Re: [Cfrg] Kravatte-SANSE
Gilles Van Assche <gilles.vanassche@st.com> Tue, 06 November 2018 17:16 UTC
Return-Path: <gilles.vanassche@st.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B5D7130DE7 for <cfrg@ietfa.amsl.com>; Tue, 6 Nov 2018 09:16:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Level:
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_DYNAMIC=1.999, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbXWnR7axbsy for <cfrg@ietfa.amsl.com>; Tue, 6 Nov 2018 09:15:59 -0800 (PST)
Received: from mx07-00178001.pphosted.com (mx07-00178001.pphosted.com [62.209.51.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28F4212F1AB for <cfrg@irtf.org>; Tue, 6 Nov 2018 09:15:58 -0800 (PST)
Received: from pps.filterd (m0046037.ppops.net [127.0.0.1]) by mx07-.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id wA6HF17Y017565; Tue, 6 Nov 2018 18:15:56 +0100
Received: from beta.dmz-eu.st.com (beta.dmz-eu.st.com [164.129.1.35]) by mx07-00178001.pphosted.com with ESMTP id 2nh2ax0m2t-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 06 Nov 2018 18:15:56 +0100
Received: from zeta.dmz-eu.st.com (zeta.dmz-eu.st.com [164.129.230.9]) by beta.dmz-eu.st.com (STMicroelectronics) with ESMTP id A40C534; Tue, 6 Nov 2018 17:15:55 +0000 (GMT)
Received: from Webmail-eu.st.com (sfhdag6node2.st.com [10.75.127.17]) by zeta.dmz-eu.st.com (STMicroelectronics) with ESMTP id 21D9CA592; Tue, 6 Nov 2018 17:15:55 +0000 (GMT)
Received: from [10.137.2.67] (10.75.127.50) by SFHDAG6NODE2.st.com (10.75.127.17) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 6 Nov 2018 18:15:54 +0100
To: Russ Housley <housley@vigilsec.com>
CC: IRTF CFRG <cfrg@irtf.org>
References: <42866222-0a32-28df-665c-ad916e69c2a3@st.com> <78385742-DE3F-40F3-9D2D-9A7F78B9FD21@vigilsec.com>
From: Gilles Van Assche <gilles.vanassche@st.com>
Openpgp: preference=signencrypt
Autocrypt: addr=gilles.vanassche@st.com; keydata= xsDiBD8SkBwRBADFdM4ygHSMHFx6T5i2h1kJYurvDCbak3XS/+n6xLU6MXePU3PD6Onpuc9g 2lEFnVko+SrjK0+2VJOdwd5tDel1EkAVEwbB8mDNDaxyalhiLw7CQEgZVpFGgMOaFiUPUhYZ KwwkzKf9IDb5uG+DmUTSNBBBNohnhSDo9ZHxZejNPQCg/7Wg+vfKwyrniTAVOwmyzh86FgcD /RZrWc9oqkbwhJGiRtGZyZuARtDvWxwFs35UfbySbiBRrhHNezR+0XP2iI2bOSCNr2k2pP0r WA7UgQ1x/RQ+D9Abgd/P2fFSgaodKQ3MjPoKo8FS0yAMFt7crOaRQm/IuHauUXWfw4VyeXcG gKm1sMV9ApK0Xh0NLERJ9F5FtQRaA/42+3Np6IRPEqRAlyg1uAJzBa7QAXd1QTWxkzEImHvr w1Xdvo6OYNnOPe8XVoMjdY3BaZ/arKmeyScsEKczeWqNXuIPhCYo24sRw0Ug2ztnUZzyhkHQ I4BAo7uP0KC84SzTBR4ZEHZ4NJe8szxCE29DbgJ7w82WEN8fq1pytxZ2Ms0rR2lsbGVzIFZh biBBc3NjaGUgPGdpbGxlcy52YW5hc3NjaGVAc3QuY29tPsK3BBARAgB3BQJYpYPyFwoAAYAl 4V1V5bnd3l+yv2GEFv/VwMI2IBQAAAAAABYAAWtleS11c2FnZS1tYXNrQHBncC5jb22NCAsJ CAcDAgEKAhkBFhhsZGFwOi8vcGdwLXNtZC5zdC5jb20FGwMAAAADFgIBBR4BAAAABBUICQoA CgkQc/9XCxoSKFjLDwCfQM7xiXDWVlNoNoyBQMi/kEYG6oQAnifl72lD+g5rmSxgjML5t9Pi w66rzsFNBD8SkBwQCAD2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz 0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24rnRPxfx2vIPF RzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhOSdvNILSd5JEHNmszbDgN RR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgR jXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpMgs7 AAICCACzlrAg+Re240hxYkSqg8XOPMsVA7LUu+ukInygJM20pTY0y9mVl4JxNucTnsa98Y5k umgx5f2kvoWIWyo7iTFVebFJd/DUW7TGtnwt6fM+yvGReh3HfrIvjnogkSD09stPCsqMrASn He7wFwrKlBKNC1ePdKtk6BUyrjjbNFgLXak3E9A4ISXV31c43iRz/y2GNg8GljbnKwyyBgsx +oHIqiyz3S0lsFqHhkocYQrobm1HIAGCZsKSIIGQRVtNijq+4gxG/dnD2RlLHCoQEk6vdsmg EOvD3Ylqk85j2VV9gdnVWDbCZeo+RmX4ZzOc5JA0e/rCh2H8VS+WDdmNo+fowkwEGBECAAwF Aj8SkBwFGwwAAAAACgkQc/9XCxoSKFjvmgCfYxaz3jP35HUmtYu5DSH+fktMwuQAoMitXa0b 5wlXzvzHaXtqpPhetYjM
