IETF Logo Mail Archive

Re: [Cfrg] RFCs for wider-block RC6 and OCB

Ted Krovetz <ted@krovetz.net> Sat, 03 November 2018 18:35 UTC

Return-Path: <ted@krovetz.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07044128C65 for <cfrg@ietfa.amsl.com>; Sat, 3 Nov 2018 11:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.122
X-Spam-Level:
X-Spam-Status: No, score=-1.122 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=krovetz-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BEer27E2OMUp for <cfrg@ietfa.amsl.com>; Sat, 3 Nov 2018 11:35:25 -0700 (PDT)
Received: from mail-pf1-x436.google.com (mail-pf1-x436.google.com [IPv6:2607:f8b0:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C217A126F72 for <cfrg@ietf.org>; Sat, 3 Nov 2018 11:35:25 -0700 (PDT)
Received: by mail-pf1-x436.google.com with SMTP id n11-v6so2499598pfb.6 for <cfrg@ietf.org>; Sat, 03 Nov 2018 11:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krovetz-net.20150623.gappssmtp.com; s=20150623; h=from:content-transfer-encoding:mime-version:subject:date:references :to:in-reply-to:message-id; bh=ggeZyr+CV7V8Xc35BWrB7IGaij1Gi4VtskTYw3X8hPI=; b=qMEo/IZmLeUDsK/SiG1IEeyilBApMf/c4A+AGRT0NnVANxLpP/V6Oyz27Q4dQNYbNa Ic7gBHO40yntnRSVLhTTjrE+yiCSx/aUx9CrxV+Pb19vxFf/KkUIY9VAjgfOk8kOyQX/ ZCjAzsUpepeWGlQL8j7Bt3jsqIt5j8kDoVFMGqVXGSyx5myGTkf47yIb6fSuOkMAB5UU U1QRt5VGK4hHWPO09AjaG+GKVH9ipvQa2+evkEGBSvCAWjIN/6MQxfGZClhY5tYP2ML3 +IIyRNDWts5fDwaR4iapZW975opX7r3xA1csm3UrATMrY3643af0nh/aCPc+kwqAOzGB TMPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:date:references:to:in-reply-to:message-id; bh=ggeZyr+CV7V8Xc35BWrB7IGaij1Gi4VtskTYw3X8hPI=; b=pVzZN29Hruu3xjitqtKhqChIZYkCbEK3do0i65YVJ4UOQ3yht5YcZBe3DwQmywKV/y 9P0Wegf47MZLW0SbmS9ycIXg2BSf+qHwf+TF/HKy/l8zJKQzEkgAFO8BSsPKUZ9Ygt9h VGvtzE+7Qcg8geYAbN67eDc6BR547k771vHjP87wjbYppEXsuxQ5L4okO54Ed+BK6HzI JJETqZK54BU/ednUAC3CEtozn8FDf3r/Uu3klTfBKHOQpbNMjyCvS1vX1mB+WCM3ZxDa AM7owauYU5iY/zMlV+Vo9T3C254lePbtSzcPkEM/N16KsJxIPWnjG101Wcs+6VlgTzri 64wQ==
X-Gm-Message-State: AGRZ1gKMakidrAR0/8Z+rHSCe3uwAdTZowHF8UkHWBQSybXu+zrHVENa 2f1zFQNBrx1/7Ezrre7VOEyMwzGLxuk=
X-Google-Smtp-Source: AJdET5eaG2DE1rJBjP7RIiU00zim9qmZk8taV7nFoYzMt+8WbN9MM0LkA/izoCjXqETXWPC9sbZ6Og==
X-Received: by 2002:a62:5343:: with SMTP id h64-v6mr16109618pfb.226.1541270124821; Sat, 03 Nov 2018 11:35:24 -0700 (PDT)
Received: from [192.168.1.100] (99-113-71-118.lightspeed.frokca.sbcglobal.net. [99.113.71.118]) by smtp.gmail.com with ESMTPSA id h2-v6sm22891314pfc.6.2018.11.03.11.35.23 for <cfrg@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 03 Nov 2018 11:35:24 -0700 (PDT)
From: Ted Krovetz <ted@krovetz.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\))
Date: Sat, 03 Nov 2018 11:35:22 -0700
References: <E617CD1F-AD92-42CA-B054-5CFD20AF4A6E@krovetz.net> <5ADB017E-5D48-48C9-92CB-445B7294D652@rhul.ac.uk> <855AD21F-85D0-400C-BE07-1ED585C98530@cisco.com>
To: "cfrg@ietf.org" <cfrg@ietf.org>
In-Reply-To: <855AD21F-85D0-400C-BE07-1ED585C98530@cisco.com>
Message-Id: <CE1EF44A-EA80-486A-A13E-AC9581632748@krovetz.net>
X-Mailer: Apple Mail (2.3445.101.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mwWCGBb8hmOcq1YCE-In6fCxDl0>
Subject: Re: [Cfrg] RFCs for wider-block RC6 and OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Nov 2018 18:35:28 -0000

David,

Thank you for taking the time to respond to my query about the OCB draft. I'm sorry to be so slow in answering your questions, but I was waiting to see if there were more comments.

