CFRG <mailto:cfrg@irtf.org>
> Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
>
> Hi Alexander,
>
> Thank you for the review and very interesting comments! Please find some
> answers and explanations below.
>
> 1. I considered adding resilience in the sense of [1] when writing that
> section as well. However, after discussions with reviewers of earlier
> versions, it was decided to only leave resistance following the [2,3] line
> of work. The main reason here was that the framework of [2,3] is better
> developed, allows for comprehensive and intuitive analysis, and is tailored
> for real-life schemes. Another reason is that initial papers in which
> resilience and resistance were introduced consider different leakage models
> (e.g., partial and full leakages). Explaining these differences in the
> draft would have led to introducing confusion rather than reducing it. So,
> it was more or less a weighted decision to focus only on leakage resistance
> in the draft.
>
> 2. Indeed, that would be nice. I will add a corresponding sentence to the
> “Note” paragraph in the mu security section. However, I think it is
> reasonable to only mention indistinguishability as a targeted security
> notion in the “Security notion” paragraph.
>
> [1] Barwell, G., et al., “Authenticated encryption in the face of protocol
> and side channel leakage”, https://eprint.iacr.org/2017/068.pdf
>
> [2] Guo, C., et al., "Authenticated Encryption with Nonce Misuse and
> Physical Leakages: Definitions, Separation Results and Leveled
> Constructions",
> https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8
>
> [3] Bellizia, D., et al., "Mode-Level vs. Implementation-Level Physical
> Security in Symmetric Cryptography: A Practical Guide Through the
> Leakage-Resistance Jungle",
> https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13
>
> Regards,
> Andrey
>
> On Thu, 28 Mar 2024 at 20:26 Tereschenko, Aleksandr V <mailto:
> aleksandr.v.tereschenko@intel.com> wrote:
> Hello everyone,
>
> Apologies for slightly missing the formal RGLC deadline, hopefully this
> feedback is still useful. I've reviewed the draft (version -05 though, but
> replying in this RGLC thread about -04 for continuity) and overall I think
> this is a useful document that is ready for publication. Establishing
> common language for complex things like those security and implementation
> properties is certainly helpful and should lead to fewer mistakes, i.e.,
> better security, so I find the document's primary goal laudable.
>
> I also have a couple of minor comments, listed in no particular order
> below.
>
> 1. Section 4.3.4 mentions leakage resistance without mentioning leakage
> *resilience*, which is a distinct and weaker notion also widely used (e.g.,
> [1] or [2]). Given that, I'd suggest mentioning it as well, by e.g.,
> following the approach used in section 4.3.7. Nonce Misuse and adding
> resilience-related text like "<…> provides security (resilience or
> resistance) <…>" to the main definition, and then definitions of both
> resilience and resistance as sub-items under it.
> 2. Section 4.3.5. Multi-User Security: as shown in the referenced BT16
> paper and as it authors emphasize, there's also a potentially distinct and
> relevant "mu kr" notion in addition to the "mu ind" one, maybe it's worth
> mentioning too? I admit that unlike with the leakage resistance/resilience,
> this distinction does not seem to be widespread in other papers, so just
> wanted to bring that up for consideration, given the emphasis in the paper.
> 3. Typo: "commiting" -> "committing" (Section 4.3.2 "Examples: <…>")
> 4. Typo: "i.e," -> "i.e.," (Section 4.3.8 "Q2 model: <…>")
>
> [1] https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13
> [2] https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8
>
> regards,
> Alexander Tereschenko (he/him)
> Intel Product Assurance and Security (IPAS) Crypto Team
>
> From: CFRG <mailto:cfrg-bounces@irtf.org> On Behalf Of Stanislav V.
> Smyshlyaev
> Sent: Tuesday, March 5, 2024 09:44
> To: CFRG <mailto:cfrg@irtf.org>
> Cc: mailto:cfrg-chairs@ietf.org; mailto:
> draft-irtf-cfrg-aead-properties@ietf.org
> Subject: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
>
> Dear CFRG participants,
>
> This message is starting 3 weeks RGLC on
> draft-irtf-cfrg-aead-properties-04 ("Properties of AEAD Algorithms") that
> will end on March 26th 2024. If you've read the document and think that it
> is ready (or not ready) for publication as an RFC, please send a message in
> reply to this email or directly to CFRG chairs (mailto:
> cfrg-chairs@ietf.org). If you have detailed comments, these would also be
> very helpful at this point.
>
> We've got a review of the draft by Russ Housley (on behalf of the Crypto
> Review Panel):
> https://mailarchive.ietf.org/arch/msg/crypto-panel/aNQc4kc0DFlSPy_ohUttM4QEVXc/
> Russ has confirmed that his comments have been addressed.
>
> Thank you,
> Stanislav, for CFRG chairs
>

v2.23.0 | Report a Bug | By Email