Re: [Cfrg] ISE seeks help with some crypto drafts

Dan Brown <danibrown@blackberry.com> Fri, 08 March 2019 22:31 UTC

Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFFB127876 for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 14:31:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EY8WQgpqOJnl for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 14:31:43 -0800 (PST)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AB171310A1 for <cfrg@irtf.org>; Fri, 8 Mar 2019 14:31:42 -0800 (PST)
Received: from xct103cnc.rim.net ([10.65.161.203]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Mar 2019 17:31:41 -0500
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT103CNC.rim.net ([fe80::b8:d5e:26a5:f4d6%17]) with mapi id 14.03.0415.000; Fri, 8 Mar 2019 17:31:40 -0500
From: Dan Brown <danibrown@blackberry.com>
To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] ISE seeks help with some crypto drafts
Thread-Index: AQHU1dM/p85Q6yZz20KPF5U9AuzEyaYCCP8SgABbrwD//8E1sA==
Date: Fri, 8 Mar 2019 22:31:39 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501DA17BD@XMB116CNC.rim.net>
References: <B536DE62-B202-4484-91AE-DDF7C3DD9503@gmail.com> <20190308183926.4615.qmail@cr.yp.to>
In-Reply-To: <20190308183926.4615.qmail@cr.yp.to>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.250]
Content-Type: multipart/signed; micalg=2.16.840.1.101.3.4.2.1; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_0097_01D4D5D4.C9293110"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_JtnWu3HFr1fHDxUUPwWWxjndEo>
Subject: Re: [Cfrg] ISE seeks help with some crypto drafts
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 22:31:46 -0000

> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org>; On Behalf Of D. J. Bernstein
> 
> Time for security reviewers is a precious resource in cryptography. It
should be

True.

***

Hmm, hints of the Monty Hall problem: given the prize behind door OCB2,
maybe we should switch from door OCB3 to door OCB1? (Given only these
choices ... ;).

***

I was very shaken to hear about OCB2 being broken.

***

A non-precious security review follows. 

The results are extremely harsh towards OCB3 and OCB1, but presumably, the
harsh results can be refuted by a more serious security review.

Assume that [Breakablity of OCBn] for n=1,2,3,... is a random variable,
taking Boolean values, having an independent identical distribution (IID),
with a common probability p of being true (each OBCn independently breakable
with prob p).

The observed data is that at least one of OCB{1-3} is breakable, because
OCB2 has been broken.  The likelihood of such an observation is L =
1-(1-p)^3  = 3p - 3p^2 + p^3.  (Similarly, the likelihood is just p for the
simpler observation that at least OCB2 is breakable.)

A maximum likelihood estimate (MLE) puts p=1 (to maximize L, and this is the
unique maximum of L), which means MLE tells us to infer that both OCB1 and
OCB3 are 100% breakable.  To infer otherwise, means we need more (1)
observations, (2) different assumptions, or (3) a different inference method
(arguably MLE is too crude).

To defend the MLE inference method, suppose that there had been no
observations of breakability in OCB{1-3}.   This means the number of
breakables could be any of {0-3}.  This event has likelihood 1, and does not
depend on p.  Then MLE method tells us that all values of p maximizes the
likelihood, so the inference for p is actually a set, now the whole interval
[0,1].   This inference interval does not inspire much confidence, of
course. (Indeed, it is a formal general reason no to immediately trust
any-old new algorithm XYZ.)  But the inference interval [1,1] (i.e., p=1)
seems worse than [0,1].  The simple MLE method is consistent with intuition,
that if one observes (assumedly related) algorithms Doe1, Doe2, Doe3, ...,
Doe7, all broken, but Doe8 is not (yet) broken one might prefer an
(assumedly) unrelated algorithm Joe over Doe9 (unless you know Joe is really
Joe9 and is (assumedly) related to broken Joe{1-8}, e.g. if you ask 8
ordinary Joes off the street etc.)

For an example of an inference strategy different from MLE, we could try an
optimistic benefit-of-the-doubt method.  By this, I mean to presume that p
is as a low as possible, subject to some lower bound on likelihood, say
0.05.  With L = 1-(1-p)^3 > 0.05, we conclude that p > 0.017, which (in my
opinion) is not nearly low enough.   This kind of benefit-of-the-doubt
inference method is perhaps fine in some applications, but seem intuitively
unjustifiable in security (*).  

(*) On the other hand, saying the inference p in interval [1,1] is worse
than the inference p in [0,1], is essentially granting slight
benefit-of-the-doubt, allowing optimists to imagine that p in [0,1] might be
small.  Pessimists may see not difference in these inferences.  However,
when choosing the least bad options, interval [0,1] seems better.

Again, a better inference would at least have (1) better observations, and
(2) better assumptions.  Better observations could include the number of
reviewers, the time spent; better assumptions could include various other
unknown variables, such as, existing of breaks, severities of breaks,
difficulty of finding breaks reviewer's skill or efforts, and then
assumptions about the probability for these variables, such as, independence
of security reviewers chances of finding an attack (if it exists).  

I realize that the consensus practice does not attempt use the formal
statistical inference described above to present security review data,
whether that of CFRG, other standards, various crypto competitions, academic
reviews and so on.  I do not object to that practice, since the security
review is the "precious resource", while statistical formality is just a
nuisance.    

Regardless, if such formal inferences could be made, OCB3 may well fare
comparably with the other state-of-the-art algorithms (e.g. GCM), for all I
know. Nevertheless, the point is that the related OCB2 has dug OCB3 into a
shallow hole, which, yes, can be gotten out of, but requires extra effort to
regain (my) confidence.