IETF Logo Mail Archive

Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?

"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Fri, 18 March 2016 11:16 UTC

Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02F7E12D7A4 for <cfrg@ietfa.amsl.com>; Fri, 18 Mar 2016 04:16:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xzsBxqMgTc6F for <cfrg@ietfa.amsl.com>; Fri, 18 Mar 2016 04:16:51 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0048.outbound.protection.outlook.com [104.47.2.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A61012D78C for <cfrg@irtf.org>; Fri, 18 Mar 2016 04:16:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com; s=selector1-rhul-ac-uk; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EGXs9zvDBamiFGnaDJ3VY/I0kJNOJdZxymMx7VwMeME=; b=GeRrrM21g9nf0KS05rdPh6y1kO7jeSuITntBRYkoYXjtdLF/ZFo9cEtt9JCunyJZvkEp+dSRYZCBfZ9kffq+y7BNwp1r8njW8Dfz3OsJOErlLFKQWQ3qoLTC4KoJ9VYh7yRRV10DzwD93uzU4A+88yqsNS25F7ELYhiG9twD8Vw=
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com (10.166.42.148) by VI1PR03MB1821.eurprd03.prod.outlook.com (10.166.42.147) with Microsoft SMTP Server (TLS) id 15.1.443.12; Fri, 18 Mar 2016 11:16:48 +0000
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) by VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) with mapi id 15.01.0443.014; Fri, 18 Mar 2016 11:16:47 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Bryan Ford <brynosaurus@gmail.com>, Alex Elsayed <eternaleye@gmail.com>
Thread-Topic: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?
Thread-Index: AQHRgQepihOvqlnWT06P2Bcd9XDrfg==
Date: Fri, 18 Mar 2016 11:16:47 +0000
Message-ID: <D311901F.67219%kenny.paterson@rhul.ac.uk>
References: <8F1E4FEC-1FED-491B-BC6A-B00C27864414@gmail.com> <alpine.BSO.2.20.1512031055120.12629@natsu.mindrot.org> <21946846-1BFB-4170-8E8E-EC6A00BF3AED@gmail.com> <na6foq$s6m$1@ger.gmane.org> <B3F3C60C-8294-48D8-A572-59164DC5DD71@gmail.com>
In-Reply-To: <B3F3C60C-8294-48D8-A572-59164DC5DD71@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.1.160122
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=rhul.ac.uk;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [134.219.214.142]
x-ms-office365-filtering-correlation-id: b9ae8ffd-a65f-42e8-ffca-08d34f1ecc05
x-microsoft-exchange-diagnostics: 1; VI1PR03MB1821; 5:kDyE4vNauqAXAeCM8iJF/uC9PvFlKYZcxCZFns/SUBDE1DqaMPo3j/4w4opFH5j3JBruFhbUIbM61Yjb7j/izsu1PS/bsmKFisBKZ1X6uXaULLxFs17RSrehafYk4fP4itaNae7jDYl3G8kLhs5ptQ==; 24:aSVaSTr/Rxh3Ydpgcq/6bBpLps3L7ENtcPeELj2dr3UnDNcK28ULHHL3HyNmW1srsME/0MZYjWCIjX9JVcEqveNiQGcwvuiEq3IfpNc3a2o=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR03MB1821;
x-microsoft-antispam-prvs: <VI1PR03MB18210E5DA86BC3740AEC2FCDBC8C0@VI1PR03MB1821.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001); SRVR:VI1PR03MB1821; BCL:0; PCL:0; RULEID:; SRVR:VI1PR03MB1821;
x-forefront-prvs: 088552DE73
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(377454003)(24454002)(479174004)(3660700001)(36756003)(76176999)(86362001)(54356999)(87936001)(66066001)(74482002)(10400500002)(19580395003)(19580405001)(93886004)(2906002)(50986999)(83506001)(5002640100001)(4001350100001)(189998001)(5001770100001)(92566002)(4326007)(5008740100001)(3280700002)(81166005)(2900100001)(77096005)(2950100001)(1220700001)(1096002)(586003)(102836003)(106116001)(6116002)(3846002)(5004730100002)(122556002)(15975445007); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR03MB1821; H:VI1PR03MB1822.eurprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-ID: <DDC383F1A248C54486B45EB306676F08@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2016 11:16:47.9461 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR03MB1821
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wv_xZk2jkkJckycyrVwZ-73KPnM>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Discuss/standardize Preview extension to AEAD abstraction?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 11:16:54 -0000

Bryan, all,

Removing my chair's hat, I wanted to point you to this work:

https://eprint.iacr.org/2015/059


(this is the full version of a paper that we published at Eurocrypt'12).

