[CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits
Mihir Bellare <mbellare@ucsd.edu> Wed, 12 March 2025 21:46 UTC
References: <AS5PR07MB9675B4B72C3E7956A5DCA1D089CA2@AS5PR07MB9675.eurprd07.prod.outlook.com> <20250306143247.85841.qmail@cr.yp.to> <CABATvwhCiuqzXOaGzV8Q+yB88SONw5zYJMtDU9NSyLk=cpr3Ww@mail.gmail.com> <CABATvwjU=6Br5fyqS=j-2nUJxsU9LTa2PGHjviANWS40Qw5Jfg@mail.gmail.com> <CABATvwgQR64RxEyvHJGudL1KipTR4k9ZCh_TbX_Ch3oK7ZGRyQ@mail.gmail.com> <be5a2807-29a4-4e66-8ea7-cc1a5acd200f@betaapp.fastmail.com>
In-Reply-To: <be5a2807-29a4-4e66-8ea7-cc1a5acd200f@betaapp.fastmail.com>
From: Mihir Bellare <mbellare@ucsd.edu>
Date: Wed, 12 Mar 2025 14:46:17 -0700
Message-ID: <CABATvwjvhyzT1WN86dTf4cMaZmUj4fKw3Btgp=nrNRcoVq1n_g@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
CC: cfrg@irtf.org
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/c2npezuMwJ035sNyokzrGUqfqZI>
>
> That is, if you set a target advantage of 2^-50, then you are inherently
> assuming that o is significantly less than 2^n*2^-50 or that term would be
> what determines the advantage that an attacker gains. Would that sort of
> thing help?
>
Fixing a particular target advantage, and hence a value of o, feels a bit
arbitrary and hard for non-cryptographers to understand intuitively. What
if instead one fixes a target work factor w, defined by 2^w =
adversary-effort / advantage = o/e ? Intuitively this can be interpreted as
the time needed to break the system totally, meaning get advantage about
e=1, which may be more intuitive. An example is w=80 representing 2^{80}
time, although Dan points out that it could be as high as w=94. For
AES-GCM-k, a bound that explicitly reflects time (o) can be extracted from
p.5 of [HTT18 <https://eprint.iacr.org/2018/993.pdf>]. For u=1 user and in
the notation of the draft document it says roughly e \leq o * 2^{-k} + s^2
* 2^{-128}. To ensure the w work factor, the first term just implies w < k,
which we can assume, and from the second we need s/(s^2 * 2^{-128}) \geq
2^w which gives the limit s \leq 2^{128-w}. So for example for w=80 the
limit is s \leq 2^{128-80} = 2^{48}.
Now in this case the advantage is 2^{96} * 2^{-128} = 2^{-32} which is
above your bar of 2^{-50} so would not be admissible in that view but I
think what this view neglects is that the attacker has to invest 2^{48}
time to mount this attack, so the work factor is 2^{48}/2^{-32} = 2^{80} as
desired, meaning it stays in the ballpark of intuitively needing 2^{80}
time. So just another approach, not sure exactly how valid or realistic it
is; I'm sure it has its issues and limitations!
Orthogonally I have a philosophical question. The document gives multi-user
(mu) bounds and Dan has given convincing arguments in their favor, and I
agree with both. My question is, what incentive do individual users have to
use mu limits rather than single-user (su) ones? If it is up to a user
(owner of one key) to pick their own limits, they may (selfishly) argue
that they only care that the probability of cracking their key is low
enough and it does not matter if, across all users, there is a break with
probability nearly 1, so they will use su limits. As a rough analogy, if we
consider the set of all people who will drive more than 20 miles tomorrow,
it is nearly certain that, across the planet, one of them will die in a
traffic accident, but an individual driver does not let this preclude them
from driving 20 miles because they are pretty sure that this one person
will not be them. To be clear, I am not at all arguing against mu being the
right metric, and indeed it is and should be in the document; I'm just
curious as to whether mu limits will actually have any impact on choices of
limits made in the wild.
Regards
Mihir
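The arithmetic behind the two approaches discussed above (a fixed target advantage versus a fixed work factor), carried through as an added example that is not part of Mihir Bellare's message, the draft, or HTT18. It uses the single-user AES-GCM bound quoted in the message, e <= o * 2^-k + s^2 * 2^-128, and treats the target-advantage value 2^-50 and the resulting limit s <= 2^39 as my own derivation from that same bound, not a figure stated in the thread.

```python
"""
Worked comparison of two ways to limit the number of encryptions s under one
AES-GCM key, using the single-user (u=1) bound quoted in the message above,
written in the draft's notation:

    e <= o * 2^-k + s^2 * 2^-128

    e : adversary advantage
    o : offline adversary effort (block-cipher evaluations)
    k : AES key length in bits (128 assumed below)
    s : number of encryptions under the key

As in the message, only the second (collision) term is used to derive a
limit on s; the first term only requires w < k.  Exact rationals are used
so the values can be checked rather than eyeballed as floats.
"""
from fractions import Fraction
from math import log2


def su_advantage(s: int, o: int = 0, k: int = 128) -> Fraction:
    """Exact value of the single-user bound o*2^-k + s^2*2^-128."""
    return Fraction(o, 2 ** k) + Fraction(s * s, 2 ** 128)


def max_s_for_work_factor(w: int) -> int:
    """Work-factor approach from the message.

    Require effort / advantage >= 2^w for the collision term, i.e.
    s / (s^2 * 2^-128) >= 2^w, which gives s <= 2^(128 - w).
    """
    if not 0 < w < 128:
        raise ValueError("work factor w must satisfy 0 < w < 128")
    return 2 ** (128 - w)


def max_s_for_target_advantage(t: int) -> int:
    """Target-advantage approach (my derivation, not from the thread).

    Require s^2 * 2^-128 <= 2^-t alone, i.e. s <= 2^((128 - t) / 2).
    Returned as the largest power of two satisfying it.
    """
    if not 0 < t < 128:
        raise ValueError("target advantage exponent t must satisfy 0 < t < 128")
    return 2 ** ((128 - t) // 2)


def work_factor_bits(s: int) -> float:
    """log2(effort / advantage) for the collision term: s / (s^2*2^-128) = 2^128 / s."""
    return 128 - log2(s)


def compare(w: int = 80, t: int = 50) -> dict:
    """Side-by-side numbers for a work factor 2^w and a target advantage 2^-t."""
    s_w = max_s_for_work_factor(w)
    s_t = max_s_for_target_advantage(t)
    return {
        "work_factor": {
            "s_limit_bits": int(log2(s_w)),
            "advantage": su_advantage(s_w),
            "work_factor_bits": work_factor_bits(s_w),
        },
        "target_advantage": {
            "s_limit_bits": int(log2(s_t)),
            "advantage": su_advantage(s_t),
            "work_factor_bits": work_factor_bits(s_t),
        },
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:17s} s <= 2^{row['s_limit_bits']}, "
              f"e <= 2^{log2(row['advantage']):.0f}, "
              f"effort/advantage = 2^{row['work_factor_bits']:.0f}")
```

For w=80 the script reproduces the message's numbers (s <= 2^48, advantage 2^-32, work factor 2^80); for a target advantage of 2^-50 the same bound forces s <= 2^39, at which point the collision term's effort/advantage ratio is 2^89, which is the sense in which the target-advantage view is the more conservative of the two.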