IETF Logo Mail Archive

[CFRG] Review of draft-irtf-cfrg-aead-limits-01

John Mattsson <john.mattsson@ericsson.com> Tue, 17 November 2020 23:32 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B90C3A0FEB for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 15:32:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmGIFAiP-Ea7 for <cfrg@ietfa.amsl.com>; Tue, 17 Nov 2020 15:32:47 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40043.outbound.protection.outlook.com [40.107.4.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F823A0FD7 for <cfrg@irtf.org>; Tue, 17 Nov 2020 15:32:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U6hLNrj/ZdFYOUXGt0ANT6sRfL1BgoAy/pCSTb2+KfL9/tpg/EqVZKGPodPYIANPGm26Hg1n94vqlWuqUWp0U8v0z/KfsGQJH+ASSx0c6HztUVKoEObjenUC1+QtZ25b6LsoYixP1f4a7asfSJTCFiSCLwP5UjOa9ufwXVxX3+/WDjquKwfGv6eZEIfiK8uH/2s0I4pzBnIB9dcCdj50NfKiQ7mMEvpReGFMk6SXBkYe2Tg7hNstYYUWVhbCq5JTwPfDG70xxKhGRJY9kln07O0Ix29LgP1IUhfUo6QQwfIukIa8ZS+Nr2VLRVSoaCAKa0ELTp/WQyMUMuj+MGDRow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y+WyqtHWBmS9Uja5ya3Gxn6oTrw0N4xKRURO684IjXA=; b=ZLa/5hD904wnDM3a1XVOMfPhf7jJDpJftNXwtZmfixJBsjxuVXVPGg45LhhIVWl2XELM8u05vqqRK8FytDx5qPSGk4C6aQsghfXE1aO99cmfPkZAyYG5FT1oEhQ1AMtVriE/DNFsBazyWp26FJATPumlcSuuFWy2DpHEzuXrV7j0BnAawlMBFeob3x4cxYa8FcmpnD74hgES2jmpucUKks7JvIc9ZxxzAs1wADNO4ClQ/TUluQz8rssFZYUi37+XubWZFvWj6Sfb2w84Z3ntRnIyckp1MmzkBdCo8z0t/JyRXtjDLltqW6czM7/qIf4s2vCVB5AFh6yYpd00SPCyew==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Y+WyqtHWBmS9Uja5ya3Gxn6oTrw0N4xKRURO684IjXA=; b=N50wmyKSJIFFv9+5UYLw9LnfnLe1ci73ZIc9OlSkRuEGmktsFWh7ZAHo/aEIg5+zNpRp42XMAA8O/6x8QajOmNU/ACMmUldIQ5txv/EQtrlwvsby4BdfLkKwbi6+Awt2rDkOoCrMfpSphG2l7O0GDweaMM6l2SYrcI2rryPCcvs=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM6PR07MB4898.eurprd07.prod.outlook.com (2603:10a6:20b:32::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.16; Tue, 17 Nov 2020 23:32:44 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3589.017; Tue, 17 Nov 2020 23:32:44 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: CFRG <cfrg@irtf.org>
Thread-Topic: Review of draft-irtf-cfrg-aead-limits-01
Thread-Index: AQHWvTnzG5eDcgGL2kuaVeRiz5GG2w==
Date: Tue, 17 Nov 2020 23:32:44 +0000
Message-ID: <24F660E5-C158-4FE6-A151-74BF78BE8CD9@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: irtf.org; dkim=none (message not signed) header.d=none;irtf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d22003dd-3554-4ee7-08d5-08d88b5115de
x-ms-traffictypediagnostic: AM6PR07MB4898:
x-microsoft-antispam-prvs: <AM6PR07MB489891B3D98B283573283EB689E20@AM6PR07MB4898.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: WRVyjXnskolbl/SPJcVK4smzcMy42IK54b7fULaimep3N4D09dJM6H9JAOl0MdDtGVYAY0f3odfH+CNo3FWqoN68P+qcJzaYgL6emsbj93QM2ScMICDG+udStQqHhbBE3yseas8Ye5oivBaajXelX5OQGGMFIIcioHQK/UVYwHuAGpy4PrBJRisRMrCMHTKhjSsGTshUXJKpielF98LdUcaTTpNnyPdW6JPpcdGEd7jG5M0JMk/gY74Qg7QVFZPKslOogsiC6qk5jlYeXBSzbsLdxhWeHtexMCL8sDGCPkSZy56LweUQ8OAtPz0ATGu9CQtHcWDnQ/iCIfCo0ZapQZaNE8xoGijnYXQ4HcD5VTqN1BNXZNRE353X4uQvTZLIZ9Ap/l4+eirdwl+z7TX6AHTlIz/PW4zy83TQy5gB4RyCz6tzpnaHPgzjHWgfVFZ0ka+QwUWiJt9NaNziU3z54A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(39860400002)(376002)(136003)(346002)(396003)(64756008)(66476007)(2616005)(2906002)(44832011)(91956017)(66446008)(33656002)(6916009)(36756003)(186003)(26005)(66556008)(6506007)(5660300002)(66946007)(316002)(83380400001)(76116006)(8936002)(83080400002)(8676002)(86362001)(478600001)(966005)(6512007)(71200400001)(6486002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: p449/PJWyJJg334dCKLyHt/Pa5jMwOMcWsfohLLR7Ef95YqZWp0ycPPb/V0OCPhyc2CZzuR6RDXS3gvIKSmSmFPajZt73wNE5SLF84GrWzeOCwmEFlAvQcUY2oyY2GHtbuwT0jeee2RFq9ic9VC/FJSTqeltWn9dBuRH+Mp4V3eEmRTPNbORDrt8xfC879G1eMRvIdvUB7vApCwNncXeU07AOCmsEaa+O4wAKUZUmKYV9F19P2xx/uXXHJ1oLoMKyM6O0XpQTgV8BMiIQbMYRdGY3dbqtgemIoA6nylBQoAMsCtYJPBykHWtOl4g7k9ymkDhTY/4eAvQZZBZaVwTpXRfQA/o4mF0g965dZ2NW6al1vxBDe6t/UG2v+j9U4bq8rcRHYDMNUt9b9/c/osJenWE/fDRveYosNidm1fvcBkirE9Aj+kjHyaMUFi2DKu63PYpG6szo+Y8jE4Z9rHq1j0lxOtdN4rZHSf0UwahmQzmur04HjNljLZOt8haxQH8w1Y0j/Cui118vDOA+Gadwj8GeWpAjOZO9WDmsn1UgL0uJXN83DuE5Ag40XAPKHb4t/5mLAXBWyaIJ1ggxSAhCfwoQNXngy1GQ/zcepi+dMhRKFJ9DozNsxLDqLrM6JZ2pMfArdY5mE5yDYsH2CPDgQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <F0859BAA21A5EB4B882B2446B3FA1D6A@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d22003dd-3554-4ee7-08d5-08d88b5115de
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Nov 2020 23:32:44.7260 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: k+AvCRiMkIB/LE98qUJSkokiiou8W0vsY9jArMjtvtvZCgc3u+ECQKRRS4UFwJ1NHvO2hjmOk6WhgRK8m8eluEhEQnigHn/PNpf0VQcBdfA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4898
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/x_M_WDJGqcJNvoqILDf4-75Mxqg>
Subject: [CFRG] Review of draft-irtf-cfrg-aead-limits-01
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 23:32:49 -0000

