IETF Logo Mail Archive

[CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits

Felix Günther <mail@felixguenther.info> Thu, 13 March 2025 17:27 UTC

Return-Path: <SRS0=uYn1=WA=felixguenther.info=mail@cdc02.comdc.de>
X-Original-To: cfrg@mail2.ietf.org
Delivered-To: cfrg@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 7BC2DAEAA35 for <cfrg@mail2.ietf.org>; Thu, 13 Mar 2025 10:27:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JXNZ-wY7-qua for <cfrg@mail2.ietf.org>; Thu, 13 Mar 2025 10:27:57 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de [136.243.4.87]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8A791AEAA30 for <cfrg@irtf.org>; Thu, 13 Mar 2025 10:27:57 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de.local [127.0.0.1]) by cdc02.comdc.de (Postfix) with ESMTP id 98ACA4F208A1; Thu, 13 Mar 2025 18:27:55 +0100 (CET)
Received: from [192.168.178.33] (20.202.40.145.ftth.as8758.net [145.40.202.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mail@felixguenther.info) by cdc02.comdc.de (Postfix) with ESMTPSA id 4BFE94F20839; Thu, 13 Mar 2025 18:27:55 +0100 (CET)
Message-ID: <6f6fe18e-b791-4e8b-a9ec-939be0d67f2f@felixguenther.info>
Date: Thu, 13 Mar 2025 18:27:54 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
References: <AS5PR07MB9675B4B72C3E7956A5DCA1D089CA2@AS5PR07MB9675.eurprd07.prod.outlook.com> <20250306143247.85841.qmail@cr.yp.to> <CABATvwhCiuqzXOaGzV8Q+yB88SONw5zYJMtDU9NSyLk=cpr3Ww@mail.gmail.com> <CABATvwjU=6Br5fyqS=j-2nUJxsU9LTa2PGHjviANWS40Qw5Jfg@mail.gmail.com> <CABATvwgQR64RxEyvHJGudL1KipTR4k9ZCh_TbX_Ch3oK7ZGRyQ@mail.gmail.com> <be5a2807-29a4-4e66-8ea7-cc1a5acd200f@betaapp.fastmail.com> <CABATvwjvhyzT1WN86dTf4cMaZmUj4fKw3Btgp=nrNRcoVq1n_g@mail.gmail.com>
From: Felix Günther <mail@felixguenther.info>
Autocrypt: addr=mail@felixguenther.info; keydata= xsDiBE04qkIRBADtFenVz1DuqethtPkoKAazBeKjyrr5Znbi8mQT1gOrkuli6i0/umf2uJ9V uI6NgjR0uM68UFGIHZlAoWk5Nfo8BTkYsdXl4R08pePmwRwwtq9LALZrGkeLeQtOFdLJt7G2 iQgqq2XpZc9AXW3/+j0I6MmsWMQKCkCA1s6IRLtH+wCgk85oP1adRYaEpi82Z3oG7vztEOkE AMccj8RgnjWcbB13HxxRk2C/4mgLEmCBWO3nmcCPZP5t/5GZSe7Kt5HQoygjxxcro/2e+9wF YsYwLUpHKMOjyvtcU0jLtIv0m6I+GQ3HOz89erVpa7G7EUoEsbQ7FEuyW4mVEaQZ3XE1Mxvp /3Ca1rBJjoxXhxKaDJYWsc5fdO6RA/44xXLdiE2f6NDoTJY7Z97VXUnJskpDNnwePOJyX4GT DwII2kl6JSYOAmkcOpINOSVsS0XDLZpBuKqsibUF/t53BkNfR/aF/BzIUJ5dykqrHvi75aQb ltSum1+kIo8Q6ZI+MzAAwmbqLfuRHZP5y0fjxdHLhfMrvacrNHnaoUWrVc0oRmVsaXggR8O8 bnRoZXIgPG1haWxAZmVsaXhndWVudGhlci5pbmZvPsJ8BBMRAgA8AhsjBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgBYhBCuuSm95RkYbcAFhs1KvAgDT8XAOBQJdE93OAhkBAAoJEFKvAgDT 8XAOVSwAn0QmRYzMtqFZejCnMakizqsaWHJlAJ4jR3nDqw5h3Ct4Xyz1CEQrUdJgz87DTQRN OKpCEBAA9TNoDOa0PVCAWvt9tw06MUw+D0PoAhkl1jlNEzeNatLDQqf6YehHOgtjpgA8tpul DJUq/o3NN15JsUB1el6oQje644owqhEFD8V02Ns3ZK6hGgBRGupp6RKwg70F4z4ukKwCS789 rZdwaq8t+X37NRUP41Y537kgfN2R1BFLB0A19Qb52nsaneBUSgGLXu39bxDrHounoLjMitJa 10ATRcuRny8eJzAuXI8lCURNjCPWJVjXN3gs+z6sA/ebr2inLQT66WIQZi5Q31BNyPGeaai+ 7t7IbpfkhqnbHATDq6vtM8lCem+rsYc3MtN1W4jQZ59ACI3ieu3MouMoN4W5mp0bjB6oNiO1 TTYD3ZUYBeV7ITX47lag7A9MPzBwbRGdetAN1yU5HDv7mgadei/oFlwC4/hD18kYjuHEUxKi CookZZaPQEMTKjBpHhrphSslTXl/tWmMJBoVsgedghWyf39o8ZOTBsQQ1wHwhO9Dc+fwT/Q2 Bw6jdZSzwQVJG13hg/uC6HqxhYfiKHtsiMuqnb5OIM0qkWa3Q/XtRclokk8elTjHYIIM+HBd i2xjys8D+1gVPI8s4NwPRAjc5m/kAXyzbrbg+p+ZVe3IJTE4M/heShLzsoFrZoroE2T38rvT Wsido/8zJZCxJ+JLAR8p8BYKYBJel/pHsvRFwSYbOEMAAwYP/j905vAZ/MJlLrElQ6eVwU2X IBhFmsOtQcVmh3CZw0QuXMA1AQsQe3KLLJSfBEP8Ljz8/Y9mPNu8wmvhw04Px0o7Ns6yOEuv v4CyQzaZwJGvn0lI4UajS7y4mgGFkd1AmPi1/4el9Yp4my88VlOcSe/macm4+MCIAMDegNLx JzErZgOMQJVdSz4rVYaWToTE/DVvRFkuEZgZNnvIv8G46OCZtnnRFv1XQDouxap2tO8yGBQ+ BxBZXqrXtyeVz1weOBIVHycUxi9kGRQ5M99NfrZuInR1382W9YYhqiVgvmvWEsLZFRoGrh8w 1yVkyxw6IGikWlkwq8TLGVlAiqA8AENZZ9bJJVOn57ld6Dvz8c8UvHpvSpUbt3Y3jf0GJbDn lj4v3ZrIxcI3RmUIGf0CQDSpqrUHppgKwiBPSLLRRQruGw7jzLpMqu7ar+2fhNQB3GLSmygi kdYXROfmIIq0J5g/rZLSFQ1GZmL3S8pqS9sJQh0KZEUE+1PtzAoYUYp9btR5Jo3pbyAn6M/g SNlSNDUwa2Eai6fy3fBu1KT1AYgntLzVyJr2Q/Wd85MjF/a9GI5X8lmnvPSAJ/ofSI/bRjLq yNj6frKLrztFV9ucWhKQoQd4iE9qe284KYqdQq4BZUhO4J2nl2rWbEquoFe9ACdIVBIuRoCH EUrreMG0tdymwkkEGBECAAkFAk04qkICGwwACgkQUq8CANPxcA6jYACfYd8EkV8G70iuPkyA HMZZ8W8lWUoAoJElB4EzU8opYiwQw02HRvW/qYuJ
To: Mihir Bellare <mbellare=40ucsd.edu@dmarc.ietf.org>, cfrg@irtf.org
In-Reply-To: <CABATvwjvhyzT1WN86dTf4cMaZmUj4fKw3Btgp=nrNRcoVq1n_g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Message-ID-Hash: 227NEIBN6XB33U5US73D4JVG3VVT3Z6N
X-Message-ID-Hash: 227NEIBN6XB33U5US73D4JVG3VVT3Z6N
X-MailFrom: SRS0=uYn1=WA=felixguenther.info=mail@cdc02.comdc.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [CFRG] Re: RGLC on draft-irtf-cfrg-aead-limits
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/r6CNAV2-YylAiPdoDhwyWgh4bPU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Hi,


