[Cfrg] Do we need a selection contest for AEAD?
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 19 June 2020 17:32 UTC
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Fri, 19 Jun 2020 20:32:03 +0300
Message-ID: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mMlfV3wKrcGYeHUFNzeO5jV-7y8>

Dear CFRG,

The chairs would like to ask for opinions whether it seems reasonable to initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes and recommend a mode (or several modes) for the IETF.

We’ve recently had a CAESAR contest, and, of course, its results have to be taken into account very seriously. In addition to the properties that were primarily addressed during the CAESAR contest (like protection against side-channel attacks, authenticity/limited privacy damage in case of nonce misuse or release of unverified plaintexts, robustness in such scenarios as huge amounts of data), the following properties may be especially important for the usage of AEAD mechanisms in IETF protocols:

1) Leakage resistance.
2) Incremental AEAD.
3) Commitment AEAD (we've had a discussion in the list a while ago).
4) RUP-security (it was discussed in the CAESAR contest, but the finalists may have some issues with it, as far as I understand).
5) Ability to safely encrypt a larger maximum number of bytes per key (discussed in QUIC WG).

Does this look reasonable? Any thoughts about the possible aims of the contest? Any other requirements for the mode?

Regards,
Stanislav, Alexey, Nick