Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
Andrey Bozhko <andbogc@gmail.com> Sun, 31 March 2024 11:02 UTC
Return-Path: <andbogc@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42ED9C14F5FC for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 04:02:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V2u-DzJAmvnK for <cfrg@ietfa.amsl.com>; Sun, 31 Mar 2024 04:02:27 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2345C14F5F8 for <cfrg@irtf.org>; Sun, 31 Mar 2024 04:02:26 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id ada2fe7eead31-4783dca2b17so1215833137.2 for <cfrg@irtf.org>; Sun, 31 Mar 2024 04:02:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711882946; x=1712487746; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OCftB9l+j+0xIfNagsW+hIMMGd8Nk28Xsz2vniKf0y4=; b=YV75bEMMdE7oqm28SzcMmeRfUUVPq0lhv0XKaFUkU+Y9NnzFRL0BZvCQqunLF5zB3V 6wZn59+JUyJz8GLT97MZhFWnhcaGC59H0TkUiLI4r4ebgJjrH2gli5D0jJPt1o9eu/tu rQ4nvzwCpVo0sTMn3dnsEEiz9ieojyyeZD4TLrTUfY15XvqR+ZSMDTBAkYyWg7t11qWB fzfwpPXt11llsDOBECUXYcizI4QeXWZZDta+7tYD96nGWWYwRStoxwjG3ZGiUMfA1MIf 2r3dAAjTDdB5x5kFEZ94QnSCcqZZZ6T2jNNs0MTvJxmt8kU4vnviQmrJXOq6CuShT3Rv +R3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711882946; x=1712487746; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OCftB9l+j+0xIfNagsW+hIMMGd8Nk28Xsz2vniKf0y4=; b=aoF/YBfCFE6IPxbjMeIM4DC/4XV6wRMuFWYFLSXkKzcvcX7Vw2OrgxzpmOaUtbiWdU VmSF7DPZ1Oo4IWpUxZNUB6mlPuPsC38OYuND+jaCcJZoImgSadxLOG4B3AYsHq3IcNNE X2vjBMD9e56UKxxWBBFZ/mW9f3+WDhs51iAGEtPROxTDwBuHPhGMqU88nM+UsLE71GKV ywlJU3/1/akPeuQ1eUNKqThYsXcRWPP8HrpYhe8AsY1BpC/SrK98ojnrQvTrmxDk1yJg N7AMpUx2CEs+7T8uO5IVF+lUr0pwfiYGJfCFdCr/R7EbMz7+DdRki5FCNIU+MvkK4Scc fu5Q==
X-Gm-Message-State: AOJu0YytNqYJfg/yJeh728cPXmQIPaJ8kJqBeobVsB1qXmBICqP7FyZs RhnUugZM2BSqC4ADA0tiXeWwVbFeqoNbCSHaVELwul51dLhxCA0c1/Uj2ZpV/Bct5DNtBwovVyh 0DqRpmYzhwbXVOpMemq5UJTg5RJg=
X-Google-Smtp-Source: AGHT+IGTiJgt4uGxAgdyPBZ90zFFBM+KpTIcT86+7iI/XYB2dBtV9kafHFYM29q7a+pnYrD886B3P5y0ITRu2qHmemw=
X-Received: by 2002:a67:fc95:0:b0:478:4e0e:3ea5 with SMTP id x21-20020a67fc95000000b004784e0e3ea5mr4173087vsp.11.1711882945332; Sun, 31 Mar 2024 04:02:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6=6_61XHw5=YR1xNWcwX6nD8EpLEpyw9am1LEKgTPirXg@mail.gmail.com> <LV8PR11MB8748ACDDFF9ACD91A034162AA13B2@LV8PR11MB8748.namprd11.prod.outlook.com> <CAMd8_ZoGjZu08Pn4xTyG9fRcHTbunkip9N7b8EHr9v2P4DOTyg@mail.gmail.com> <LV8PR11MB8748230602BFAF47A1986DE6A13A2@LV8PR11MB8748.namprd11.prod.outlook.com>
In-Reply-To: <LV8PR11MB8748230602BFAF47A1986DE6A13A2@LV8PR11MB8748.namprd11.prod.outlook.com>
From: Andrey Bozhko <andbogc@gmail.com>
Date: Sun, 31 Mar 2024 15:01:38 +0400
Message-ID: <CAMd8_Zo3HVerks47DikkxMTK=3rT-yCxoJVafGCKAxTcLJEc5Q@mail.gmail.com>
To: "Tereschenko, Aleksandr V" <aleksandr.v.tereschenko@intel.com>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000da8e490614f2ce87"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/d0-R76DbiT-H8UIZXCveURflxfc>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 11:02:31 -0000
>>> maybe a short note would still be helpful then Sure! I completely agree with you on that. I'll make the corresponding changes and publish the updated version within 1-2 days. Thanks for the discussion! Regards, Andrey On Sat, 30 Mar 2024 at 01:19 Tereschenko, Aleksandr V < aleksandr.v.tereschenko@intel.com> wrote: > Thanks Andrey, both make sense to me. > > > > For #1, maybe a short note would still be helpful then, to acknowledge its > existence and avoid this same question being raised later on (or popping up > in reader's head)? A condensed version of your clarification below would > work perfectly I think, e.g., something along the lines of: "*There is > also a well-known weaker notion - Leakage Resilience, but this document > makes a conscious choice to focus on a stronger Leakage Resistance one, > following the framework established in [Guo et al., Bellizia et al.], for > its better practicality and comprehensiveness*". > > > > This is just to aim the reader with necessary references, should they need > to dig deeper (in the spirit of the I-D) + address the potential question > (which, given the widespread use of the term may be quite natural). > > > > It would also be a nod to what Bellizia et al. mention about that notion: "*We > insist that this observation does not invalidate the interest of the > leakage-resilience setting: whether (stronger) leakage-resistance or > (weaker) leakage-resilience is needed depends on application constraints* > ". > > > > Either way, kudos for a nice document! > > > > regards, > > Alexander Tereschenko (he/him) > > Intel Product Assurance and Security (IPAS) Crypto Team > > ------------------------------------------------------------- > > Intel Technology Poland sp. z o.o. - ul. Slowackiego 173, 80-298 Gdansk > <https://www.google.com/maps/search/Slowackiego+173,+80-298+Gdansk?entry=gmail&source=g> > - KRS 101882 - NIP 957-07-52-316 > > > > *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of * Andrey Bozhko > *Sent:* Friday, March 29, 2024 10:24 > *To:* Tereschenko, Aleksandr V <aleksandr.v.tereschenko@intel.com> > *Cc:* CFRG <cfrg@irtf.org> > *Subject:* Re: [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04 > > > > Hi Alexander, > > > > Thank you for the review and very interesting comments! Please find some > answers and explanations below. > > > > 1. I considered adding resilience in the sense of [1] when writing that > section as well. However, after discussions with reviewers of earlier > versions, it was decided to only leave resistance following the [2,3] line > of work. The main reason here was that the framework of [2,3] is better > developed, allows for comprehensive and intuitive analysis, and is tailored > for real-life schemes. Another reason is that initial papers in which > resilience and resistance were introduced consider different leakage models > (e.g., partial and full leakages). Explaining these differences in the > draft would have led to introducing confusion rather than reducing it. So, > it was more or less a weighted decision to focus only on leakage resistance > in the draft. > > > > 2. Indeed, that would be nice. I will add a corresponding sentence to the > “Note” paragraph in the mu security section. However, I think it is > reasonable to only mention indistinguishability as a targeted security > notion in the “Security notion” paragraph. > > > > [1] Barwell, G., et al., “Authenticated encryption in the face of protocol > and side channel leakage”, https://eprint.iacr.org/2017/068.pdf > > > > [2] Guo, C., et al., "Authenticated Encryption with Nonce Misuse and > Physical Leakages: Definitions, Separation Results and Leveled > Constructions", > https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8 > > > > [3] Bellizia, D., et al., "Mode-Level vs. Implementation-Level Physical > Security in Symmetric Cryptography: A Practical Guide Through the > Leakage-Resistance Jungle", > https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13 > > > > Regards, > > Andrey > > > > On Thu, 28 Mar 2024 at 20:26 Tereschenko, Aleksandr V < > aleksandr.v.tereschenko@intel.com> wrote: > > Hello everyone, > > > > Apologies for slightly missing the formal RGLC deadline, hopefully this > feedback