Hi,

Great that you are taking the time to summarize all this information. Very useful.


Comments:

-- "plaintext, and optional associated data"
 
P and A are both optional in RFC 5116.


-- It would be good if the document states that it only focuses on "single forgery attacks"

I think some readers might believe that a second forgery is as hard as the first, which it is not. It it typically much easier. It might also vary drastically between algorithms as calculated in [1].


-- I think the document should briefly explain the assumptions about the adversary. For both CA and IA, one assumption worth explaining is that the adversary has access to an encryption oracle and can freely encrypt chosen-plaintexts.


-- The table defines l as "length of each message" while a paragraph further down writes "maximum message size (l)".


-- ”passive attacker”

For a reader that does now the IND-CPA game by heart it might be good to point out that the “passive” attacker does not just eavesdrop but also choses all the encrypted plaintexts.


-- “Integrity limit (IL): The number ciphertexts an application can decrypt, either successfully or not”

That IL also count successful decryptions seems to contradict other parts of the document that links IL to v which by definition only counts failed attempts.


-- “This implies the following usage limit: q + s <= p^(1/2) * 2^(129/2) – 1”
   “This implies the following limit: v <= (p * 2^127) / (l + 1)”

This does not follow with the current definition of p (p = CA or p = IA). To make the inequalities hold I think you need to define p as:
 
"Upper bound on adversary attack success probability"

just like the parameter epsilon in [AEBounds].


-- I think the document should briefly explain the assumptions about the algorithms. In [GCMProofs] it is e.g. assumed that AES is a PRP. Future cryptanalysis that does not make these ideal assumptions could make the limits worse.


-- The document should make it clear that formulas for CA and IA (at least for GCM) are upper bounds. Future analysis could make the limits better. That they are just bounds also make any direct comparision between algorithms tricky as some bounds might be tigher than others.


- The draft briefly mention that small limits lead to denial-of-service attacks. The DTLS 1.3 draft does that.


-- The draft seems to make the assumption that l is fixed like n, k, r. I don't think this needs to be the case. My understanding is that for the GCM limits, l_max_allowed can be replaced by l_max_seen being the largest length processed. The encryption or decryption function would then terminate when CA or IA can not be verified to be under the chosen bound. This would make a big difference for applications typically processing much smaller messages than for example 2^14. For the CCM integrity bounds, the formula would probably have to involve (2 * l_max_allowed * q + 2 * l_max_seen_* v). The DoS problem would still be tied to l_max_allowed.


Cheers,
John

[1]  https://csrc.nist.gov/CSRC/media/Projects/Block-Cipher-Techniques/documents/BCM/Comments/CWC-GCM/multi-forge-01.pdf

v2.30.2 | Report a Bug | By Email | System Status