IETF Logo Mail Archive

Re: [Cfrg] Do we need a selection contest for AEAD?

Mihir Bellare <mihir@eng.ucsd.edu> Fri, 19 June 2020 19:12 UTC

Return-Path: <mihir@eng.ucsd.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 011F63A0DB0 for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2020 12:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eng.ucsd.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gojhbHekQMQ for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2020 12:12:19 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7903A0DBC for <cfrg@irtf.org>; Fri, 19 Jun 2020 12:12:18 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id dr13so11284972ejc.3 for <cfrg@irtf.org>; Fri, 19 Jun 2020 12:12:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eng.ucsd.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/0YPbZBGjxCPmWV0X+/MLShw5G9pT0CgKZ9AG9Raf1M=; b=YF9ftzxoWgVBymSgiZNtmucXiL5vTkujyLEVmNnkUizEb0EeqbXTTulfGkgykppYwT nrxjP81qKJepbYdBCeKCLD6i4KZYqLQp7TjWfWFCJs9umLyG6q/UcLNIKU7iXoWx61V/ lH+toS/+S9CQm4X982pZ0P/ToN0oY5tBg5hF0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/0YPbZBGjxCPmWV0X+/MLShw5G9pT0CgKZ9AG9Raf1M=; b=umvbR5gUPQhyLnauNfKwA+el+KXdK1llLIrHWa2jAcjxEOw9ugy9UcF7hdQvx3um/T /ZuFoTnBmRNmxY//4vDXpAVtU9ah7MzmdgM9SxYDNQUXE2bTQ/FycQlHnwz6oNiH/qkD JjkEqEbNZXNVmTJSdAuMBK8BReQnYLjKSJf98dIKw+BEHZPQcthfgGMU/GWYOT/9+KdX cZXjDLznRXI8Bt3yMSEnWfYlbPEw3yCMiRIXFwzWa2eiQZI1He32clWic/CqRq5bnwws IAjXf5Sit7EDMZTwCy1egD4kgUQKnpXfawmQO7hMlh1G2aj+rIuT/hPH6WNstdfC0Bek 7VzQ==
X-Gm-Message-State: AOAM531A8YTkhsdnsQWcE/4HPPOyjAiC5CEx54pm/yWQPOi27xgoM2Zc Ph5wE7QGXkS7K6+rsGzZpip9FlOgNSc1sJPBUNcR5it1bhY=
X-Google-Smtp-Source: ABdhPJweXvNFORH4xWri4wUZz8j92WBcH2+tilpHMp983J66/N3+g6awVIK7IgOwlpvVQgV4H3KXSZU+nP4Aq4wQNYw=
X-Received: by 2002:a17:906:bcf3:: with SMTP id op19mr4939005ejb.208.1592593936894; Fri, 19 Jun 2020 12:12:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
In-Reply-To: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
From: Mihir Bellare <mihir@eng.ucsd.edu>
Date: Fri, 19 Jun 2020 12:11:40 -0700
Message-ID: <CACEhwkR5nyjZ8kEdDkDSTj06cQd5JTgzMurMpbWU7naB5Hm32g@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e16cb605a874abaa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Vl0UTdbXwE7N0xirJMwyrgb0Ozo>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2020 19:12:21 -0000

With regard to requirements for the mode, I would suggest to also consider
adding nonce hiding.

AEAD is understood as providing message privacy for any choices of nonces,
as long as they don't repeat. (Ignoring the nonce-misuse aspect, which is
orthogonal to what follows.) But, as pointed out in [BNT19]
<https://eprint.iacr.org/2019/624>, this isn't really true. There are
choices of non-repeating nonces that, if transmitted with the ciphertext as
necessary to allow decryption, compromise message privacy. This does not
contradict the AEAD definition, because the syntax of the latter gives the
decryptor the nonce and leaves the implementer to ensure it gets there.
Nonce hiding AE (which has a modified syntax and security definition, as
per the above paper) fills this gap.

This problem does not arise with random nonces. But the promise of AEAD was
to provide privacy with arbitrary nonces. A standard should either do this
fully (nonce hiding) or come with restrictions to only use, say, random
nonces.

Nonce hiding is also of interest for anonymity and meta-data privacy. With
regular AEAD, nonces that are sequence numbers can (if visible to the
adversary) reveal information, as pointed out by Bernstein
<https://groups.google.com/g/crypto-competitions/c/n5ECGwYr6Vk/m/bsEfPWqSAU4J>
and
CHAE <https://chae.cr.yp.to/whitepaper.html>. This is prevented in part by
nonce hiding.

For such reasons, nonce hiding is targeted in the AE mode of QUIC.

Mihir

On Fri, Jun 19, 2020 at 10:32 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com>
wrote:

> Dear CFRG,
>
> The chairs would like to ask for opinions whether it seems reasonable to
> initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes
> and recommend a mode (or several modes) for the IETF.
>
> We’ve recently had a CAESAR contest, and, of course, its results have to
> be taken into account very seriously. In addition to the properties that
> were primarily addressed during the CAESAR contest (like protection against
> side-channel attacks, authenticity/limited privacy damage in case of nonce
> misuse or release of unverified plaintexts, robustness in such scenarios as
> huge amounts of data), the following properties may be especially important
> for the usage of AEAD mechanisms in IETF protocols:
> 1) Leakage resistance.
> 2) Incremental AEAD.
> 3) Commitment AEAD (we've had a discussion in the list a while ago).
> 4) RUP-security (it was discussed in the CAESAR contest, but the finalists
> may have some issues with it, as far as I understand).
> 5) Ability to safely encrypt a larger maximum number of bytes per key
> (discussed in QUIC WG)..
>
> Does this look reasonable?
> Any thoughts about the possible aims of the contest?
> Any other requirements for the mode?
>
> Regards,
> Stanislav, Alexey, Nick
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email