Re: [Cfrg] Do we need a selection contest for AEAD?

Thomas Peyrin <thomas.peyrin@gmail.com> Fri, 19 June 2020 18:17 UTC

References: <CAMr0u6=QJuG9mshppB6qeryk6qekVKgi9D=WqGoa_L4sNgtYLg@mail.gmail.com> <CAA0wV7TXftZXeteCy3=N_4ezXRTL852_R1kCCPYGFEhQNHGw2Q@mail.gmail.com> <4CFDB50C-6281-4AC8-A9DF-D0F79BF58C5C@ll.mit.edu>
In-Reply-To: <4CFDB50C-6281-4AC8-A9DF-D0F79BF58C5C@ll.mit.edu>
From: Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Sat, 20 Jun 2020 02:17:07 +0800
Message-ID: <CAA0wV7SjS8OA+QEPN6Dip09Y2Sp5=4WJkTVkRa2O0gnZf_m54w@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/oP7g4WT7bB_X2VXe7_YFfHV_Zzg>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?

Dear Uri,

Yes. We recommend using a tag size of 128 bits for our mode, but in case a
smaller tag size \tau is required, the security claims will drop according
to \tau.

Regards,

Thomas.
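
The point above, that a truncated tag weakens the bounds in proportion to \tau, is easiest to see on a synthetic-IV mode, where the tag is also the IV. The following is an added toy illustration, not Deoxys and not code from anyone in this thread: it builds a generic SIV construction (MAC-then-CTR, both instantiated with HMAC-SHA256 as a stand-in PRF) with a configurable tag length, and computes the two generic bounds that shrink with \tau: the forgery probability after q verification queries (about q/2^\tau) and the birthday probability that two synthetic IVs collide among q encryptions (about q^2/2^(\tau+1)), which in an SIV mode also costs confidentiality. Key and message values are constructed here; the bounds are the generic ones, not the claims of any particular mode.

```python
import hmac
import hashlib


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the mode's PRF/MAC (toy choice, not Deoxys)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(nonce: bytes, ad: bytes, msg: bytes) -> bytes:
    """Length-prefix each field so different (nonce, ad, msg) triples never collide."""
    out = b""
    for field in (nonce, ad, msg):
        out += len(field).to_bytes(8, "big") + field
    return out


def _keystream_xor(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Counter mode on top of the PRF: keystream block i = PRF(enc_key, iv || i)."""
    out = bytearray()
    block_len = hashlib.sha256().digest_size
    for i in range((len(data) + block_len - 1) // block_len):
        block = _prf(enc_key, iv + i.to_bytes(4, "big"))
        chunk = data[i * block_len:(i + 1) * block_len]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def _check_tau(tau_bits: int) -> int:
    """Tag length in bytes; whole bytes only, and never more than the PRF output."""
    if tau_bits % 8 or not 8 <= tau_bits <= 256:
        raise ValueError("tau must be a multiple of 8 between 8 and 256 bits")
    return tau_bits // 8


def siv_encrypt(mac_key, enc_key, nonce, ad, plaintext, tau_bits=128):
    """Returns synthetic IV (= tag truncated to tau bits) || ciphertext."""
    n = _check_tau(tau_bits)
    iv = _prf(mac_key, _encode(nonce, ad, plaintext))[:n]
    return iv + _keystream_xor(enc_key, iv, plaintext)


def siv_decrypt(mac_key, enc_key, nonce, ad, ciphertext, tau_bits=128):
    """Returns the plaintext, or None when the truncated tag does not verify."""
    n = _check_tau(tau_bits)
    if len(ciphertext) < n:
        return None
    iv, ct = ciphertext[:n], ciphertext[n:]
    plaintext = _keystream_xor(enc_key, iv, ct)
    expected = _prf(mac_key, _encode(nonce, ad, plaintext))[:n]
    # constant-time comparison: a truncated tag is no excuse for a timing leak
    if not hmac.compare_digest(iv, expected):
        return None
    return plaintext


def forgery_bound(tau_bits, verification_queries):
    """Generic bound: each of q verification queries succeeds with probability 2^-tau."""
    return min(1.0, verification_queries / 2.0 ** tau_bits)


def iv_collision_bound(tau_bits, encryption_queries):
    """Birthday bound q(q-1)/2^(tau+1) on two synthetic IVs colliding among q
    encryptions; in SIV a repeated IV under one key repeats the keystream."""
    q = encryption_queries
    return min(1.0, q * (q - 1) / 2.0 ** (tau_bits + 1))


if __name__ == "__main__":
    # constructed keys and data, for demonstration only
    mk, ek = b"\x01" * 32, b"\x02" * 32
    for tau in (128, 64, 32):
        c = siv_encrypt(mk, ek, b"nonce-1", b"hdr", b"meet at noon", tau)
        ok = siv_decrypt(mk, ek, b"nonce-1", b"hdr", c, tau) == b"meet at noon"
        print(f"tau={tau:3d} roundtrip={ok} "
              f"forgery(q=2^32)={forgery_bound(tau, 2**32):.3g} "
              f"iv-collision(q=2^32)={iv_collision_bound(tau, 2**32):.3g}")
```

Running the demo shows the trade-off Thomas describes: at \tau = 128 both bounds stay negligible for 2^32 queries, at \tau = 64 the forgery bound is already 2^-32, and at \tau = 32 both bounds are saturated, so a deployment that truncates must budget its verification and encryption counts against \tau rather than against the 128-bit figure.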


---------- Forwarded message ---------
From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Date: Sat. 20 June 2020 at 01:51
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
To: Thomas Peyrin <thomas.peyrin@gmail.com>, Stanislav V. Smyshlyaev <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>


Can you provide/compute security bounds for truncated synthetic IV?  Some
(niche) use cases require it.



From: Cfrg <cfrg-bounces@irtf.org> on behalf of Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Friday, June 19, 2020 at 1:47 PM
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?



Dear all,



I will actually be sending an RFC draft of Deoxys in the coming weeks, as
I promised a few months ago (really sorry; with the COVID-19 confinement and
young kids at home, I couldn't advance on it). It will contain a misuse
resistant mode (with stronger guarantees than AES-GCM-SIV), a leakage
resilient mode with different levels of resilience, and the possibility to
encrypt 2^124 bytes per key. We are currently analyzing the INT-RUP
security of it. All this for about the same efficiency as AES-GCM-SIV.



Regards,



Thomas.





On Sat. 20 June 2020 at 01:32, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:

Dear CFRG,

The chairs would like to ask for opinions whether it seems reasonable to
initiate an AEAD mode selection contest in CFRG, to review
modern AEAD modes and recommend a mode (or several modes) for the IETF.

We’ve recently had a CAESAR contest, and, of course, its results have to be
taken into account very seriously. In addition to the properties that were
primarily addressed during the CAESAR contest (like protection against
side-channel attacks, authenticity/limited privacy damage in case of nonce
misuse or release of unverified plaintexts, robustness in such scenarios as
huge amounts of data), the following properties may be especially important
for the usage of AEAD mechanisms in IETF protocols:

1) Leakage resistance.
2) Incremental AEAD.
3) Commitment AEAD (we've had a discussion in the list a while ago).
4) RUP-security (it was discussed in the CAESAR contest, but the finalists
may have some issues with it, as far as I understand).
5) Ability to safely encrypt a larger maximum number of bytes per key
(discussed in QUIC WG).


Does this look reasonable?
Any thoughts about the possible aims of the contest?
Any other requirements for the mode?

Regards,

Stanislav, Alexey, Nick

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg