IETF Logo Mail Archive

Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04

Andrey Bozhko <andbogc@gmail.com> Sun, 31 March 2024 11:02 UTC

Return-Path: <andbogc@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42ED9C14F5FC for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 04:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2u-DzJAmvnK for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 04:02:27 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2345C14F5F8 for <cfrg@irtf.org>; Sun, 31 Mar 2024 04:02:26 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id ada2fe7eead31-4783dca2b17so1215833137.2 for <cfrg@irtf.org>; Sun, 31 Mar 2024 04:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711882946; x=1712487746; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OCftB9l+j+0xIfNagsW+hIMMGd8Nk28Xsz2vniKf0y4=; b=YV75bEMMdE7oqm28SzcMmeRfUUVPq0lhv0XKaFUkU+Y9NnzFRL0BZvCQqunLF5zB3V 6wZn59+JUyJz8GLT97MZhFWnhcaGC59H0TkUiLI4r4ebgJjrH2gli5D0jJPt1o9eu/tu rQ4nvzwCpVo0sTMn3dnsEEiz9ieojyyeZD4TLrTUfY15XvqR+ZSMDTBAkYyWg7t11qWB fzfwpPXt11llsDOBECUXYcizI4QeXWZZDta+7tYD96nGWWYwRStoxwjG3ZGiUMfA1MIf 2r3dAAjTDdB5x5kFEZ94QnSCcqZZZ6T2jNNs0MTvJxmt8kU4vnviQmrJXOq6CuShT3Rv +R3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711882946; x=1712487746; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OCftB9l+j+0xIfNagsW+hIMMGd8Nk28Xsz2vniKf0y4=; b=aoF/YBfCFE6IPxbjMeIM4DC/4XV6wRMuFWYFLSXkKzcvcX7Vw2OrgxzpmOaUtbiWdU VmSF7DPZ1Oo4IWpUxZNUB6mlPuPsC38OYuND+jaCcJZoImgSadxLOG4B3AYsHq3IcNNE X2vjBMD9e56UKxxWBBFZ/mW9f3+WDhs51iAGEtPROxTDwBuHPhGMqU88nM+UsLE71GKV ywlJU3/1/akPeuQ1eUNKqThYsXcRWPP8HrpYhe8AsY1BpC/SrK98ojnrQvTrmxDk1yJg N7AMpUx2CEs+7T8uO5IVF+lUr0pwfiYGJfCFdCr/R7EbMz7+DdRki5FCNIU+MvkK4Scc fu5Q==
X-Gm-Message-State: AOJu0YytNqYJfg/yJeh728cPXmQIPaJ8kJqBeobVsB1qXmBICqP7FyZs RhnUugZM2BSqC4ADA0tiXeWwVbFeqoNbCSHaVELwul51dLhxCA0c1/Uj2ZpV/Bct5DNtBwovVyh 0DqRpmYzhwbXVOpMemq5UJTg5RJg=
X-Google-Smtp-Source: AGHT+IGTiJgt4uGxAgdyPBZ90zFFBM+KpTIcT86+7iI/XYB2dBtV9kafHFYM29q7a+pnYrD886B3P5y0ITRu2qHmemw=
X-Received: by 2002:a67:fc95:0:b0:478:4e0e:3ea5 with SMTP id x21-20020a67fc95000000b004784e0e3ea5mr4173087vsp.11.1711882945332; Sun, 31 Mar 2024 04:02:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=6_61XHw5=YR1xNWcwX6nD8EpLEpyw9am1LEKgTPirXg@mail.gmail.com> <LV8PR11MB8748ACDDFF9ACD91A034162AA13B2@LV8PR11MB8748.namprd11.prod.outlook.com> <CAMd8_ZoGjZu08Pn4xTyG9fRcHTbunkip9N7b8EHr9v2P4DOTyg@mail.gmail.com> <LV8PR11MB8748230602BFAF47A1986DE6A13A2@LV8PR11MB8748.namprd11.prod.outlook.com>
In-Reply-To: <LV8PR11MB8748230602BFAF47A1986DE6A13A2@LV8PR11MB8748.namprd11.prod.outlook.com>
From: Andrey Bozhko <andbogc@gmail.com>
Date: Sun, 31 Mar 2024 15:01:38 +0400
Message-ID: <CAMd8_Zo3HVerks47DikkxMTK=3rT-yCxoJVafGCKAxTcLJEc5Q@mail.gmail.com>
To: "Tereschenko, Aleksandr V" <aleksandr.v.tereschenko@intel.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000da8e490614f2ce87"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/d0-R76DbiT-H8UIZXCveURflxfc>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 11:02:31 -0000

