[Cfrg] Do we need a selection contest for AEAD?

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Fri, 19 June 2020 17:32 UTC

From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Fri, 19 Jun 2020 20:32:03 +0300
Message-ID: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mMlfV3wKrcGYeHUFNzeO5jV-7y8>

Dear CFRG,

The chairs would like to ask for opinions on whether it seems reasonable to
initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes
and recommend a mode (or several modes) for the IETF.

We’ve recently had a CAESAR contest, and, of course, its results have to be
taken into account very seriously. In addition to the properties that were
primarily addressed during the CAESAR contest (like protection against
side-channel attacks, authenticity/limited privacy damage in case of nonce
misuse or release of unverified plaintexts, robustness in such scenarios as
huge amounts of data), the following properties may be especially important
for the usage of AEAD mechanisms in IETF protocols:
1) Leakage resistance.
2) Incremental AEAD.
3) Commitment AEAD (we had a discussion on the list a while ago).
4) RUP-security (it was discussed in the CAESAR contest, but the finalists
may have some issues with it, as far as I understand).
5) Ability to safely encrypt a larger maximum number of bytes per key
(discussed in QUIC WG).

Does this look reasonable?
Any thoughts about the possible aims of the contest?
Any other requirements for the mode?

Regards,
Stanislav, Alexey, Nick