Re: [Cfrg] RFCs for wider-block RC6 and OCB
"David McGrew (mcgrew)" <mcgrew@cisco.com> Thu, 18 October 2018 17:01 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE22A12F1A2 for <cfrg@ietfa.amsl.com>; Thu, 18 Oct 2018 10:01:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.565
X-Spam-Level:
X-Spam-Status: No, score=-14.565 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8StIAy6N8MR for <cfrg@ietfa.amsl.com>; Thu, 18 Oct 2018 10:01:23 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77C4E128CE4 for <cfrg@ietf.org>; Thu, 18 Oct 2018 10:01:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8290; q=dns/txt; s=iport; t=1539882083; x=1541091683; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=jSLlO8ZilguJh9RUOeGA9O8a4WafppyuWTTTkEDDEUY=; b=XKRO0Myu30Hnm5NCZd3NV0CQWaIxt2mYzcOIfjGsiMH3C8rJSqVpYDLi WWTL/EE93Uhlgheif7GdV3aGbosFHxj0ZtUC+H2ljY4tRgs3H6ZdaXmyb +UgvHLJbL4ohY6lxI6X9gfMcIcZaSckG6eb0xxV2VMlaiWTumTugTLlsE g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAACnu8hb/4gNJK1kDgsBAQEBAQEBAQEBAQEHAQEBAQEBgVEEAQEBAQELAYFVBSpmfygKg2uIF4wbgWglepYVFIFmCwEBGAuESQIXhGwhNA0NAQMBAQIBAQJtHAyFOQEBAQEBAgEBDBURMQkLDAQCAQgRAwECAQICJgICAiULFQgIAgQOBRSCQUsBggEPpl2BLoQ+Pz2EYgWBC4Q3hDkfgRUeF4IAgREnDBOCFwcugxsBAQECAYEhBCAYF4JsMYImAoY5glqLG4oKCQKGWYYwg1wXimuFPIxMiVECERSBJh04gVVwFTsqAYJBgiMahiCCO4UEOm+KHoEfAQE
X-IronPort-AV: E=Sophos;i="5.54,397,1534809600"; d="scan'208";a="187998845"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2018 17:01:22 +0000
Received: from XCH-ALN-003.cisco.com (xch-aln-003.cisco.com [173.36.7.13]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id w9IH1MZM029464 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Oct 2018 17:01:22 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-ALN-003.cisco.com (173.36.7.13) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 18 Oct 2018 12:01:21 -0500
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1395.000; Thu, 18 Oct 2018 12:01:21 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] RFCs for wider-block RC6 and OCB
Thread-Index: AQHUZVj9mIj2A7KqRkqyJIg5fBWb6aUkVNqAgADg9oCAAFLkAP//xcCA
Date: Thu, 18 Oct 2018 17:01:21 +0000
Message-ID: <99160401-33C3-420F-840C-500F22395B5E@cisco.com>
References: <E617CD1F-AD92-42CA-B054-5CFD20AF4A6E@krovetz.net> <5ADB017E-5D48-48C9-92CB-445B7294D652@rhul.ac.uk> <855AD21F-85D0-400C-BE07-1ED585C98530@cisco.com> <FEBCC9C0-11D2-411E-B150-CCBE28886B8C@ll.mit.edu>
In-Reply-To: <FEBCC9C0-11D2-411E-B150-CCBE28886B8C@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.155.84.214]
Content-Type: text/plain; charset="utf-8"
Content-ID: <3C0C7C685F63174E8A3432CE732C271C@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.13, xch-aln-003.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ZbFmepeRY9qmDGgGcz0CkrmTTVg>
Subject: Re: [Cfrg] RFCs for wider-block RC6 and OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2018 17:01:26 -0000
Hi Uri, On 10/18/18, 12:29 PM, "Cfrg on behalf of Blumenthal, Uri - 0553 - MITLL" <cfrg-bounces@irtf.org on behalf of uri@ll.mit.edu> wrote: >Smaller block sizes are easier to deal with in austere systems (memory, performance, etc.), whose concerns are only tactical. I see two issues here. First, what implementation advantages do small blocks have on rc5/rc6 on austere systems; is there an implementation study that quantifies those advantages? Second, do we think that the implementers in those scenarios would understand and respect the block count limits? We live in an era where people who use a 64-bit block cipher in an internet protocol without understanding the birthday bound can end up getting unwanted publicity like https://sweet32.info/SWEET32_CCS16.pdf. We should strongly discourage the use of small block ciphers for general internet scenarios. As a research direction, small block ciphers used with beyond-the-birthday-bound modes of operation could be interesting, but that’s a tangent. > >Fire general use, 128-bit block seems a good balance. > >There are apps where larger block size is desired, e.g., for reasons you outlined. Sure, but for an RFC, these should be documented. Best David > >IMHO, the "Internet community" that is comprised of many diverse communities with different use cases and needs, would definitely benefit from adoption of this draft. > >Regards, >Uri > >Sent from my iPhone > >> On Oct 18, 2018, at 10:33, David McGrew (mcgrew) <mcgrew@cisco.com> wrote: >> >> Hi Ted (and Kenny), >> >> This is an interesting research direction, though it is not yet entirely clear