Re: [Cfrg] new authenticated encryption draft
daw@cs.berkeley.edu (David Wagner) Tue, 29 August 2006 08:21 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHyqS-0005Tg-0U; Tue, 29 Aug 2006 04:21:16 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GHyqP-0005TW-SC for cfrg@ietf.org; Tue, 29 Aug 2006 04:21:13 -0400
Received: from taverner.cs.berkeley.edu ([128.32.168.222]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GHyqO-0004Tv-Dp for cfrg@ietf.org; Tue, 29 Aug 2006 04:21:13 -0400
Received: from taverner.cs.berkeley.edu (localhost.localdomain [127.0.0.1]) by taverner.cs.berkeley.edu (8.13.7/8.13.7) with ESMTP id k7T8KqFB006836 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <cfrg@ietf.org>; Tue, 29 Aug 2006 01:20:53 -0700
Received: (from news@localhost) by taverner.cs.berkeley.edu (8.13.7/8.13.7/Submit) id k7T8KqA5006835 for cfrg@ietf.org; Tue, 29 Aug 2006 01:20:52 -0700
To: cfrg@ietf.org
Path: not-for-mail
From: daw@cs.berkeley.edu
Newsgroups: isaac.lists.ietf-cfrg
Subject: Re: [Cfrg] new authenticated encryption draft
Date: Tue, 29 Aug 2006 08:20:52 +0000
Organization: University of California, Berkeley
Lines: 93
Message-ID: <ed0td4$5l7$1@taverner.cs.berkeley.edu>
References: <74A5A0C3-8E6E-47B4-A67B-C51ED97B2897@mindspring.com>
NNTP-Posting-Host: taverner.cs.berkeley.edu
X-Trace: taverner.cs.berkeley.edu 1156839652 5799 128.32.168.222 (29 Aug 2006 08:20:52 GMT)
X-Complaints-To: news@taverner.cs.berkeley.edu
NNTP-Posting-Date: Tue, 29 Aug 2006 08:20:52 +0000 (UTC)
X-Newsreader: trn 4.0-test76 (Apr 2, 2001)
Originator: daw@taverner.cs.berkeley.edu (David Wagner)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b5d20af10c334b36874c0264b10f59f1
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
David A. McGrew wrote: >Authenticated Encryption (draft-mcgrew-auth-enc-00.txt) This looks like a useful document. Thanks for putting this together. Here are a slew of minor comments: Saying that the IV is generated by the AEAD algorithm seems a little unusual. Many AEAD algorithms permit the application to provide a nonce to the AEAD algorithm, which is used for encryption (and for decryption). This might be more flexible, because it allows the nonce to be meaningful to the application in some special cases. For instance, you can use nonce = sector number for disk encryption (well, not actually, because disk encryption has to be length-preserving, but you get the idea). It could also fit into your framework, as a case of an AEAD algorithm where the IV is taken to be exactly the IV contribution, and where the mode documents that IV contributions must not repeat. Perhaps this is what you are trying to address with your "IV contribution"? I prefer to use the term "nonce" when the only requirement is that nonces must not repeat. I tend to use "IV" when there are stricter requirements (such as that IVs be uniformly random and unpredictable). You don't use the term "AEAD" consistently. In one place, you say that an AEAD algorithm has two operations, encryption and decryption. In some other places, you seem to use AEAD to refer solely to the encryption operation, and AAD for the decryption operation. Be consistent. One option is to always use AEAD vs AAD to refer to encryption vs decryption. Alternatively, when you are referring to just the encryption operation, use "AEAD encryption algorithm" instead of just "AEAD algorithm". (For instance, when you say the IV is an output of the AEAD algorithm, you might mean that it is an output of the AEAD encryption algorithm -- obviously, it is not an output of the decryption algorithm, but rather an input). By your definitions, no secure stateless AEAD algorithm can be deterministic, because the IV has to have some randomness in it. Did you perhaps mean that deterministic means the ciphertext output of the encryption algorithm is a deterministic function of the inputs and of the IV generated, or did you actually mean what you write? I don't know why you require that the IV contribution be included "verbatim" in the IV. (I don't even know what the word "verbatim" means, precisely.) This seems like a peculiar requirement with no purpose that I can discern. Your document doesn't state any requirements on the IV contribution. Therefore, you should say that the mode specification must specify any requirements on the IV contribution (e.g., that it be non-repeating) that an application is required to abide by. I don't think it's wise to vary the length of the authentication tag separately for each packet. The tag length should be bound to the key and should never change for the lifetime of the key. I don't think you should be saying that the IV is authenticated internally to the algorithm. The receiver should only be looking at the decrypted plaintext and the authenticated data; higher layers at the receiving side should not be looking at the IV. Thus, I'm not sure in what sense one can say that the IV is authenticated. Standard security definitions promise nothing about that. Moreover, you should not be promising that the decryption operation will detect incorrect IV values, because that is not necessarily guaranteed by standard security definitions (for instance, imagine if the last bit of the IV is ignored by both the encryption and decryption operation; then an attacker who flips that last bit while the IV is in transit will go undetected, but no harm will be done). It is, however, accurate to say that no security failure results when the decryption operation is provided with an incorrect IV, as long as you define "security failure" to mean that the decryption operation returns some plaintext as valid (without FAILing) when that plaintext was never processed by the encryption operation. I think you mean the IV may be transported along with the ciphertext (not "plaintext"). I think the sentence "The entire IV need not be transmitted; it is sufficient to provide the receiver with enough information to allow the IV to be reconstructed." is confusing. You are describing two algorithms. It is enough to say that the IV output by the encryption operation must be provided as input to the decryption operation. The question of how it is provided to the decryption operation is up to the lower layers (or to the application, depending on how you look at it), but that question is 'none of your business' (i.e., it is irrelevant to an AEAD spec). The first paragraph of Section 3 looks like a repeat of things already stated earlier. Skip it? Is there any value in defining a generic composition, like AEAD_AES_128_HMAC_SHA1, except that it uses AES-CMAC instead of SHA1-HMAC? This would be for systems that have AES but don't want to implement SHA1 (e.g., embedded systems; hardware). -- David _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft Greg Rose
- Re: [Cfrg] new authenticated encryption draft Ted Krovetz
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Scott Fluhrer
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Hal Finney
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David Wagner
- RE: [Cfrg] new authenticated encryption draft Santosh Chokhani
- Re: [Cfrg] new authenticated encryption draft Ken Raeburn
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- RE: [Cfrg] new authenticated encryption draft Blumenthal, Uri
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft D. J. Bernstein
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- RE: [Cfrg] new authenticated encryption draft Doug Whiting
- Re: [Cfrg] new authenticated encryption draft Steven M. Bellovin
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- RE: [Cfrg] new authenticated encryption draft Tom Shrimpton
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft John Wilkinson
- Re: [Cfrg] new authenticated encryption draft Phillip Rogaway
- Re: [Cfrg] new authenticated encryption draft David A. McGrew
- Re: [Cfrg] new authenticated encryption draft David McGrew
- [Cfrg] AES-based key derivation David McGrew