The relevance to your discussion below is that the paper presents formal
security models and constructions for symmetric encryption schemes which
are, amongst other things, "boundary hiding". Essentially, this means that
different sequences of ciphertexts are indistinguishable from one another,
in a strong and precisely defined sense.

The paper also deals with the fragmented decryption setting which may be
inherent in such a setting (depending on the characteristics of the
underlying network transport): ciphertext bits/bytes arrive, and the
decryption algorithm cannot tell ab initio when it has received a complete
ciphertext (since there can be no metadata to provide length information,
and an atomic ciphertext may have been fragmented over multiple network
packets during transmission).

The paper was inspired by SSHv2's attempts to hide length information,
make sequences of ciphertexts look like random bits, allow for fragmented
delivery, and provide cryptographic security. That didn't work out too
well for SSH in CBC mode, but the paper shows that a combination of
properties like this (and more) *can* be achieved efficiently.

I think it is relevant to the problem of metadata protection that you are
concerned with here.

The paper is not particularly easy to read, and so I'd be happy to offer
my services as an interpreter.

Regards

Kenny 


On 26/02/2016 16:39, "Cfrg on behalf of Bryan Ford" <cfrg-bounces@irtf.org
on behalf of brynosaurus@gmail.com> wrote:

>Hi Alex,
>
>On Feb 19, 2016, at 2:20 AM, Alex Elsayed <eternaleye@gmail.com> wrote:
>> On Fri, 04 Dec 2015 11:53:02 +0100, Bryan Ford wrote:
>> 
>> <major snip>
>> 
>> Apologies for the (very!) late reply, but was off-list for quite a
>>while.
>> 
>>> Is there anything seriously
>>> problematic or unsound from a crypto perspective about such an APEAD
>>> interface extension or feature, aside from the well-known risks
>>> associated with any use of (“previewed”) data before it’s been
>>> integrity-checked?
>> 
>> One particular problem is that APEAD is hard-incompatible with MRAE -
>>in 
>> order for an AEAD to satisfy MRAE, every bit of the ciphertext must
>> depend on every input bit from (nonce, ad, pt). As a result,
>>"previewing" 
>> some prefix is infeasible for the exact same reason as MRAE and
>>"online" 
>> AEAD being disjoint (Hoang, Reyhanitabar, Rogaway, and Vizar have a
>> fascinating paper on this - https://eprint.iacr.org/2015/189).
>
>That concern occurred to me as well.  But in subsequent discussion with
>Philipp (co-author of one of the recent misuse-resistant schemes -
>https://eprint.iacr.org/2015/999), we realized that it *is* possible to
>create an APEAD scheme that’s also misuse-resistant.
>
>But we also realized that for some of the purposes motivating the APEAD
>property - particularly hiding sequence numbers in out-of-order
>transports such as DTLS or IPSEC - just using a misuse-resistant scheme
>and transmitting the sequence number inside the encrypted payload
>presents a reasonable and perhaps conceptually simpler and cleaner
>alternative to the APEAD approach.
>
>> However, this does leave some options regarding length-hiding on the
>> table.
>> 
>> For one, given an AEAD based on the encode-then-encipher paradigm with
>> variable \tau, one can increase the length of the verifier arbitrarily.
>> This permits essentially padding each message to any extended length
>>and 
>> gaining that length as additional integrity protection.
>
>I’m not sure I follow the details of this suggestion - but definitely
>agree that in general that there are several reasonable approaches to
>length-hiding, with or without the APEAD property.
>
>Cheers
>Bryan
>
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email