### Re: [Cfrg] ISE seeks help with some crypto drafts

Dan Brown <danibrown@blackberry.com> Fri, 08 March 2019 22:31 UTC

Return-Path: <danibrown@blackberry.com>

X-Original-To: cfrg@ietfa.amsl.com

Delivered-To: cfrg@ietfa.amsl.com

Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AFFB127876 for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 14:31:46 -0800 (PST)

X-Virus-Scanned: amavisd-new at amsl.com

X-Spam-Flag: NO

X-Spam-Score: -2.6

X-Spam-Level:

X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no

Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EY8WQgpqOJnl for <cfrg@ietfa.amsl.com>; Fri, 8 Mar 2019 14:31:43 -0800 (PST)

Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AB171310A1 for <cfrg@irtf.org>; Fri, 8 Mar 2019 14:31:42 -0800 (PST)

Received: from xct103cnc.rim.net ([10.65.161.203]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 08 Mar 2019 17:31:41 -0500

Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT103CNC.rim.net ([fe80::b8:d5e:26a5:f4d6%17]) with mapi id 14.03.0415.000; Fri, 8 Mar 2019 17:31:40 -0500

From: Dan Brown <danibrown@blackberry.com>

To: "D. J. Bernstein" <djb@cr.yp.to>, "cfrg@irtf.org" <cfrg@irtf.org>

Thread-Topic: [Cfrg] ISE seeks help with some crypto drafts

Thread-Index: AQHU1dM/p85Q6yZz20KPF5U9AuzEyaYCCP8SgABbrwD//8E1sA==

Date: Fri, 08 Mar 2019 22:31:39 +0000

Message-ID: <810C31990B57ED40B2062BA10D43FBF501DA17BD@XMB116CNC.rim.net>

References: <B536DE62-B202-4484-91AE-DDF7C3DD9503@gmail.com> <20190308183926.4615.qmail@cr.yp.to>

In-Reply-To: <20190308183926.4615.qmail@cr.yp.to>

Accept-Language: en-US, en-CA

Content-Language: en-US

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator:

x-originating-ip: [10.65.160.250]

Content-Type: multipart/signed; micalg="2.16.840.1.101.3.4.2.1"; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_0097_01D4D5D4.C9293110"

MIME-Version: 1.0

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_JtnWu3HFr1fHDxUUPwWWxjndEo>

