Re: [Cfrg] Halon's Razor -> Re: NSA sabotaging crypto standards

Paul Lambert <paul@marvell.com> Fri, 07 February 2014 21:54 UTC


Tom,

Thank you for your shameless plug... it's very interesting work. Also, my apologies for my imprecise statement about SIV. SIV is very interesting because it is NOT the conventional conservative model - it's clearly not encrypt-then-MAC. It is an excellent example of out-of-the-conventional-box thinking that would be eliminated if we create arbitrary guidelines for algorithm structure.

Do send a pointer to the list when it's posted.

Regards,

Paul

]-----Original Message-----
]From: Tom Shrimpton [mailto:teshrim@pdx.edu]
]Sent: Friday, February 07, 2014 12:24 PM
]To: Paul Lambert
]Cc: cfrg@irtf.org; Watson Ladd; Nikos Mavrogiannopoulos
]Subject: Re: [Cfrg] Halon's Razor -> Re: NSA sabotaging crypto standards
]
]
]
]On Fri Feb 7 11:54:30 2014, Paul Lambert wrote:
]>> Show me one cryptographer who recommended MAC-then-Encrypt.
]>> Also, absence of known attacks is not the same as absence of attacks.
]>> Encrypt-then-MAC was the conservative choice.
]>
]> SIV is MAC then encrypt ... in it's own unusual manner.
]As one of the designers of SIV, I have to object to saying that SIV is
]MAC-then-encrypt, even if you soften the claim with "in it's own unusual
]manner."  SIV doesn't fit into any of the traditional generic
]composition categories -- MAC-then-encrypt, encrypt-then-MAC,
]encrypt-and-MAC -- for a number of reasons.
]
]For one thing, treating the PRF output as the IV (and the transmitted
]tag!) is quite different from treating it as part of the plaintext to be
]encrypted.
]
]For another, SIV mode neither starts with, nor yields the kind of
]cryptographic object that the Bellare-Namprempre results address.
](I'm pointing to the (excellent) [BN] paper because it has significantly
]shaped the way our community thinks about building AE schemes via MtE,
]EtM and E&M.)
][BN] is about producing *probabilistic* AE schemes from *probabilistic*
]encryption, and a MAC.  But SIV is a *deterministic*, nonce-based AE
]scheme, built from an underlying *deterministic*, IV-based encryption
]scheme, and a PRF.
]
]This is something that Phil Rogaway, Chanathip Namprempre and I have
]been thinking about a lot lately -- what is the GC story when one starts
]from nonce-based or IV-based encryption, and a PRF, and wants to produce
]a nonce-based AEAD scheme?
]At Eurocrypt 2014, we'll present a paper that explores this question in
]detail.
](You can expect the full version to appear on the IACR eprint server in
]the next week or so.)
]
]Sorry if that seemed like a shameless plug, but it did seem appropriate
]to mention the upcoming paper as part of this response.
]
]Cheers,
]-Tom Shrimpton
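The composition Tom describes above (a PRF over header, nonce and plaintext whose output serves as both the IV of a deterministic IV-based encryption scheme and the transmitted tag) as an added, runnable illustration; it is not code from the thread, from the SIV paper or from RFC 5297. HMAC-SHA256 stands in for the PRF and for the IV-based cipher's keystream (the standardised SIV uses AES-CMAC S2V and AES-CTR), the 16-byte tag length, the `>I` length prefixes and the key and message values are constructed for the example.

```python
# Added example: SIV-style generic composition, stdlib only.
# HMAC-SHA256 is a stand-in for the PRF and for the keystream generator;
# RFC 5297 SIV uses AES-CMAC (S2V) and AES-CTR instead.
import hmac
import hashlib
import struct

TAG_LEN = 16  # constructed choice for this example


def prf(key: bytes, header: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Deterministic PRF over (header, nonce, plaintext). Its output is
    reused as the IV for encryption and is also the transmitted tag."""
    # Length-prefix every field so the concatenation is unambiguous.
    msg = b"".join(struct.pack(">I", len(f)) + f for f in (header, nonce, plaintext))
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def ivenc(key: bytes, iv: bytes, data: bytes) -> bytes:
    """IV-based deterministic encryption: XOR data with a keystream derived
    from (key, iv). Same function decrypts, since XOR is its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def siv_encrypt(k1: bytes, k2: bytes, header: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    tag = prf(k1, header, nonce, plaintext)  # PRF output becomes the IV ...
    return tag + ivenc(k2, tag, plaintext)   # ... and is sent as the tag


def siv_decrypt(k1: bytes, k2: bytes, header: bytes, nonce: bytes, ciphertext: bytes):
    """Returns the plaintext, or None if header, nonce or ciphertext were altered.
    The tag is checked only after decryption, unlike encrypt-then-MAC."""
    if len(ciphertext) < TAG_LEN:
        return None
    tag, body = ciphertext[:TAG_LEN], ciphertext[TAG_LEN:]
    plaintext = ivenc(k2, tag, body)
    if not hmac.compare_digest(tag, prf(k1, header, nonce, plaintext)):
        return None
    return plaintext


if __name__ == "__main__":
    k1, k2 = b"k1" * 8, b"k2" * 8  # constructed keys
    c = siv_encrypt(k1, k2, b"hdr", b"nonce", b"hello world")
    print(siv_decrypt(k1, k2, b"hdr", b"nonce", c))
```

Because the scheme is deterministic, encrypting the same (header, nonce, plaintext) twice yields the same ciphertext, so a repeated nonce leaks only message equality rather than the keystream, which is the misuse-resistance property SIV is built for.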