Re: [Cfrg] Do we need a selection contest for AEAD?
Thomas Peyrin <thomas.peyrin@gmail.com> Fri, 19 June 2020 18:17 UTC
References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com> <CAA0wV7TXftZXeteCy3=N_4ezXRTL852_R1kCCPYGFEhQNHGw2Q@mail.gmail.com> <4CFDB50C-6281-4AC8-A9DF-D0F79BF58C5C@ll.mit.edu>
In-Reply-To: <4CFDB50C-6281-4AC8-A9DF-D0F79BF58C5C@ll.mit.edu>
From: Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Sat, 20 Jun 2020 02:17:07 +0800
Message-ID: <CAA0wV7SjS8OA+QEPN6Dip09Y2Sp5=4WJkTVkRa2O0gnZf_m54w@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
Dear Uri,

Yes. We recommend using a tag size of 128 bits for our mode, but in case a smaller tag size \tau is required, the security claims will drop according to \tau.

Regards,

Thomas.

---------- Forwarded message ---------
From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Date: Sat, 20 Jun 2020 at 01:51
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
To: Thomas Peyrin <thomas.peyrin@gmail.com>, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>

Can you provide/compute security bounds for truncated synthetic IV? Some (niche) use cases require it.

From: Cfrg <cfrg-bounces@irtf.org> on behalf of Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Friday, June 19, 2020 at 1:47 PM
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?

Dear all,

I will actually be sending an RFC draft of Deoxys in the coming weeks, as I promised a few months ago (really sorry; with the COVID-19 confinement with young kids at home, I couldn't advance on it). It will contain a misuse-resistant mode (with stronger guarantees than AES-GCM-SIV), a leakage-resilient mode with different levels of resilience, and the possibility to encrypt 2^124 bytes per key. We are currently analyzing the INT-RUP security of it. All this for about the same efficiency as AES-GCM-SIV.

Regards,

Thomas.

On Sat, 20 Jun 2020 at 01:32, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:

Dear CFRG,

The chairs would like to ask for opinions on whether it seems reasonable to initiate an AEAD mode selection contest in CFRG, to review modern AEAD modes and recommend a mode (or several modes) for the IETF. We've recently had a CAESAR contest, and, of course, its results have to be taken into account very seriously.

In addition to the properties that were primarily addressed during the CAESAR contest (like protection against side-channel attacks, authenticity/limited privacy damage in case of nonce misuse or release of unverified plaintexts, robustness in such scenarios as huge amounts of data), the following properties may be especially important for the usage of AEAD mechanisms in IETF protocols:

1) Leakage resistance.
2) Incremental AEAD.
3) Commitment AEAD (we've had a discussion on the list a while ago).
4) RUP-security (it was discussed in the CAESAR contest, but the finalists may have some issues with it, as far as I understand).
5) Ability to safely encrypt a larger maximum number of bytes per key (discussed in the QUIC WG).

Does this look reasonable? Any thoughts about the possible aims of the contest? Any other requirements for the mode?

Regards,
Stanislav, Alexey, Nick