how the internet community would benefit from its adoption. I have some questions and comments that are focused on usage. >> >> What is the rationale for larger-block OCB? Is it intended to improve security against cryptanalytic attacks in scenarios where other AEADs are currently used? Or to allow each individual key to be used to encrypt a much larger volume of data? The security considerations in ocb-wideblock says "a given key should be used to encrypt at most 2^(BLOCKLEN/2-16) blocks”, so actual guidance is consistent with the latter rationale. What are the scenarios where AEAD needs to encrypt more than 2^52 bytes with a single key, and thus BLOCKLEN > 128 is needed? In communication security, we change keys more often than that because we can and because keys can be compromised through side channels and system security issues. I would guess that file/data encryption scenarios are the intended target, and if that’s right, it would be worth some discussion. >> >> The ocb-wideblock draft could call out the security benefits of larger block sizes more strongly, and could change the security considerations in a way that moves users away from the birthday bound. >> >> I’m confident in the security analysis behind the ocb-wideblock draft, but the security of an RC5/RC6 instantiation of that mode depends crucially on the ability of those ciphers to look like a PRP as their block size gets larger. The security considerations of the rc5/rc6 draft does touch on this, saying that "Each doubling of w should increase the number of rounds by four”, but it does not cite any cryptanalysis of those ciphers with larger block sizes, other than the work of the cipher design team, unless I’m missing something. While that design team has a sterling reputation, independent analysis is important. The RC6 cryptanalysis literature from the time of the AES competition was focused on a 128-bit block size. The draft ought to cite a more detailed justification for the security of wider-block rc5/rc6. >> >> I am totally missing the rationale for using *smaller* block sizes, and I think they should be removed from the draft, unless there is some compelling use case that they are targeting. In that event, the use of smaller block sizes should be restricted by strong guidance. >> >> best >> >> David >> >> >>> On 10/17/18, 6:07 PM, "Cfrg on behalf of Paterson, Kenny" <cfrg-bounces@irtf.org on behalf of Kenny.Paterson@rhul.ac.uk> wrote: >>> >>> Dear Ted, >>> >>> Thanks for bringing this ID to CFRG's attention. >>> >>> The chairs would like to encourage people to continue to express their views on whether CFRG should adopt this ID as a CFRG work item or not. People can do that on-list or privately to the chairs if they prefer. >>> >>> Thanks, >>> >>> Kenny (for the chairs) >>> >>> >>> -----Original Message----- >>> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Ted Krovetz <ted@krovetz.net> >>> Date: Tuesday, 16 October 2018 at 15:03 >>> To: "cfrg@ietf.org" <cfrg@ietf.org> >>> Subject: [Cfrg] RFCs for wider-block RC6 and OCB >>> >>> Hello, >>> >>> About six months ago I put together an Internet-Draft that specified how to use the authenticated-encryption algorithm OCB and a block cipher without 128-bit blocks. This was in response to a few researchers and developers who had expressed interest in such a thing. As an exemplar I wrote RC6 (and RC5) code and an Internet-Draft for block lengths other than originally intended. >>> >>> https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/ >>> https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/ >>> >>> My question for CFRG is whether I should pursue these RFCs through the Independent submission channel, or whether there is interest within CFRG to review and/or sponsor the drafts. >>> >>> Thank you, >>> Ted Krovetz >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org >>> https://www.irtf.org/mailman/listinfo/cfrg >>> >>> >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org >>> https://www.irtf.org/mailman/listinfo/cfrg >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] RFCs for wider-block RC6 and OCB Ted Krovetz
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Pierre Karpman
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Paterson, Kenny
- Re: [Cfrg] RFCs for wider-block RC6 and OCB David McGrew (mcgrew)
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RFCs for wider-block RC6 and OCB David McGrew (mcgrew)
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Ted Krovetz