>>> maybe a short note would still be helpful then

Sure! I completely agree with you on that. I'll make the corresponding
changes and publish the updated version within 1-2 days.

Thanks for the discussion!
Regards,
Andrey

On Sat, 30 Mar 2024 at 01:19 Tereschenko, Aleksandr V <
aleksandr.v.tereschenko@intel.com> wrote:

> Thanks Andrey, both make sense to me.
>
>
>
> For #1, maybe a short note would still be helpful then, to acknowledge its
> existence and avoid this same question being raised later on (or popping up
> in reader's head)? A condensed version of your clarification below would
> work perfectly I think, e.g., something along the lines of: "*There is
> also a well-known weaker notion - Leakage Resilience, but this document
> makes a conscious choice to focus on a stronger Leakage Resistance one,
> following the framework established in [Guo et al., Bellizia et al.], for
> its better practicality and comprehensiveness*".
>
>
>
> This is just to aim the reader with necessary references, should they need
> to dig deeper (in the spirit of the I-D) + address the potential question
> (which, given the widespread use of the term may be quite natural).
>
>
>
> It would also be a nod to what Bellizia et al. mention about that notion: "*We
> insist that this observation does not invalidate the interest of the
> leakage-resilience setting: whether (stronger) leakage-resistance or
> (weaker) leakage-resilience is needed depends on application constraints*
> ".
>
>
>
> Either way, kudos for a nice document!
>
>
>
> regards,
>
> Alexander Tereschenko (he/him)
>
> Intel Product Assurance and Security (IPAS) Crypto Team
>
> -------------------------------------------------------------
>
> Intel Technology Poland sp. z o.o. - ul. Slowackiego 173, 80-298 Gdansk
> <https://www.google.com/maps/search/Slowackiego+173,+80-298+Gdansk?entry=gmail&source=g>
> - KRS 101882 - NIP 957-07-52-316
>
>
>
> *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of * Andrey Bozhko
> *Sent:* Friday, March 29, 2024 10:24
> *To:* Tereschenko, Aleksandr V <aleksandr.v.tereschenko@intel.com>
> *Cc:* CFRG <cfrg@irtf.org>
> *Subject:* Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
>
>
>
> Hi Alexander,
>
>
>
> Thank you for the review and very interesting comments! Please find some
> answers and explanations below.
>
>
>
> 1. I considered adding resilience in the sense of [1] when writing that
> section as well. However, after discussions with reviewers of earlier
> versions, it was decided to only leave resistance following the [2,3] line
> of work. The main reason here was that the framework of [2,3] is better
> developed, allows for comprehensive and intuitive analysis, and is tailored
> for real-life schemes. Another reason is that initial papers in which
> resilience and resistance were introduced consider different leakage models
> (e.g., partial and full leakages). Explaining these differences in the
> draft would have led to introducing confusion rather than reducing it. So,
> it was more or less a weighted decision to focus only on leakage resistance
> in the draft.
>
>
>
> 2. Indeed, that would be nice. I will add a corresponding sentence to the
> “Note” paragraph in the mu security section. However, I think it is
> reasonable to only mention indistinguishability as a targeted security
> notion in the “Security notion” paragraph.
>
>
>
> [1] Barwell, G., et al., “Authenticated encryption in the face of protocol
> and side channel leakage”, https://eprint.iacr.org/2017/068.pdf
>
>
>
> [2] Guo, C., et al., "Authenticated Encryption with Nonce Misuse and