Message-ID: <502c954e-3484-ffff-662b-a1833bf633c0@st.com>
Date: Tue, 06 Nov 2018 18:17:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <78385742-DE3F-40F3-9D2D-9A7F78B9FD21@vigilsec.com>
Content-Type: multipart/alternative; boundary="------------C976C46F89C8EF3BBEDADDB0"
Content-Language: en-US
X-Originating-IP: [10.75.127.50]
X-ClientProxiedBy: SFHDAG6NODE3.st.com (10.75.127.18) To SFHDAG6NODE2.st.com (10.75.127.17)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-11-06_08:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/o-62rw_LG_Beh5En7ihlkOditLI>
Subject: Re: [Cfrg] Kravatte-SANSE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 17:16:03 -0000
Hi Russ, The tag authenticates the exact sequence, so any missing or reordered message will cause a mismatch. I guess the best is to use sessions on top of a layer that handles the delivery of messages. A possible way to use sessions is to authenticate the exchange between a client and a server, where they take turns as sender/receiver. If the client sends a request to the server, the tag on the server's reply automatically binds it to the client's request. Then, even a simple confirmation from the server cannot be replayed on another request. Kind regards, Gilles On 4/11/18 01:57, Russ Housley wrote: > Gilles: > > I am interesting in the property that "each tag authenticates all > messages already sent so far in the session". I have not had an > opportunity to review the references provided. Does this mechanism > work even if some of the messages are not delivered? > > Russ > > >> *From: *Gilles Van Assche <gilles.vanassche@st.com >> <mailto:gilles.vanassche@st.com>> >> *Subject: **[Cfrg] Kravatte-SANSE* >> *Date: *November 2, 2018 at 8:52:21 AM EDT >> *To: *<cfrg@irtf.org <mailto:cfrg@irtf.org>> >> >> (sorry, with the correct subject this time…) >> >> Dear all, >> >> On a related note, we published at ToSC last year (and presented at FSE >> 2018) the Kravatte pseudo-random function [1], to which an SIV mode can >> be attached. More specifically, we recently specified the SIV-based >> authenticated encryption scheme Kravatte-SANSE [2]. As a feature, it >> also supports sessions, for use cases where multiple messages are >> exchanged and where each tag authenticates all messages already sent so >> far in the session. >> >> This function is based on the 6-round Keccak-p permutation and performs >> well in software without AES hardware acceleration. For instance, >> Kravatte-SANSE processes plaintext and metadata at 1.32 cycles/byte on >> Skylake and at 0.84 c/b on SkylakeX processors. >> >> Would this be of interest to CFRG? >> >> Kind regards, >> Guido, Joan, Seth, Michaël, Gilles and Ronny >> >> [1] https://tosc.iacr.org/index.php/ToSC/article/view/855 >> [2] https://keccak.team/2018/kravatte_sane_sanse.html >> >> >> On 4/10/18 12:12, Neil Madden wrote: >>> Hi, >>> >>> I am interested in adapting the SIV construction to other ciphers >>> and MAC algorithms. As currently