Subject: Re: [Cfrg] ISE seeks help with some crypto drafts

X-BeenThere: cfrg@irtf.org

X-Mailman-Version: 2.1.29

Precedence: list

List-Id: Crypto Forum Research Group <cfrg.irtf.org>

List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>

List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>

List-Post: <mailto:cfrg@irtf.org>

List-Help: <mailto:cfrg-request@irtf.org?subject=help>

List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>

X-List-Received-Date: Fri, 08 Mar 2019 22:31:46 -0000

> -----Original Message----- > From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of D. J. Bernstein > > Time for security reviewers is a precious resource in cryptography. It should be True. *** Hmm, hints of the Monty Hall problem: given the prize behind door OCB2, maybe we should switch from door OCB3 to door OCB1? (Given only these choices ... ;). *** I was very shaken to hear about OCB2 being broken. *** A non-precious security review follows. The results are extremely harsh towards OCB3 and OCB1, but presumably, the harsh results can be refuted by a more serious security review. Assume that [Breakablity of OCBn] for n=1,2,3,... is a random variable, taking Boolean values, having an independent identical distribution (IID), with a common probability p of being true (each OBCn independently breakable with prob p). The observed data is that at least one of OCB{1-3} is breakable, because OCB2 has been broken. The likelihood of such an observation is L = 1-(1-p)^3 = 3p - 3p^2 + p^3. (Similarly, the likelihood is just p for the simpler observation that at least OCB2 is breakable.) A maximum likelihood estimate (MLE) puts p=1 (to maximize L, and this is the unique maximum of L), which means MLE tells us to infer that both OCB1 and OCB3 are 100% breakable. To infer otherwise, means we need more (1) observations, (2) different assumptions, or (3) a different inference method (arguably MLE is too crude). To defend the MLE inference method, suppose that there had been no observations of breakability in OCB{1-3}. This means the number of breakables could be any of {0-3}. This event has likelihood 1, and does not depend on p. Then MLE method tells us that all values of p maximizes the likelihood, so the inference for p is actually a set, now the whole interval [0,1]. This inference interval does not inspire much confidence, of course. (Indeed, it is a formal general reason no to immediately trust any-old new algorithm XYZ.) But the inference interval [1,1] (i.e., p=1) seems worse than [0,1]. The simple MLE method is consistent with intuition, that if one observes (assumedly related) algorithms Doe1, Doe2, Doe3, ..., Doe7, all broken, but Doe8 is not (yet) broken one might prefer an (assumedly) unrelated algorithm Joe over Doe9 (unless you know Joe is really Joe9 and is (assumedly) related to broken Joe{1-8}, e.g. if you ask 8 ordinary Joes off the street etc.) For an example of an inference strategy different from MLE, we could try an optimistic benefit-of-the-doubt method. By this, I mean to presume that p is as a low as possible, subject to some lower bound on likelihood, say 0.05. With L = 1-(1-p)^3 > 0.05, we conclude that p > 0.017, which (in my opinion) is not nearly low enough. This kind of benefit-of-the-doubt inference method is perhaps fine in some applications, but seem intuitively unjustifiable in security (*). (*) On the other hand, saying the inference p in interval [1,1] is worse than the inference p in [0,1], is essentially granting slight benefit-of-the-doubt, allowing optimists to imagine that p in [0,1] might be small. Pessimists may see not difference in these inferences. However, when choosing the least bad options, interval [0,1] seems better. Again, a better inference would at least have (1) better observations, and (2) better assumptions. Better observations could include the number of reviewers, the time spent; better assumptions could include various other unknown variables, such as, existing of breaks, severities of breaks, difficulty of finding breaks reviewer's skill or efforts, and then assumptions about the probability for these variables, such as, independence of security reviewers chances of finding an attack (if it exists). I realize that the consensus practice does not attempt use the formal statistical inference described above to present security review data, whether that of CFRG, other standards, various crypto competitions, academic reviews and so on. I do not object to that practice, since the security review is the "precious resource", while statistical formality is just a nuisance. Regardless, if such formal inferences could be made, OCB3 may well fare comparably with the other state-of-the-art algorithms (e.g. GCM), for all I know. Nevertheless, the point is that the related OCB2 has dug OCB3 into a shallow hole, which, yes, can be gotten out of, but requires extra effort to regain (my) confidence.

- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Peter Gutmann
- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Dan Harkins
- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Andy Lutomirski
- [Cfrg] ISE seeks help with some crypto drafts RFC ISE (Adrian Farrel)
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Paul Wouters
- Re: [Cfrg] ISE seeks help with some crypto drafts Salz, Rich
- Re: [Cfrg] ISE seeks help with some crypto drafts David Wong
- Re: [Cfrg] ISE seeks help with some crypto drafts D. J. Bernstein
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Tony Arcieri
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Stephen Farrell
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Tony Arcieri
- Re: [Cfrg] ISE seeks help with some crypto drafts Dan Brown
- Re: [Cfrg] ISE seeks help with some crypto drafts John Mattsson
- Re: [Cfrg] ISE seeks help with some crypto drafts Tony Arcieri
- Re: [Cfrg] ISE seeks help with some crypto drafts Aaron Zauner
- Re: [Cfrg] ISE seeks help with some crypto drafts Aaron Zauner
- Re: [Cfrg] ISE seeks help with some crypto drafts Aaron Zauner
- Re: [Cfrg] ISE seeks help with some crypto drafts mcgrew
- Re: [Cfrg] ISE seeks help with some crypto drafts Aaron Zauner
- Re: [Cfrg] ISE seeks help with some crypto drafts Tony Arcieri
- Re: [Cfrg] ISE seeks help with some crypto drafts Ted Krovetz
- Re: [Cfrg] ISE seeks help with some crypto drafts Paul Hoffman
- Re: [Cfrg] ISE seeks help with some crypto drafts Tony Arcieri
- Re: [Cfrg] ISE seeks help with some crypto drafts Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Paul Wouters
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Watson Ladd
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Paul Wouters
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Paul Hoffman
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… S Moonesamy
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Benjamin Kaduk
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Uri Blumenthal
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Ted Krovetz
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Benjamin Kaduk
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Tony Arcieri
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Uri Blumenthal
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Stephen Farrell
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Tony Arcieri
- [Cfrg] Time to recharter CFRG as a working group?… StJohns, Michael
- Re: [Cfrg] Time to recharter CFRG as a working gr… Tony Arcieri
- Re: [Cfrg] Time to recharter CFRG as a working gr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] ISE seeks help with some crypto drafts Peter Gutmann
- Re: [Cfrg] ISE seeks help with some crypto drafts Salz, Rich
- Re: [Cfrg] ISE seeks help with some crypto drafts Salz, Rich
- Re: [Cfrg] Time to recharter CFRG as a working gr… John Mattsson
- Re: [Cfrg] [secdir] ISE seeks help with some cryp… Valery Smyslov
- Re: [Cfrg] Time to recharter CFRG as a working gr… Mathy Vanhoef
- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Peter Gutmann
- Re: [Cfrg] Time to recharter CFRG as a working gr… Michael StJohns
- Re: [Cfrg] Time to recharter CFRG as a working gr… Richard Barnes
- Re: [Cfrg] Time to recharter CFRG as a working gr… Salz, Rich
- Re: [Cfrg] Time to recharter CFRG as a working gr… Stephen Farrell
- Re: [Cfrg] Time to recharter CFRG as a working gr… Michael StJohns
- Re: [Cfrg] Time to recharter CFRG as a working gr… denis bider
- Re: [Cfrg] Time to recharter CFRG as a working gr… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Time to recharter CFRG as a working gr… Richard Barnes
- Re: [Cfrg] Time to recharter CFRG as a working gr… Daniel Kahn Gillmor
- Re: [Cfrg] Time to recharter CFRG as a working gr… Michael StJohns
- Re: [Cfrg] Time to recharter CFRG as a working gr… Paterson Kenneth
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Paul Wouters
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Uri Blumenthal
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Tony Arcieri
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Tony Arcieri
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Paterson Kenneth
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… denis bider
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Watson Ladd
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Melinda Shore
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Uri Blumenthal
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… denis bider
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Martin Thomson
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Peter Gutmann
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Melinda Shore
- Re: [Cfrg] Time to recharter CFRG as a working gr… mcgrew
- Re: [Cfrg] [secdir] Time to recharter CFRG as a w… Donald Eastlake
- Re: [Cfrg] Time to recharter CFRG as a working gr… Michael StJohns
- Re: [Cfrg] Time to recharter CFRG as a working gr… mcgrew
- Re: [Cfrg] Time to recharter CFRG as a working gr… StJohns, Michael
- Re: [Cfrg] Time to recharter CFRG as a working gr… Stephen Farrell
- Re: [Cfrg] Time to recharter CFRG as a working gr… Martin Thomson
- [Cfrg] dragonfly, was: Re: Time to recharter CFRG… Dan Harkins
- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Tony Arcieri
- Re: [Cfrg] dragonfly, was: Re: Time to recharter … Björn Haase
- Re: [Cfrg] ISE seeks help with some crypto drafts Eric Rescorla
- Re: [Cfrg] ISE seeks help with some crypto drafts Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] ISE seeks help with some crypto drafts Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] ISE seeks help with some crypto drafts Eric Rescorla
- Re: [Cfrg] ISE seeks help with some crypto drafts mcgrew
- Re: [Cfrg] ISE seeks help with some crypto drafts Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] ISE seeks help with some crypto drafts mcgrew
- Re: [Cfrg] ISE seeks help with some crypto drafts Ted Krovetz
- Re: [Cfrg] ISE seeks help with some crypto drafts Benjamin Kaduk