[CFRG] Comments on draft-irtf-cfrg-aead-properties-09.txt

"MINEMATSU KAZUHIKO(峯松 一彦)" <k-minematsu@nec.com> Tue, 04 February 2025 08:08 UTC

CC: "INOUE AKIKO(井上 明子)" <a_inoue@nec.com>, IWATA Tetsu <iwata.tetsu.f6@f.mail.nagoya-u.ac.jp>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/r9FhSuBxEAQcBSCjCBLDrviDWiA>

Dear all,

We recently learned about the I-D on AEAD
(draft-irtf-cfrg-aead-properties-09) and found it quite relevant in
practice. 
As we published a paper on robustness of common AEs ([IIM25], will appear at
CT-RSA 2025), we would like to share our comments on the draft.  

In [IIM25], Table 1 provides a comprehensive view on nonce-misuse or RUP
security of GCM/CCM/OCB(3), which would be helpful to improve Sections 4.3.7
and 4.3.10 of the draft. Concretely: 
1. Sect 4.3.7, Nonce-misuse resilience confidentiality (NML-Priv in our
paper): it holds for GCM but only with 96-bit nonce. This was shown by
[ADL17]. Our paper shows that CCM has NML-Priv.
2. Sect 4.3.7, Nonce-misuse resistance (NMR in our paper): NMR could be
further classified into confidentiality (privacy) and authenticity as the
draft did for NML. Then we have two notions, Nonce-misuse resistance
confidentiality/privacy (NMR-Priv) and Nonce-misuse resistance
authenticity/integrity (NMR-Auth). [IIM25] shows that CCM has NMR-Auth (even
stronger; see below).
3. Sect 4.3.10: INT-RUP could be classified into the cases where nonce may
be repeated or not. We can also consider combined notions such as NMR +
INT-RUP. 
[IIM25] shows that
- GCM has plain INT-RUP (i.e. nonce does not repeat in encryption queries)
- CCM has NMR-INT-RUP (i.e. nonce may repeat at any query).

As a side note, at Sect 4.4.2 (Inverse-Free), OCB was listed as an example,
which is not correct. If you mean an inverse-free OCB-like parallel AE mode,
OTR [Min14] would be the right one here. 
Moreover, COFB [CIMN17], the base scheme of a NIST LwC finalist GIFT-COFB,
is an inverse-free serial AE mode enabling smaller state than OCB/OTR. 

We hope these comments will help improve the draft.

Best regards,
Akiko Inoue
Tetsu Iwata
Kazuhiko Minematsu


[IIM25] Comprehensive Robustness Analysis of GCM, CCM, and OCB3, Akiko
Inoue, Tetsu Iwata and Kazuhiko Minematsu
https://eprint.iacr.org/2024/1339 (to appear at CT-RSA 2025)

[Min14] Parallelizable Rate-1 Authenticated Encryption from Pseudorandom
Functions, Kazuhiko Minematsu. EC 2014
https://eprint.iacr.org/2013/628

[CIMN17] Blockcipher-based Authenticated Encryption: How Small Can We Go?,
Avik Chakraborti, Tetsu Iwata, Kazuhiko Minematsu, and Mridul Nandi, CHES
2017. 
https://eprint.iacr.org/2017/649