Re: [Cfrg] Do we need a selection contest for AEAD?
Mihir Bellare <mihir@eng.ucsd.edu> Fri, 19 June 2020 19:12 UTC
Return-Path: <mihir@eng.ucsd.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 011F63A0DB0 for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2020 12:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eng.ucsd.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1gojhbHekQMQ for <cfrg@ietfa.amsl.com>; Fri, 19 Jun 2020 12:12:19 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7903A0DBC for <cfrg@irtf.org>; Fri, 19 Jun 2020 12:12:18 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id dr13so11284972ejc.3 for <cfrg@irtf.org>; Fri, 19 Jun 2020 12:12:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=eng.ucsd.edu; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/0YPbZBGjxCPmWV0X+/MLShw5G9pT0CgKZ9AG9Raf1M=; b=YF9ftzxoWgVBymSgiZNtmucXiL5vTkujyLEVmNnkUizEb0EeqbXTTulfGkgykppYwT nrxjP81qKJepbYdBCeKCLD6i4KZYqLQp7TjWfWFCJs9umLyG6q/UcLNIKU7iXoWx61V/ lH+toS/+S9CQm4X982pZ0P/ToN0oY5tBg5hF0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/0YPbZBGjxCPmWV0X+/MLShw5G9pT0CgKZ9AG9Raf1M=; b=umvbR5gUPQhyLnauNfKwA+el+KXdK1llLIrHWa2jAcjxEOw9ugy9UcF7hdQvx3um/T /ZuFoTnBmRNmxY//4vDXpAVtU9ah7MzmdgM9SxYDNQUXE2bTQ/FycQlHnwz6oNiH/qkD JjkEqEbNZXNVmTJSdAuMBK8BReQnYLjKSJf98dIKw+BEHZPQcthfgGMU/GWYOT/9+KdX cZXjDLznRXI8Bt3yMSEnWfYlbPEw3yCMiRIXFwzWa2eiQZI1He32clWic/CqRq5bnwws IAjXf5Sit7EDMZTwCy1egD4kgUQKnpXfawmQO7hMlh1G2aj+rIuT/hPH6WNstdfC0Bek 7VzQ==
X-Gm-Message-State: AOAM531A8YTkhsdnsQWcE/4HPPOyjAiC5CEx54pm/yWQPOi27xgoM2Zc Ph5wE7QGXkS7K6+rsGzZpip9FlOgNSc1sJPBUNcR5it1bhY=
X-Google-Smtp-Source: ABdhPJweXvNFORH4xWri4wUZz8j92WBcH2+tilpHMp983J66/N3+g6awVIK7IgOwlpvVQgV4H3KXSZU+nP4Aq4wQNYw=
X-Received: by 2002:a17:906:bcf3:: with SMTP id op19mr4939005ejb.208.1592593936894; Fri, 19 Jun 2020 12:12:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
In-Reply-To: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
From: Mihir Bellare <mihir@eng.ucsd.edu>
Date: Fri, 19 Jun 2020 12:11:40 -0700
Message-ID: <CACEhwkR5nyjZ8kEdDkDSTj06cQd5JTgzMurMpbWU7naB5Hm32g@mail.gmail.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e16cb605a874abaa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Vl0UTdbXwE7N0xirJMwyrgb0Ozo>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2020 19:12:21 -0000
With regard to requirements for the mode, I would suggest to also consider adding nonce hiding. AEAD is understood as providing message privacy for any choices of nonces, as long as they don't repeat. (Ignoring the nonce-misuse aspect, which is orthogonal to what follows.) But, as pointed out in [BNT19] <https://eprint.iacr.org/2019/624>, this isn't really true. There are choices of non-repeating nonces that, if transmitted with the ciphertext as necessary to allow decryption, compromise message privacy. This does not contradict the AEAD definition, because the syntax of the latter gives the decryptor the nonce and leaves the implementer to ensure it gets there. Nonce hiding AE (which has a modified syntax and security definition, as per the above paper) fills this gap. This problem does not arise with random nonces. But the promise of AEAD was to provide privacy with arbitrary nonces. A standard should either do this fully (nonce hiding) or come with restrictions to only use, say, random nonces. Nonce hiding is also of interest for anonymity and meta-data privacy. With regular AEAD, nonces that are sequence numbers can (if visible to the adversary) reveal information, as pointed out by Bernstein <https://groups.google.com/g/crypto-competitions/c/n5ECGwYr6Vk/m/bsEfPWqSAU4J> and CHAE <https://chae.cr.yp.to/whitepaper.html>. This is prevented in part by nonce hiding. For such reasons, nonce hiding is targeted in the AE mode of QUIC. Mihir On Fri, Jun 19, 2020 at 10:32 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote: > Dear CFRG, > > The chairs would like to ask for opinions whether it seems reasonable to > initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes > and recommend a mode (or several modes) for the IETF. > > We’ve recently had a CAESAR contest, and, of course, its results have to > be taken into account very seriously. In addition to the properties that > were primarily addressed during the CAESAR contest (like protection against > side-channel attacks, authenticity/limited privacy damage in case of nonce > misuse or release of unverified plaintexts, robustness in such scenarios as > huge amounts of data), the following properties may be especially important > for the usage of AEAD mechanisms in IETF protocols: > 1) Leakage resistance. > 2) Incremental AEAD. > 3) Commitment AEAD (we've had a discussion in the list a while ago). > 4) RUP-security (it was discussed in the CAESAR contest, but the finalists > may have some issues with it, as far as I understand). > 5) Ability to safely encrypt a larger maximum number of bytes per key > (discussed in QUIC WG).. > > Does this look reasonable? > Any thoughts about the possible aims of the contest? > Any other requirements for the mode? > > Regards, > Stanislav, Alexey, Nick > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] Do we need a selection contest for AEAD? Stanislav V. Smyshlyaev
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Mihir Bellare
- Re: [Cfrg] Do we need a selection contest for AEA… Eric Rescorla
- Re: [Cfrg] Do we need a selection contest for AEA… Daniel Franke
- Re: [Cfrg] Do we need a selection contest for AEA… Wasa Bee
- Re: [Cfrg] Do we need a selection contest for AEA… Martin Thomson
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Paul Grubbs
- Re: [Cfrg] Do we need a selection contest for AEA… Yevgeniy Dodis
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… Mridul Nandi
- Re: [Cfrg] Do we need a selection contest for AEA… Thomas Peyrin
- Re: [Cfrg] Do we need a selection contest for AEA… Mihir Bellare
- Re: [Cfrg] Do we need a selection contest for AEA… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… David McGrew (mcgrew)
- Re: [Cfrg] Do we need a selection contest for AEA… Jim Schaad
- Re: [Cfrg] Do we need a selection contest for AEA… Martin Thomson
- Re: [Cfrg] Do we need a selection contest for AEA… Stephen Farrell
- Re: [Cfrg] Do we need a selection contest for AEA… Jim Schaad
- Re: [Cfrg] Do we need a selection contest for AEA… Michael StJohns