Re: [Cfrg] RFCs for wider-block RC6 and OCB
"David McGrew (mcgrew)" <mcgrew@cisco.com> Thu, 18 October 2018 15:33 UTC
Return-Path: <mcgrew@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F16B9120072 for <cfrg@ietfa.amsl.com>; Thu, 18 Oct 2018 08:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.565
X-Spam-Level:
X-Spam-Status: No, score=-14.565 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.064, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B87GGB0eqWKx for <cfrg@ietfa.amsl.com>; Thu, 18 Oct 2018 08:33:12 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBDF6128CB7 for <cfrg@ietf.org>; Thu, 18 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5778; q=dns/txt; s=iport; t=1539876791; x=1541086391; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=DDP2jshowoUq7uQRVk1cnMow/IWXX1iPnZlWWPjJ6Kw=; b=TKsqoH5vJnbvWTLWakiWuv8S9CxF1dQ2cbD/qtwmf19UMUBCOpAWFvmU wGXbfeFyRFqT8E6CTHoKUBimszBDt10WhGrFVKxWz7mQS5UgCWoNBoMWU XWehgzvnK04saf9DGbX4a+JOlGlpt8tq/u+JhMddWRs9jCEXvh6UD0fIq o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAADApshb/4cNJK1kGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgVoqZn8oCoNriBeMG4INepYVFIFmCwEBGAuESQIXhGwhNA0NAQMBAQIBAQJtHAyFOQEBAQEDAQEhEToLDAQCAQgRAwECAwImAgICJQsVCAgCBAENBRSCQUsBggEPpj+BLoQ+Pz2EYgWBC4hwH4EVHheCAIERJx+CFwcugxsBAQMBgSEEIBiDAzGCJgKGOYJaixuKCgkChlmGMINcF4prhTyMTIlRAhEUgSYdOIFVcBU7KgGCQYIjGohbhT5viiGBHwEB
X-IronPort-AV: E=Sophos;i="5.54,396,1534809600"; d="scan'208";a="465050322"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Oct 2018 15:33:10 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id w9IFXAXh007270 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 18 Oct 2018 15:33:10 GMT
Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 18 Oct 2018 10:33:09 -0500
Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1395.000; Thu, 18 Oct 2018 10:33:09 -0500
From: "David McGrew (mcgrew)" <mcgrew@cisco.com>
To: Ted Krovetz <ted@krovetz.net>, "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] RFCs for wider-block RC6 and OCB
Thread-Index: AQHUZVj9mIj2A7KqRkqyJIg5fBWb6aUkVNqAgADg9oA=
Date: Thu, 18 Oct 2018 15:33:09 +0000
Message-ID: <855AD21F-85D0-400C-BE07-1ED585C98530@cisco.com>
References: <E617CD1F-AD92-42CA-B054-5CFD20AF4A6E@krovetz.net> <5ADB017E-5D48-48C9-92CB-445B7294D652@rhul.ac.uk>
In-Reply-To: <5ADB017E-5D48-48C9-92CB-445B7294D652@rhul.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.114.52]
Content-Type: text/plain; charset="utf-8"
Content-ID: <633421FA4FA4AC4F9208A152E67E7898@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/uYmkMUDH9BONwT_IqWS3q_alCY0>
Subject: Re: [Cfrg] RFCs for wider-block RC6 and OCB
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Oct 2018 15:33:14 -0000
Hi Ted (and Kenny), This is an interesting research direction, though it is not yet entirely clear how the internet community would benefit from its adoption. I have some questions and comments that are focused on usage. What is the rationale for larger-block OCB? Is it intended to improve security against cryptanalytic attacks in scenarios where other AEADs are currently used? Or to allow each individual key to be used to encrypt a much larger volume of data? The security considerations in ocb-wideblock says "a given key should be used to encrypt at most 2^(BLOCKLEN/2-16) blocks”, so actual guidance is consistent with the latter rationale. What are the scenarios where AEAD needs to encrypt more than 2^52 bytes with a single key, and thus BLOCKLEN > 128 is needed? In communication security, we change keys more often than that because we can and because keys can be compromised through side channels and system security issues. I would guess that file/data encryption scenarios are the intended target, and if that’s right, it would be worth some discussion. The ocb-wideblock draft could call out the security benefits of larger block sizes more strongly, and could change the security considerations in a way that moves users away from the birthday bound. I’m confident in the security analysis behind the ocb-wideblock draft, but the security of an RC5/RC6 instantiation of that mode depends crucially on the ability of those ciphers to look like a PRP as their block size gets larger. The security considerations of the rc5/rc6 draft does touch on this, saying that "Each doubling of w should increase the number of rounds by four”, but it does not cite any cryptanalysis of those ciphers with larger block sizes, other than the work of the cipher design team, unless I’m missing something. While that design team has a sterling reputation, independent analysis is important. The RC6 cryptanalysis literature from the time of the AES competition was focused on a 128-bit block size. The draft ought to cite a more detailed justification for the security of wider-block rc5/rc6. I am totally missing the rationale for using *smaller* block sizes, and I think they should be removed from the draft, unless there is some compelling use case that they are targeting. In that event, the use of smaller block sizes should be restricted by strong guidance. best David On 10/17/18, 6:07 PM, "Cfrg on behalf of Paterson, Kenny" <cfrg-bounces@irtf.org on behalf of Kenny.Paterson@rhul.ac.uk> wrote: >Dear Ted, > >Thanks for bringing this ID to CFRG's attention. > >The chairs would like to encourage people to continue to express their views on whether CFRG should adopt this ID as a CFRG work item or not. People can do that on-list or privately to the chairs if they prefer. > >Thanks, > >Kenny (for the chairs) > > >-----Original Message----- >From: Cfrg <cfrg-bounces@irtf.org> on behalf of Ted Krovetz <ted@krovetz.net> >Date: Tuesday, 16 October 2018 at 15:03 >To: "cfrg@ietf.org" <cfrg@ietf.org> >Subject: [Cfrg] RFCs for wider-block RC6 and OCB > > Hello, > > About six months ago I put together an Internet-Draft that specified how to use the authenticated-encryption algorithm OCB and a block cipher without 128-bit blocks. This was in response to a few researchers and developers who had expressed interest in such a thing. As an exemplar I wrote RC6 (and RC5) code and an Internet-Draft for block lengths other than originally intended. > > https://datatracker.ietf.org/doc/draft-krovetz-ocb-wideblock/ > https://datatracker.ietf.org/doc/draft-krovetz-rc6-rc5-vectors/ > > My question for CFRG is whether I should pursue these RFCs through the Independent submission channel, or whether there is interest within CFRG to review and/or sponsor the drafts. > > Thank you, > Ted Krovetz > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > > >_______________________________________________ >Cfrg mailing list >Cfrg@irtf.org >https://www.irtf.org/mailman/listinfo/cfrg
- [Cfrg] RFCs for wider-block RC6 and OCB Ted Krovetz
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Pierre Karpman
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Paterson, Kenny
- Re: [Cfrg] RFCs for wider-block RC6 and OCB David McGrew (mcgrew)
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RFCs for wider-block RC6 and OCB David McGrew (mcgrew)
- Re: [Cfrg] RFCs for wider-block RC6 and OCB Ted Krovetz