Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?

Paul Hoffman <> Sat, 24 February 2018 15:31 UTC

From: Paul Hoffman <>
Date: Sat, 24 Feb 2018 15:31:06 +0000
List-Id: Crypto Forum Research Group <>

On Feb 24, 2018, at 6:41 AM, Greg Rose <> wrote:
>> On Feb 23, 2018, at 23:34 , Jean-Philippe Aumasson <> wrote:
>> Seconding David. We're talking tokenization more than encryption. In the context where I created ipcrypt we just needed to obfuscate the PII data (such as IP addresses) in a deterministic and format-preserving way.
> Now I'm confused. Is there a requirement for invertibility or not? The problem, if it isn't invertible, is that it will act as a hash, and you can expect collisions after only about 60k entries. Are there consequences to that?

This is a problem that is being debated by the users of the system.

- Invertibility is a great feature if we can get it without concern that it lets an attacker with a lot of known pairs recover the key so they can then deanonymize all the pairs.

- Non-invertible (current proposal is truncate32(AES128(32_bit_address, 128_bit_random_key))) causes collisions, but those collisions only affect researchers looking over a dataset who are trying to determine why party X sent a particular stream of messages. When there are collisions, two parties' streams get merged; however, with mix-and-truncate the attacker cannot determine the key from lots of known pairs.

There is a difficult balance: the party anonymizing the data has a much higher cost if the data is deanonymized than the benefit that is going to the party reading the data. One safe way to anonymize the addresses is to set them all to, but that makes them useless to the readers. The question is how far beyond that simple safe mechanism the anonymizing party should go, and at what cost. That's not a question that can be handled in CFRG (and it's not clear we will handle it well in the DNS operators fora).

--Paul Hoffman
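An added example (written for this page; it is not ipcrypt and not code from anyone in this thread) of the mix-and-truncate proposal quoted above, truncate32(AES128(32_bit_address, 128_bit_random_key)), using Go's standard-library AES. The thread does not say how a 32-bit address is laid out inside AES's 128-bit block, so the layout here (address in the first 4 bytes, remaining 12 bytes zero, token = first 4 ciphertext bytes) is an assumption, as are the fixed key and the function names. The block shows that the mapping is deterministic and IPv4-format-preserving, and compares observed collisions over a run of addresses with the birthday estimate behind the "about 60k entries" figure:

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"net"
)

// exampleKey is a constructed, fixed 128-bit key so the example runs offline.
// A real anonymizer would draw a fresh random key per dataset and keep it secret.
var exampleKey = []byte{
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
}

// Anonymize computes truncate32(AES128(address, key)) for one IPv4 address.
// Assumption (not stated in the thread): the 4 address bytes occupy the first
// 4 bytes of the 16-byte AES block and the other 12 bytes are zero; the token
// is the first 4 bytes of the ciphertext, rendered as a dotted quad so the
// output keeps the IPv4 format. The mapping is deterministic for a fixed key
// and, because 96 ciphertext bits are discarded, not invertible.
func Anonymize(addr net.IP, key []byte) (net.IP, error) {
	v4 := addr.To4()
	if v4 == nil {
		return nil, errors.New("anonymize: not an IPv4 address")
	}
	block, err := aes.NewCipher(key) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	var in, out [aes.BlockSize]byte
	copy(in[:4], v4)
	block.Encrypt(out[:], in[:])
	return net.IPv4(out[0], out[1], out[2], out[3]).To4(), nil
}

// CountCollisions anonymizes n consecutive addresses starting at start and
// returns how many tokens had already been produced by a different address,
// i.e. how many parties' streams would be merged in the resulting dataset.
func CountCollisions(key []byte, start uint32, n int) (int, error) {
	seen := make(map[uint32]uint32, n)
	collisions := 0
	for i := 0; i < n; i++ {
		a := start + uint32(i)
		var raw [4]byte
		binary.BigEndian.PutUint32(raw[:], a)
		tok, err := Anonymize(net.IP(raw[:]), key)
		if err != nil {
			return 0, err
		}
		t := binary.BigEndian.Uint32(tok)
		if prev, ok := seen[t]; ok && prev != a {
			collisions++
			continue
		}
		seen[t] = a
	}
	return collisions, nil
}

// ExpectedCollisions is the birthday estimate n(n-1)/2 / 2^bits. For a
// 32-bit token it reaches 0.5 at about 65k distinct inputs, which is the
// "about 60k entries" figure raised in the thread.
func ExpectedCollisions(n int, bits uint) float64 {
	return float64(n) * float64(n-1) / 2 / math.Pow(2, float64(bits))
}

func main() {
	tok, err := Anonymize(net.ParseIP("192.0.2.1"), exampleKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("192.0.2.1 ->", tok) // same key and input give the same token every run

	// Sweep 200k consecutive addresses from 10.0.0.0 (constructed input).
	const n = 200000
	got, err := CountCollisions(exampleKey, 0x0A000000, n)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d addresses: %d collisions observed, %.2f expected by the birthday bound\n",
		n, got, ExpectedCollisions(n, 32))
}
```

The observed count varies with the key but tracks the estimate; the point for the dataset readers is that every collision silently merges two parties' traffic, and nothing in the output marks where that happened.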