IETF Logo Mail Archive

Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?

Alex Elsayed <eternaleye@gmail.com> Fri, 19 February 2016 07:21 UTC

Return-Path: <giic-cfrg@m.gmane.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3701A8748 for <cfrg@ietfa.amsl.com>; Thu, 18 Feb 2016 23:21:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.995
X-Spam-Level:
X-Spam-Status: No, score=0.995 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.006, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1U8xNonMt8E for <cfrg@ietfa.amsl.com>; Thu, 18 Feb 2016 23:21:09 -0800 (PST)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D7221A1B13 for <cfrg@irtf.org>; Thu, 18 Feb 2016 23:21:08 -0800 (PST)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <giic-cfrg@m.gmane.org>) id 1aWfNB-0000Ij-Ca for cfrg@irtf.org; Fri, 19 Feb 2016 08:21:05 +0100
Received: from 66-87-138-210.pools.spcsdns.net ([66-87-138-210.pools.spcsdns.net]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Fri, 19 Feb 2016 08:21:05 +0100
Received: from eternaleye by 66-87-138-210.pools.spcsdns.net with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <cfrg@irtf.org>; Fri, 19 Feb 2016 08:21:05 +0100
X-Injected-Via-Gmane: http://gmane.org/
To: cfrg@irtf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Fri, 19 Feb 2016 07:20:59 +0000
Lines: 26
Message-ID: <na6foq$s6m$1@ger.gmane.org>
References: <8F1E4FEC-1FED-491B-BC6A-B00C27864414@gmail.com> <alpine.BSO.2.20.1512031055120.12629@natsu.mindrot.org> <21946846-1BFB-4170-8E8E-EC6A00BF3AED@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 66-87-138-210.pools.spcsdns.net
User-Agent: Pan/0.139 (Sexual Chocolate; GIT bf56508 git://git.gnome.org/pan2)
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/vk4UVtz4DsuQQDEpS4wACVaPUxU>
Subject: Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 07:21:10 -0000

On Fri, 04 Dec 2015 11:53:02 +0100, Bryan Ford wrote:

<major snip>

Apologies for the (very!) late reply, but was off-list for quite a while.

> Is there anything seriously
> problematic or unsound from a crypto perspective about such an APEAD
> interface extension or feature, aside from the well-known risks
> associated with any use of (“previewed”) data before it’s been
> integrity-checked?

One particular problem is that APEAD is hard-incompatible with MRAE - in 
order for an AEAD to satisfy MRAE, every bit of the ciphertext must 
depend on every input bit from (nonce, ad, pt). As a result, "previewing" 
some prefix is infeasible for the exact same reason as MRAE and "online" 
AEAD being disjoint (Hoang, Reyhanitabar, Rogaway, and Vizar have a 
fascinating paper on this - https://eprint.iacr.org/2015/189).

However, this does leave some options regarding length-hiding on the 
table.

For one, given an AEAD based on the encode-then-encipher paradigm with 
variable \tau, one can increase the length of the verifier arbitrarily. 
This permits essentially padding each message to any extended length and 
gaining that length as additional integrity protection.

v2.23.0 | Report a Bug | By Email