> Physical Leakages: Definitions, Separation Results and Leveled
> Constructions",
> https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8
>
>
>
> [3] Bellizia, D., et al., "Mode-Level vs. Implementation-Level Physical
> Security in Symmetric Cryptography: A Practical Guide Through the
> Leakage-Resistance Jungle",
> https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13
>
>
>
> Regards,
>
> Andrey
>
>
>
> On Thu, 28 Mar 2024 at 20:26 Tereschenko, Aleksandr V <
> aleksandr.v.tereschenko@intel.com> wrote:
>
> Hello everyone,
>
>
>
> Apologies for slightly missing the formal RGLC deadline, hopefully this
> feedback is still useful. I've reviewed the draft (version -05 though, but
> replying in this RGLC thread about -04 for continuity) and overall I think
> this is a useful document that is ready for publication. Establishing
> common language for complex things like those security and implementation
> properties is certainly helpful and should lead to fewer mistakes, i.e.,
> better security, so I find the document's primary goal laudable.
>
>
>
> I also have a couple of minor comments, listed in no particular order
> below.
>
>
>
>    1. Section 4.3.4 mentions leakage resistance without mentioning
>    leakage *resilience*, which is a distinct and weaker notion also widely
>    used (e.g., [1] or [2]). Given that, I'd suggest mentioning it as well, by
>    e.g., following the approach used in section 4.3.7. Nonce Misuse and adding
>    resilience-related text like "<…> provides security (resilience or
>    resistance) <…>" to the main definition, and then definitions of both
>    resilience and resistance as sub-items under it.
>    2. Section 4.3.5. Multi-User Security: as shown in the referenced BT16
>    paper and as it authors emphasize, there's also a potentially distinct and
>    relevant "mu kr" notion in addition to the "mu ind" one, maybe it's worth
>    mentioning too? I admit that unlike with the leakage resistance/resilience,
>    this distinction does not seem to be widespread in other papers, so just
>    wanted to bring that up for consideration, given the emphasis in the paper.
>    3. Typo: "commiting" -> "committing" (Section 4.3.2 "Examples: <…>")
>    4. Typo: "i.e," -> "i.e.," (Section 4.3.8 "Q2 model: <…>")
>
>
>
> [1] https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13
>
> [2] https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8
>
>
>
> regards,
>
> Alexander Tereschenko (he/him)
>
> Intel Product Assurance and Security (IPAS) Crypto Team
>
>
>
> *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of *Stanislav V.
> Smyshlyaev
> *Sent:* Tuesday, March 5, 2024 09:44
> *To:* CFRG <cfrg@irtf.org>
> *Cc:* cfrg-chairs@ietf.org; draft-irtf-cfrg-aead-properties@ietf.org
> *Subject:* [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
>
>
>
> Dear CFRG participants,
>
> This message is starting 3 weeks RGLC on
> draft-irtf-cfrg-aead-properties-04 ("Properties of AEAD Algorithms") that
> will end on March 26th 2024. If you've read the document and think that it
> is ready (or not ready) for publication as an RFC, please send a message in
> reply to this email or directly to CFRG chairs (cfrg-chairs@ietf.org). If
> you have detailed comments, these would also be very helpful at this point.
>
>
>
> We've got a review of the draft by Russ Housley (on behalf of the Crypto
> Review Panel):
> https://mailarchive.ietf.org/arch/msg/crypto-panel/aNQc4kc0DFlSPy_ohUttM4QEVXc/
>
> Russ has confirmed that his comments have been addressed.
>
>
>
> Thank you,
>
> Stanislav, for CFRG chairs
>
>

v2.23.0 | Report a Bug | By Email