specified in RFC 5297, the mode is >>> only defined for a MAC (AES-CMAC) that produces a 128-bit tag >>> length. Furthermore, it assumes that the tag length is exactly the >>> same as the nonce/IV required by the cipher (i.e., also 128-bits for >>> AES-CTR). This restriction to limit the authentication strength of >>> the AEAD based on the length of the required nonce for >>> confidentiality seems somewhat artificial to me. >>> >>> As a concrete example, I am interested in SIV constructions based on >>> XSalsa20 (or XChaCha20 as recently proposed on this list) together >>> with some keyed hash MAC, such as HMAC-SHA256 or Blake2. XSalsa20 >>> requires a nonce of 192-bits, while HMAC-SHA256 produces a MAC tag >>> of 256 bits. I have a draft recommending MRAE modes for JOSE, and >>> would like to include one non-AES algorithm that can be implemented >>> well in software on platforms without AES hardware acceleration. >>> >>> I believe that there are just two adaptions needed to make this work: >>> >>> 1. Adjusting the conditional XOR constant used in the doubling >>> operation in s2v (https://tools.ietf.org/html/rfc5297#section-2.3) >>> to account for other field sizes. >>> 2. Defining the nonce used as input to the cipher as the left-most n >>> bits of the authentication tag returned from s2v, where n is the >>> size of the nonce required by the cipher (i.e., the full tag is >>> output, but a truncation of it is used as the nonce). >>> >>> For step 1, based on the comments in [1] and the table of primitive >>> polynomials from [2], I think the polynomials and corresponding >>> constants to use for different values of n (bit length of MAC >>> output) are: >>> >>> n = 128 gives x^128 + x^7 + x^2 + x + 1 and constant = >>> 0^{120}10000111 (= 0x87 with leading 0s) >>> n = 192 gives x^192 + x^7 + x^2 + x + 1 and constant = >>> 0^{184}10000111 (= 0x87 with more leading 0s) >>> n = 256 gives x^256 + x^10 + x^5 + x^2 + 1 and constant = >>> 0^{245}10000100101 (= 0x00..0425) >>> >>> Is this something that CFRG might support if I submitted a draft? >>> >>> Regards, >>> >>> Neil >>> >>> [1]: http://web.cs.ucdavis.edu/~rogaway/papers/siv.pdf >>> [2]: >>> http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.365.1806&rep=rep1&type=pdf >>> _______________________________________________ >>> Cfrg mailing list >>> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >>> https://www.irtf.org/mailman/listinfo/cfrg >>> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org <mailto:Cfrg@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] Extending SIV to other ciphers and MAC alg… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… John Mattsson
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Paterson, Kenny
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Alexandre Anzala-Yamajako
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Tony Arcieri
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… Neil Madden
- Re: [Cfrg] Extending SIV to other ciphers and MAC… John Mattsson
- [Cfrg] Farfalle-SANSE Gilles Van Assche
- [Cfrg] Kravatte-SANSE Gilles Van Assche
- Re: [Cfrg] Kravatte-SANSE Russ Housley
- Re: [Cfrg] Kravatte-SANSE Gilles Van Assche
- Re: [Cfrg] Farfalle-SANSE Nick Sullivan
- Re: [Cfrg] Kravatte-SANSE Gilles Van Assche