Re: [Cfrg] Please review/comment on draft-moskowitz-hip-new-crypto-02

John Mattsson <john.mattsson@ericsson.com> Thu, 03 October 2019 16:41 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, IRTF CFRG <cfrg@irtf.org>
Date: Thu, 03 Oct 2019 16:41:20 +0000
Message-ID: <9DEAB1F6-3BA8-4D8C-B05A-2C2021175310@ericsson.com>
References: <9d0c79d6-3e98-9e24-9c32-e57e4fb23ae0@htt-consult.com> <777D0CE8-45D8-44C5-B8C0-854E4B04812E@ericsson.com> <a6064fa5-4d23-375a-bbe6-f64f7a8c58f3@htt-consult.com>
In-Reply-To: <a6064fa5-4d23-375a-bbe6-f64f7a8c58f3@htt-consult.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/jSBNcC26Xq5G33TNP0JKKAzkocE>

Both Ketje and Keyak were in the CAESAR final round, but not chosen for the final portfolio. It is a bit disappointing that there is no report from the competition. I understand that writing reports takes time, but the lack of any reasoning behind the chosen ciphers reduces the value of the competition a bit.

Xoodyak in the NIST lightweight competition used the Xoodoo permutation, which they say is inspired by Keccak-p.

John

From: Robert Moskowitz <rgm-sec@htt-consult.com>
Date: Thursday, 3 October 2019 at 18:31
To: John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Please review/comment on draft-moskowitz-hip-new-crypto-02

I think it was Ketje as the Keccak CAESAR proposal. As I understand it, Xoodyak is the Keccak proposal in Round 2 of the NIST competition. Perhaps I need to study Xoodyak a bit more.

https://csrc.nist.gov/projects/lightweight-cryptography/round-2-candidates

On 10/3/19 12:17 PM, John Mattsson wrote:
Interesting! Specifying some AEAD based on Keccak seems to make sense.

I noted that Keyak was not chosen in the CAESAR final portfolio; does anyone know why? I cannot find any report from the CAESAR competition...

Were any Keccak-based ciphers submitted to NIST's lightweight crypto competition? If I remember correctly, NIST was previously talking about standardizing a Keccak-based AEAD, but I have not seen any info on that for a while.

Cheers,
John

From: Cfrg <cfrg-bounces@irtf.org> on behalf of Robert Moskowitz <rgm-sec@htt-consult.com>
Date: Thursday, 3 October 2019 at 17:47
To: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] Please review/comment on draft-moskowitz-hip-new-crypto-02

This draft adds support for EdDSA, EC25519/EC448, and Keccak hashes and cipher (Keyak) to HIP (RFC 7401).

The interest to this group is, I believe, that this is the 1st? major adoption of Keccak (FIPS 202, SP 800-185, and SP 800-56Cr1) in IETF drafts.

KMAC vs HMAC is perhaps the simplest change. It would seem that KMAC (SP 800-185) is more efficient than HMAC and might be of advantage in high-capacity situations.

Then there is the KDF based on SP 800-56Cr1 (called KEYMAT in HIP lingo). This is a significant change from RFC 5869 and SP 800-108. But I have assurances? that it meets the needed strength requirements.

Finally, I am perhaps 'jumping the gun' on NIST's lightweight crypto competition by specifying Keyak, but for a constrained-device developer it means one underlying engine to support.

TBD is a separate draft to amend RFC 7402 to add Keyak to HIP's use of ESP (and include diet-ESP).

The only 'hidden' gotcha is EdDSA25519 using SHA-512 rather than cSHAKE256 with 512 bits of output (see KEYMAT above). This has code-size implications for constrained-system developers. Otherwise it is all 'new' crypto.

======================================

A new version of I-D, draft-moskowitz-hip-new-crypto-02.txt
has been successfully submitted by Robert Moskowitz and posted to the
IETF repository.

Name:            draft-moskowitz-hip-new-crypto
Revision:        02
Title:           New Cryptographic Algorithms for HIP
Document date:   2019-10-03
Group:           Individual Submission
Pages:           12
URL:             https://www.ietf.org/internet-drafts/draft-moskowitz-hip-new-crypto-02.txt
Status:          https://datatracker.ietf.org/doc/draft-moskowitz-hip-new-crypto/
Htmlized:        https://tools.ietf.org/html/draft-moskowitz-hip-new-crypto-02
Htmlized:        https://datatracker.ietf.org/doc/html/draft-moskowitz-hip-new-crypto
Diff:            https://www.ietf.org/rfcdiff?url2=draft-moskowitz-hip-new-crypto-02

Abstract:
   This document provides new cryptographic algorithms to be used with
   HIP.  The Edwards Elliptic Curve and the Keccak sponge functions are
   the main focus.  The HIP parameters and processing instructions
   impacted by these algorithms are defined.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
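The original post compares KMAC with HMAC and notes that EdDSA's built-in SHA-512 is the one non-Keccak primitive left in the draft's otherwise sponge-based design. The following is an added example written for this page, not code from the draft, from HIP, or from any participant in the thread: a from-scratch Keccak-f[1600] sponge with cSHAKE256 and KMAC256 layered on it per FIPS 202 and SP 800-185, beside HMAC-SHA-512 from the standard library, so the "one underlying engine" point can be seen concretely. It assumes only the Python standard library; hashlib is used purely to cross-check the sponge against SHA3-256 and SHAKE256, and the key, message and customization string are constructed demo values.

```python
import hashlib
import hmac

_MASK = (1 << 64) - 1

def _rol(a, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((a << n) | (a >> (64 - n))) & _MASK

def _keccak_f1600(lanes):
    """Keccak-f[1600] on a 5x5 array of 64-bit lanes indexed lanes[x][y]."""
    r = 1  # LFSR state that generates the iota round constants
    for _ in range(24):
        # theta: column parities
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (lane rotations) and pi (lane permutation) in one pass
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        # chi: the non-linear row mixing
        for y in range(5):
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        # iota: add the round constant to lane (0, 0)
        for j in range(7):
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes

def _sponge(rate, data, suffix, out_len):
    """Keccak sponge: byte rate `rate`, domain byte `suffix` (pad10*1 follows it), `out_len` output bytes."""
    st = bytearray(200)

    def permute():  # state bytes -> lanes -> Keccak-f -> state bytes, lane (x,y) at byte 8*(x+5y)
        lanes = [[int.from_bytes(st[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
                  for y in range(5)] for x in range(5)]
        lanes = _keccak_f1600(lanes)
        for x in range(5):
            for y in range(5):
                st[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")

    off = block = 0
    while off < len(data):  # absorb
        block = min(len(data) - off, rate)
        for i in range(block):
            st[i] ^= data[off + i]
        off += block
        if block == rate:
            permute()
            block = 0
    st[block] ^= suffix  # domain-separation bits, then the pad10*1 final bit
    st[rate - 1] ^= 0x80
    permute()
    out = bytearray()
    while len(out) < out_len:  # squeeze
        out += st[:min(rate, out_len - len(out))]
        if len(out) < out_len:
            permute()
    return bytes(out)

# SP 800-185 section 2.3 encodings
def _enc(n):  # minimal big-endian encoding of n, at least one byte
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
def _left_encode(n): return bytes([len(_enc(n))]) + _enc(n)
def _right_encode(n): return _enc(n) + bytes([len(_enc(n))])
def _encode_string(s): return _left_encode(len(s) * 8) + s
def _bytepad(x, w):
    z = _left_encode(w) + x
    return z + b"\x00" * (-len(z) % w)

def cshake256(x: bytes, out_len: int, n: bytes = b"", s: bytes = b"") -> bytes:
    """cSHAKE256 (SP 800-185 3.3), rate 136 bytes; with empty N and S it is plain SHAKE256."""
    if not n and not s:
        return _sponge(136, x, 0x1F, out_len)
    return _sponge(136, _bytepad(_encode_string(n) + _encode_string(s), 136) + x, 0x04, out_len)

def kmac256(key: bytes, x: bytes, out_len: int, s: bytes = b"") -> bytes:
    """KMAC256 (SP 800-185 4.3): cSHAKE256 with N="KMAC", padded key first, output length last."""
    return cshake256(_bytepad(_encode_string(key), 136) + x + _right_encode(out_len * 8), out_len, b"KMAC", s)

def kmac256_verify(key: bytes, x: bytes, tag: bytes, s: bytes = b"") -> bool:
    return hmac.compare_digest(kmac256(key, x, len(tag), s), tag)  # receiver side, constant-time compare

def self_check() -> bool:
    """Cross-check the sponge against the standard library's SHA3-256 and SHAKE256."""
    return all(_sponge(136, m, 0x06, 32) == hashlib.sha3_256(m).digest()
               and cshake256(m, 200) == hashlib.shake_256(m).digest(200)
               for m in (b"", b"abc", b"x" * 300))

if __name__ == "__main__":
    key = bytes(range(0x40, 0x60))  # constructed 32-byte demo key, not a deployed secret
    msg = b"\x00\x01\x02\x03"
    tag = kmac256(key, msg, 64, b"My Tagged Application")
    print("KMAC256      :", tag.hex())
    print("HMAC-SHA-512 :", hmac.new(key, msg, "sha512").hexdigest())  # the same job with a second primitive
```

Everything above the `cshake256` line is the single Keccak engine; cSHAKE and KMAC add only the SP 800-185 string encodings and a domain-separation byte, whereas HMAC-SHA-512 brings a second compression function into the binary. The output length is bound into the KMAC input through `right_encode`, so a 32-byte tag is not a prefix of a 64-byte tag for the same key and message, which is the property that makes a truncated tag safe to verify at its own length.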
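The post also says the SP 800-56Cr1 KDF (KEYMAT) is a significant change from RFC 5869 and SP 800-108. As an added example, written for this page and not taken from the draft or from HIP, the block below implements the SP 800-56C Rev1 one-step KDF in its hash and HMAC options next to RFC 5869 HKDF, so the structural difference is visible: one-step derivation feeds the shared secret Z into every counter-prefixed block with no separate extract step, while HKDF first extracts a PRK and then chains feedback through HMAC. It assumes only the Python standard library; the KMAC option of SP 800-56C is omitted because hashlib has no KMAC, and the Z, FixedInfo and salt values are constructed (the draft's actual KEYMAT inputs are not reproduced).

```python
import hashlib
import hmac
import math
from typing import Optional

def one_step_kdf(z: bytes, fixed_info: bytes, length: int,
                 hash_name: str = "sha256", salt: Optional[bytes] = None) -> bytes:
    """SP 800-56C Rev1 section 4.1 one-step key derivation.

    Block i is H(counter || Z || FixedInfo) with a 4-byte big-endian counter
    starting at 1; blocks are concatenated and truncated to `length` bytes.
    H is the bare hash (option 1) when salt is None, otherwise HMAC-hash keyed
    with the salt (option 2).  There is no extract step: Z enters every block.
    """
    h_len = hashlib.new(hash_name).digest_size
    reps = math.ceil(length / h_len)
    if not 1 <= reps <= 2**32 - 1:
        raise ValueError("requested length out of range")
    if salt is None:
        def h(m): return hashlib.new(hash_name, m).digest()   # option 1
    else:
        def h(m): return hmac.new(salt, m, hash_name).digest()  # option 2
    blocks = (h(i.to_bytes(4, "big") + z + fixed_info) for i in range(1, reps + 1))
    return b"".join(blocks)[:length]

def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), i a single byte from 1."""
    h_len = hashlib.new(hash_name).digest_size
    n = math.ceil(length / h_len)
    if n > 255:
        raise ValueError("requested length too large for HKDF")
    okm, t = b"", b""
    for i in range(1, n + 1):
        t = hmac.new(prk, t + info + bytes([i]), hash_name).digest()
        okm += t
    return okm[:length]

def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)

if __name__ == "__main__":
    # Constructed demo inputs: in HIP, Z would be the Diffie-Hellman shared secret
    # and FixedInfo the context the draft defines for KEYMAT (not reproduced here).
    z = bytes.fromhex("0b" * 22)
    info = b"constructed-fixed-info"
    print("one-step (SHA-256):", one_step_kdf(z, info, 42).hex())
    print("one-step (HMAC)   :", one_step_kdf(z, info, 42, salt=b"constructed-salt").hex())
    print("HKDF-SHA256       :", hkdf(b"constructed-salt", z, info, 42).hex())
```

Two practical consequences follow from the structure. In the one-step KDF a longer request is a strict prefix of a shorter one with the same inputs, so an implementation must never hand out different key lengths for identical (Z, FixedInfo) pairs unless FixedInfo also encodes the purpose; HKDF has the same prefix property per `info`, which is why both standards put the output length or a label into the context. And the one-step counter is four bytes, so the 2^32-1 block limit is what bounds the output, versus HKDF's 255-block limit.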