Re: [Cfrg] SIV for non-AES ciphers first draft

Neil Madden <neil.e.madden@gmail.com> Mon, 26 November 2018 09:41 UTC

From: Neil Madden <neil.e.madden@gmail.com>
In-Reply-To: <A7D10A25-1DC1-4633-A745-64EF35BD1F8B@usfca.edu>
Date: Mon, 26 Nov 2018 09:41:38 +0000
Cc: cfrg@ietf.org
Message-Id: <82273196-5DAC-4127-90B2-E7C3874A84D8@gmail.com>
References: <0D91AF7A-F26F-4E20-A009-B7D75BF8107D@gmail.com> <A7D10A25-1DC1-4633-A745-64EF35BD1F8B@usfca.edu>
To: Paul Lambert <plambert@usfca.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rl3PbDjsxwd8EfLSeaR6LOAKZQ8>
Subject: Re: [Cfrg] SIV for non-AES ciphers first draft
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

I’m not wedded to HMAC-SHA256, so Blake2 is an attractive option. I went with HMAC-SHA256 because it seems good enough and fairly ubiquitous.

If we went for Blake2 then there are a number of decisions to be made:

1. Do we pick Blake2b or Blake2s? My mild preference would be for the s variant as both cipher and MAC then work well on 32-bit systems and it requires less RAM.

2. Do we go for 256-bit auth tag (as now), or take advantage of Blake2’s variable length output to produce a 192-bit tag, exactly matching the nonce required for XChaCha? A 256-bit auth tag is probably excessive for most uses.

3. Do we use Blake2’s native keyed hash support or use HMAC-Blake2? See [1] for some arguments in favour of using HMAC, but then keyed Blake2 is (presumably) faster.

[1] http://noiseprotocol.org/noise.html#hash-functions-and-hashing

— Neil

> On 26 Nov 2018, at 08:07, Paul Lambert <plambert@usfca.edu> wrote:
> 
> On the draft …
> Given the benefits of Blake2 and its similar construction to ChaCha, why not use Blake2 instead of HMAC-SHA-256?
> 
> Paul
> 
> 
>> On Nov 22, 2018, at 9:22 AM, Neil Madden <neil.e.madden@gmail.com> wrote:
>> 
>> I have now uploaded a (very rough) first draft describing how to extend the SIV mode of operation to non-AES ciphers and MACs, as previously discussed on this list.
>> 
>> The I-D is available here: https://datatracker.ietf.org/doc/draft-madden-generalised-siv/
>> The source is on Github here: https://github.com/NeilMadden/draft-madden-generalised-siv
>> 
>> Feedback welcome. Hopefully I’ve managed to wrestle xml2rfc to produce the right output.
>> 
>> Kind regards,
>> 
>> Neil Madden
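To make the three decisions above concrete, here is an added example (written for this page, not code from draft-madden-generalised-siv or from anyone in the thread) of an SIV-style AEAD in Python: a keyed BLAKE2s MAC with a 192-bit output, and that tag used directly as the 24-byte nonce of a pure-Python XChaCha20. The length-prefixed MAC input, the separate MAC and encryption keys, and the keystream counter starting at 0 are assumptions made for illustration; the draft's exact S2V-style encoding is not reproduced here.

```python
# Added example, not code from draft-madden-generalised-siv or from anyone in
# this thread. Wires together: keyed BLAKE2s (native keyed mode, not HMAC)
# with a 192-bit output, used as the 24-byte XChaCha20 nonce in SIV fashion.
# Assumptions for illustration: length-prefixed MAC input instead of the
# draft's S2V encoding, separate MAC/encryption keys, keystream counter 0.
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
TAG_LEN = 24  # 192-bit tag, the same length as the XChaCha20 nonce


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def _twenty_rounds(state):
    """20 ChaCha rounds (10 column/diagonal double rounds) over a copy of the state."""
    s = list(state)
    for _ in range(10):
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)
    return s


def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: 256-bit key, 32-bit block counter, 96-bit nonce."""
    init = (list(SIGMA) + list(struct.unpack("<8I", key))
            + [counter & MASK32] + list(struct.unpack("<3I", nonce12)))
    out = _twenty_rounds(init)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(out, init)])


def chacha20_xor(key, nonce12, data, counter=0):
    """XOR data with the ChaCha20 keystream, starting at block `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def hchacha20(key, nonce16):
    """HChaCha20 (draft-irtf-cfrg-xchacha): 20 rounds, no final addition,
    subkey = state words 0..3 and 12..15."""
    init = list(SIGMA) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    s = _twenty_rounds(init)
    return struct.pack("<8I", *(s[0:4] + s[12:16]))


def xchacha20_xor(key, nonce24, data):
    """XChaCha20: subkey from the first 16 nonce bytes, then IETF ChaCha20
    with the 12-byte nonce 0x00000000 || last 8 nonce bytes."""
    subkey = hchacha20(key, nonce24[:16])
    return chacha20_xor(subkey, b"\x00" * 4 + nonce24[16:], data)


def siv_tag(mac_key, ad, msg):
    """Keyed BLAKE2s with a 192-bit digest over length-prefixed (ad, msg), so the
    boundary between the two is unambiguous (a stand-in for S2V, not the draft's encoding)."""
    h = hashlib.blake2s(key=mac_key, digest_size=TAG_LEN)
    h.update(struct.pack("<Q", len(ad)) + ad)
    h.update(struct.pack("<Q", len(msg)) + msg)
    return h.digest()


def siv_encrypt(mac_key, enc_key, ad, plaintext):
    """tag = MAC(ad, plaintext); output = tag || XChaCha20(enc_key, nonce=tag, plaintext)."""
    tag = siv_tag(mac_key, ad, plaintext)
    return tag + xchacha20_xor(enc_key, tag, plaintext)


def siv_decrypt(mac_key, enc_key, ad, ciphertext):
    """Decrypt under the tag-as-nonce, recompute the tag over the recovered
    plaintext, compare in constant time, and only then release the plaintext."""
    if len(ciphertext) < TAG_LEN:
        raise ValueError("ciphertext too short")
    tag, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = xchacha20_xor(enc_key, tag, body)
    if not hmac.compare_digest(siv_tag(mac_key, ad, plaintext), tag):
        raise ValueError("authentication failed")
    return plaintext
```

Because the tag is a deterministic function of the key, the associated data and the plaintext, encrypting the same message twice under the same key gives the same ciphertext: that is the nonce-misuse-resistant property SIV is built for, and the only leak under nonce reuse is message equality. Note that decryption necessarily produces the plaintext before it can be authenticated, so the caller must never see it unless the tag check passes. hashlib.blake2s in keyed mode is itself the MAC here, which is the "native keyed hash" option from question 3; chacha20_block and hchacha20 can be checked against the RFC 8439 and draft-irtf-cfrg-xchacha test vectors before relying on them.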