On 2025-03-12 22:46 +0100, Mihir Bellare 
<mbellare=40ucsd.edu@dmarc.ietf.org> wrote:
>     That is, if you set a target advantage of 2^-50, then you are
>     inherently assuming that o is significantly less than 2^n*2^-50 or
>     that term would be what determines the advantage that an attacker
>     gains.  Would that sort of thing help?
> 
> 
> Fixing a particular target advantage, and hence a value of o, feels a 
> bit arbitrary and hard for non-cryptographers to understand intuitively.

Right, indeed we'll add a discussion of how offline work places an 
additional constraint on single-key limits, namely  o / 2^k.  We won't 
fix a target advantage here.  Where we discuss the specific parameters 
in the example tables (Table 2 + 3, using a 2^-50 target for 
illustration), we'll explicitly add the offline work limits this entails.


The work factor approach is interesting. Given the goal of this draft is 
to provide simple guidance for AEAD users, esp. regarding how to limit 
key usage, I think the focus should be on the bounds incurred by 
encryption/decryption queries though. Ultimately, an AEAD user cannot do 
much about the o / 2^k part(s) of a bound for an AEAD scheme, except for 
selecting a scheme with different k.


> Orthogonally I have a philosophical question. [...] what incentive do 
> individual users have to use mu limits rather than single-user ones (su) 
> ones?

That's a nice philosophical question. Indeed, a single key ("user") 
might want to be selfish. The "user" of this document would however be, 
for example, a protocol designer. When defining a protocol standard, 
"unselfish" data limits are prescribed to limit the overall protocol 
attack surface. The origins of this draft are such data limits derived 
for TLS 1.3, DTLS 1.3, and QUIC. (Possibly this translates back to your 
analogy with speed limits; if so, in Germany we don't seem to have 
gotten the idea yet.)


On 2025-03-11 12:27 +0100, Daniel J. Bernstein <djb@cr.yp.to> wrote:
> Another reason not to ignore PRF terms is that there's a fast PRF attack
> against both AES-128 and AES-256 [...]  maybe all of the cited AES bounds
> are in the part of the literature that removes the issue by starting
> with PRP instead of PRF, but this is something to check carefully [...]

Indeed all the cited AES bounds start with PRP security.


> There are quite a few proofs cited in this draft, and I wonder how
> carefully they've been reviewed

If there are any concrete concerns/corrections regarding bounds in the 
proofs cited in this draft, we can integrate them.


Regards,
Felix

v2.43.4 | Report a Bug | By Email | System Status