Re: [CFRG] AEAD limits
Dmitry Belyavsky <beldmit@gmail.com> Tue, 17 November 2020 09:35 UTC
Return-Path: <beldmit@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCD6E3A0D7C for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 01:35:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id encIiIxPPIgG for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 01:35:14 -0800 (PST)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE4DA3A0D7A for <cfrg@ietf.org>; Tue, 17 Nov 2020 01:35:13 -0800 (PST)
Received: by mail-ej1-x62c.google.com with SMTP id i19so28456193ejx.9 for <cfrg@ietf.org>; Tue, 17 Nov 2020 01:35:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B+DVJJbli3ujZGmrZuK1qoEfQGCeZR7Xbnf1d8Cr3dc=; b=OhZAPGQ8bDzaVajoQvAviEaTJUn1huY0qR7LmBD/6ehVFNL3l13wSJQQDaiOPiT1eG Fg/ShvFf46Pe3Dp5wtTaR14xRvqLKizEScpLyQklAyF5xvCzCoovKyy7l2U/CNgQI3Gb XSfK5d9G1HTd9EHGuji+VWE2GAPrmxCyjN9iGp5YmGplASB2/WsifOR9gbvBGTRtX9u2 OvH7VqztLgoSiVaai7tSbWvudSE6ACbAx8nxI5dWab9e/F74mQCA2i3e9937BZEyW9zC Hz5IpO4mFVOMPVBbdcSCY3yS+cAKvrvUa0wbCFczxcernCRSgMTemogI9RktaDgemYen pi1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B+DVJJbli3ujZGmrZuK1qoEfQGCeZR7Xbnf1d8Cr3dc=; b=COHYT33ihBI0nw1u7oklT4OxGNJZD24+cX2qRvVJ+3cwt5/C+JnS1g0QF6zeeqH3Ys byGsX+mVwtF52pgn5wkWpIxnzOEinOXzCsyTSDrChS/eP43CqK9Q2Go5KwC+zfjkwCs7 dsymSevoez8B8Drl0QILwGW8rhU9lPE10OXdRC7/KJRVnNsG96FgqVxz/R0mGIqryrhp 373+K9gIXIyPeMh4AMNAjedDf9GSu12jGICupAhd5FRsnVpz7ozQglOl8c91B0QeH3Nn CaszfCMdWwe4Z/4TWpi7KO+EFAjG2Gx3p6JdElhFwp6Z+mQy0qJ27RJKCEEAU+41BCyq Iq+A==
X-Gm-Message-State: AOAM532uw1iDFkXxodVzj7k2LseV2PS0X26PoMa+GJnytTbqtRCYGSes r0ZZV10WFBWk4/RyJJ/4+UStt0yfZdOdy2mTPIc=
X-Google-Smtp-Source: ABdhPJykBsG5OFeZQpfvez/3+KMol6cPyOoiu7zpXq6V14fHpm9jiTaSmqSNJBXTR2GGQaOMTTovC9wxm88D99cWhDo=
X-Received: by 2002:a17:906:ae95:: with SMTP id md21mr17771214ejb.425.1605605712392; Tue, 17 Nov 2020 01:35:12 -0800 (PST)
MIME-Version: 1.0
References: <F87F3593-6BF7-433C-ACB9-C83EDE36989D@gmail.com> <4606546D-7C6D-4980-AEE1-2C9927F6B093@ericsson.com>
In-Reply-To: <4606546D-7C6D-4980-AEE1-2C9927F6B093@ericsson.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Tue, 17 Nov 2020 12:35:01 +0300
Message-ID: <CADqLbzJP1P61+RXBC2waJaWz25C21YgDHtqAGE7sw-L-qAu1sQ@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: Yoav Nir <ynir.ietf@gmail.com>, "<cfrg@ietf.org>" <cfrg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000022f67f05b44a36ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gT5gJIjZswOel2QZD9sFrpgO334>
Subject: Re: [CFRG] AEAD limits
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 09:35:16 -0000
I agree with the idea of such a table, but do we really think it's stable enough to make it a part of RFC? On Tue, Nov 17, 2020 at 12:07 PM John Mattsson <john.mattsson= 40ericsson.com@dmarc.ietf.org> wrote: > Hi, > > I think such a table would be a good idea. I think the table would be > “example limits” rather than “actual limits” and should contain values for > different values of p, l_p, and l_aad. This would give implementors (or > people writing drafts) some guidance. It would also work like a form of > test vectors. Without examples it is hard for a user of the document to > check if they calculated the limits correctly. > > For non-constrained environments where re-keying is easy, I think the > conclusions are simple, don’t use CCM and re-key frequently. For the > constrained IoT world (which currently use AES-CCM with 32 and 64 bit > MACs), I think the analysis gets more complicated and I think there are a > lot of other factors than p, l_p, and l_aad that needs to be considered. I > tried to summarize this in a mail to LAKE: > > https://mailarchive.ietf.org/arch/msg/lake/jxnTTX2L6HM9ZeVrQ4TNHdISulA/ > > Cheers, > John > > -----Original Message----- > From: CFRG <cfrg-bounces@irtf.org> on behalf of Yoav Nir < > ynir.ietf@gmail.com> > Date: Tuesday, 17 November 2020 at 08:41 > To: "<cfrg@ietf.org>" <cfrg@ietf.org> > Subject: [CFRG] AEAD limits > > Following up on my mostly failed attempt to raise the issue at the meeting. > > I still think we need to have, at least in an appendix, a table with > actual limits in either bytes or packets. > > Sure, this requires setting at least p and l. p can be chosen arbitrarily > (2^(-65)? 2^(-57)?), although I’d like an explanation of why a certain > number makes sense. l can be the row of the table. > > For example, for p = 2^(-65) and l=1024 we get for AES-GCM that q<=2^22, > so the table can show for this value of l 4 million packets and/or 4 GB. > For ChaCha20-Poly1305 you’d get v<=2^28 so you’d get 256 million packets or > 256 GB. With p at 2^(-57) you get other numbers. Still useful regardless > or which value of p is chosen. > > And one nit: Please change the description of p in Table 1 from > “Adversary attack probability” to “Adversary attack success probability" > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > > https://protect2.fireeye.com/v1/url?k=d31878d1-8c83419c-d318384a-86b568293eb5-e5d58f0c6ea46c4c&q=1&e=d3b7c45d-3795-4e54-888a-da4eb737f746&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- SY, Dmitry Belyavsky
- [CFRG] AEAD limits Yoav Nir
- Re: [CFRG] AEAD limits John Mattsson
- Re: [CFRG] AEAD limits Dmitry Belyavsky
- Re: [CFRG] AEAD limits John Mattsson