is still useful. I've reviewed the draft (version -05 though, but > replying in this RGLC thread about -04 for continuity) and overall I think > this is a useful document that is ready for publication. Establishing > common language for complex things like those security and implementation > properties is certainly helpful and should lead to fewer mistakes, i.e., > better security, so I find the document's primary goal laudable. > > > > I also have a couple of minor comments, listed in no particular order > below. > > > > 1. Section 4.3.4 mentions leakage resistance without mentioning > leakage *resilience*, which is a distinct and weaker notion also widely > used (e.g., [1] or [2]). Given that, I'd suggest mentioning it as well, by > e.g., following the approach used in section 4.3.7. Nonce Misuse and adding > resilience-related text like "<…> provides security (resilience or > resistance) <…>" to the main definition, and then definitions of both > resilience and resistance as sub-items under it. > 2. Section 4.3.5. Multi-User Security: as shown in the referenced BT16 > paper and as it authors emphasize, there's also a potentially distinct and > relevant "mu kr" notion in addition to the "mu ind" one, maybe it's worth > mentioning too? I admit that unlike with the leakage resistance/resilience, > this distinction does not seem to be widespread in other papers, so just > wanted to bring that up for consideration, given the emphasis in the paper. > 3. Typo: "commiting" -> "committing" (Section 4.3.2 "Examples: <…>") > 4. Typo: "i.e," -> "i.e.," (Section 4.3.8 "Q2 model: <…>") > > > > [1] https://link.springer.com/chapter/10.1007/978-3-030-56784-2_13 > > [2] https://link.springer.com/chapter/10.1007/978-3-030-30530-7_8 > > > > regards, > > Alexander Tereschenko (he/him) > > Intel Product Assurance and Security (IPAS) Crypto Team > > > > *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of *Stanislav V. > Smyshlyaev > *Sent:* Tuesday, March 5, 2024 09:44 > *To:* CFRG <cfrg@irtf.org> > *Cc:* cfrg-chairs@ietf.org; draft-irtf-cfrg-aead-properties@ietf.org > *Subject:* [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04 > > > > Dear CFRG participants, > > This message is starting 3 weeks RGLC on > draft-irtf-cfrg-aead-properties-04 ("Properties of AEAD Algorithms") that > will end on March 26th 2024. If you've read the document and think that it > is ready (or not ready) for publication as an RFC, please send a message in > reply to this email or directly to CFRG chairs (cfrg-chairs@ietf.org). If > you have detailed comments, these would also be very helpful at this point. > > > > We've got a review of the draft by Russ Housley (on behalf of the Crypto > Review Panel): > https://mailarchive.ietf.org/arch/msg/crypto-panel/aNQc4kc0DFlSPy_ohUttM4QEVXc/ > > Russ has confirmed that his comments have been addressed. > > > > Thank you, > > Stanislav, for CFRG chairs > >
- [CFRG] RGLC on draft-irtf-cfrg-aead-properties-04 Stanislav V. Smyshlyaev
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Stephen Farrell
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… John Mattsson
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Chris Barber
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Jonathan Lennox
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Tereschenko, Aleksandr V
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Tereschenko, Aleksandr V
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Tereschenko, Aleksandr V
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Stephen Farrell
- Re: [CFRG] RGLC on draft-irtf-cfrg-aead-propertie… Andrey Bozhko