> What is the rationale for larger-block OCB?

There are more block ciphers than those that are 128-bits and without modification OCB cannot be used with them. I don't want to speculate why someone would want to use a non-128-bit block cipher, but it seems a reasonable thing to have a good AEAD scheme available for them.

> The ocb-wideblock draft could call out the security benefits of larger block sizes more strongly, and could change the security considerations in a way that moves users away from the birthday bound.

Agreed. Whether the draft goes through CFRG or the independent stream, I'll try to improve it as you suggest.

> the security of an RC5/RC6 instantiation

The RC5/RC6 draft was mainly developed as an example for use with the OCB draft. Since there is so little cryptanalysis at nonstandard lengths, it may be more trouble than it's worth to promote the RC5/RC6 draft. If there's little or no interest in it, I'll drop the RC5/RC6 draft and find other block ciphers to be examples.

> the use of smaller block sizes should be restricted by strong guidance.


I did some of this, but will make it stronger.

-Ted



> On Oct 18, 2018, at 8:33 AM, David McGrew (mcgrew) <mcgrew@cisco.com> wrote:
> 
> Hi Ted (and Kenny),
> 
> This is an interesting research direction, though it is not yet entirely clear how the internet community would benefit from its adoption.  I have some questions and comments that are focused on usage.  
> 
> What is the rationale for larger-block OCB?  Is it intended to improve security against cryptanalytic attacks in scenarios where other AEADs are currently used?   Or to allow each individual key to be used to encrypt a much larger volume of data?   The security considerations in ocb-wideblock says "a given key should be used to encrypt at most 2^(BLOCKLEN/2-16) blocks”, so actual guidance is consistent with the latter rationale.  What are the scenarios where AEAD needs to encrypt more than 2^52 bytes with a single key, and thus BLOCKLEN > 128 is needed?   In communication security, we change keys more often than that because we can and because keys can be compromised through side channels and system security issues.  I would guess that file/data encryption scenarios are the intended target, and if that’s right, it would be worth some discussion.  
> 
> The ocb-wideblock draft could call out the security benefits of larger block sizes more strongly, and could change the security considerations in a way that moves users away from the birthday bound.  
> 
> I’m confident in the security analysis behind the ocb-wideblock draft, but the security of an RC5/RC6 instantiation of that mode depends crucially on the ability of those ciphers to look like a PRP as their block size gets larger.  The security considerations of the rc5/rc6 draft does touch on this, saying that "Each doubling of w should increase the number of rounds by four”, but it does not cite any cryptanalysis of those ciphers with larger block sizes, other than the work of the cipher design team, unless I’m missing something.  While that design team has a sterling reputation, independent analysis is important.  The RC6 cryptanalysis literature from the time of the AES competition was focused on a 128-bit block size.  The draft ought to cite a more detailed justification for the security of wider-block rc5/rc6.  
> 
> I am totally missing the rationale for using *smaller* block sizes, and I think they should be removed from the draft, unless there is some compelling use case that they are targeting.   In that event, the use of smaller block sizes should be restricted by strong guidance.   
> 
> best
> 
> David
> 
> 
> On 10/17/18, 6:07 PM, "Cfrg on behalf of Paterson, Kenny" <cfrg-bounces@irtf.org on behalf of Kenny.Paterson@rhul.ac.uk> wrote:
> 
>> Dear Ted,
>> 
>> Thanks for bringing this ID to CFRG's attention.
>> 
>> The chairs would like to encourage people to continue to express their views on whether CFRG should adopt this ID as a CFRG work item or not. People can do that on-list or privately to the chairs if they prefer.
>> 
>> Thanks,
>> 
>> Kenny (for the chairs)
>> 
>> 
>> -----Original Message-----
>> From: Cfrg <cfrg-bounces@irtf.org> on behalf of Ted Krovetz <ted@krovetz.net>
>> Date: Tuesday, 16 October 2018 at 15:03
>> To: "cfrg@ietf.org" <cfrg@ietf.org>
>> Subject: [Cfrg] RFCs for wider-block RC6 and OCB
>> 
>>   Hello,
>> 
>>   About six months ago I put together an Internet-Draft that specified how to use the authenticated-encryption algorithm OCB and a block cipher without 128-bit blocks. This was in response to a few researchers and developers who had expressed interest in such a thing. As an exemplar I wrote RC6 (and RC5) code and an Internet-Draft for block lengths other than originally intended.
>> 
>>   https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/
>>   https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/
>> 
>>   My question for CFRG is whether I should pursue these RFCs through the Independent submission channel, or whether there is interest within CFRG to review and/or sponsor the drafts.
>> 
>>   Thank you,
>>   Ted Krovetz
>>   _______________________________________________
>>   Cfrg mailing list
>>   Cfrg@irtf.org
>>   https://www.irtf.org/mailman/listinfo/cfrg
>> 
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email