IETF Logo Mail Archive

Re: [CFRG] Call for adoption for draft-denis-aegis-aead

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 28 July 2022 20:19 UTC

Return-Path: <prvs=620804b8d5=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21E69C15C52B; Thu, 28 Jul 2022 13:19:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1MZFAYyyesE; Thu, 28 Jul 2022 13:19:09 -0700 (PDT)
Received: from MX3.LL.MIT.EDU (mx3.ll.mit.edu [129.55.12.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB1B6C15C527; Thu, 28 Jul 2022 13:19:08 -0700 (PDT)
Received: from LLEX2019-3.mitll.ad.local (llex2019-3.llan.ll.mit.edu [172.25.4.125]) by MX3.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 26SKJ0Mf216355 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 28 Jul 2022 16:19:00 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=ioWz1gf+pLBn1IzSA2ykwOaZE9NqDaahVanRb49oD1W6tC2boUVCA7DzY4vAsNmm8/oZN3Az7qWMUzYq5HCT4XNElIsoQSmvwrAfyVJJ1cj0LZkwLSzb5kkDEoBDTfMJhdrxShX7O9qje2UnKcbIOYPrmChQS7zbNWq2ayw4/3MYRt8aPMbKehdVi2ByewjgxK1MrpyIaDu7AwcY5JvalvmHVzZl462MheR4ipJo0jwaVbP/wuwpzCPfnQdmnvj8dsJpwETXagmtXANZpwp6DA1yK3Jwt3+tOhq3ceKWUQvT3QndtfYt8TJKd3ip2Vtq6KNbmtu0oPmDvA7pYn4wJw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WrOJPB6qlhq9wTsQZ3riqTQCwCK8ZLJiVaewgwOCIHw=; b=JYSuEh8ZyhYTnPhOMOzGhhhMzKAgPBjttTdaAVtnJAIQoEJMkK8ZXppPceV7tyac3FByqBO22k67UvlfXHOB6oNk1iYlX+XF+d8kBM4Kj5GleIpFM0WyQA9UrMwcLhBnRC60DKs+RKHMTJ836qHECToajxxE62b3N4jD4zyKoN1ABliDgjKZ3iTDZMxoQwW1gBMMll0Lmh4nLFphY/HJAgkxJdCnZDeAun4NifPggkZEydZKxTfW/DYQunydZabQa1DMZMGQbCM1F905pIvmFpILvz5clEjIzN7fK6JwA3qUViMmwDB95lj5ORKYwM55xR8zzGN7kyjLhwRyb5HFEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
CC: "Crockett, Eric" <ericcro=40amazon.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Call for adoption for draft-denis-aegis-aead
Thread-Index: AQHYorr9ua5rk1PByEOsTFvlGpOY0q2T9gqA
Date: Thu, 28 Jul 2022 20:19:04 +0000
Message-ID: <9316AC33-B46E-4AF1-A46A-B7FB1617CB80@ll.mit.edu>
References: <5755C7A7-3073-41E2-89D2-44E0439743B8@ll.mit.edu> <20220728194703.7495260842@jupiter.mumble.net>
In-Reply-To: <20220728194703.7495260842@jupiter.mumble.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ba6efaee-7720-4032-c9c9-08da70d66af0
x-ms-traffictypediagnostic: BN0P110MB0997:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Y6ujaD6CjP5dsvTee0ywAL8iY61HFDpvlPxgeZdywa1dbNMWLarthB6pNHmyhDpg7L8bD9TskKejqQwDmVKjNVGJZqPyoPQLqNxzfMAxROm0zjmXQ/1aV9PMR7iRZPSKUFpQ44n0i1H8Z7rhLeeQ+uSFlFPfeGG3zjpafbLLDqs9KS3HCCMb+16I05rTbzUVFZWOWD+pPgKTbPH8LIBAJIM0XKhd8q79EnHKq0rLTPrsndpKydRusRIXAOBKlILc0L1CBhxzTlkS4G9dJU2xYNl7Md4iWE/3qTh6/in0icsuHVNLsakD27aCwCHp2a5+Imf+KddCD9Hek7ROjHRIgFvo2VP2h35KmwCK5qeI6utUhga1VDfDSE+m9qAEQfb6pSzPpNa3tMGmQdCeAwoe6t5mZWptGbb/TH5APkjwbkUxrLHuBUwIb5QacpHmFREPAI8MimCZe4w68rVGf+sW+lqCky81K0jtv2lmFGac47uRHCmmtwSN6CT+lPhrwOp8+gHhxloSWW3580T0i3F9MMl2pQYCkTiWF1i30gWbun6mC7fDv2D74FUXKWwMMQbNUUU4UTRqLBQghq0DZTBUtm9eFRANPhf6FUNExGXj29khBUQqeQ2nm5R+iOZRcqtouxeWn71KoPextC1CkrCid6vgbne4ZRasHhyCguY+NLyubtQOXd7JCJivLzx4sQnNvf/MeRvFQ8Sq/ASPEFqBpGh3uFfgtwZStGy1FuD8ABjrvrJR+0Zn/IW1OzaEBK8HO/vfA+r6gN3C5DGdWHYbrA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(66446008)(75432002)(122000001)(5660300002)(76116006)(38070700005)(66476007)(8676002)(2906002)(64756008)(33656002)(86362001)(4326008)(66556008)(54906003)(8936002)(38100700002)(66946007)(2616005)(6512007)(186003)(498600001)(966005)(6486002)(26005)(71200400001)(99936003)(83380400001)(6506007)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: myg9gl7yFJ9R9pAC1kp1yDoSqFBOJ8CsqELUFSqzFuXNuH3+vDB+9e2bjm3My9zEsXovO11HxaQT2epnqNiDwHTYlqw8pOna3E8iaM3mrwEGvwhdCD8hMjSGBZKKTmrta0LiuNPEwIw3iQnJboi0HOw9ngSveM8WZvWBHd3u+gEpr5ggIKcCUYOEk9Sbf/eA9aPi6wfM35dosu+KoqMvsT3HUNU2/VjzYQEcEL7Y8ZxoC8rICXiinOCaMBLvXosDsDrEQ68Rzq+uNv97EAKpwdKY+0LazoTIcU5G5+pMvSvrRpoaIOILTGIVtQBtfo+qS0rihaBLCBVh/TamlDUedDWVAlB53Y/DdDJz/7j5oneS+iPsI6KxDh41hcmZQ7b8rrIoFTe8sYpqPxXimr2TAWqYEkkAQlRWTDh21DzP0eI=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3741869943_2879198873"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ba6efaee-7720-4032-c9c9-08da70d66af0
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2022 20:19:04.5355 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB0997
X-Proofpoint-GUID: KUCI_i_nb8e-cYIHoankplOMe6l-DGgR
X-Proofpoint-ORIG-GUID: KUCI_i_nb8e-cYIHoankplOMe6l-DGgR
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-28_06,2022-07-28_02,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxlogscore=999 mlxscore=0 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207280091
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ye2ArD9_C36pRFgs8BYIA_OlzFg>
Subject: Re: [CFRG] Call for adoption for draft-denis-aegis-aead
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 20:19:13 -0000

When I said "ideal", I was exaggerating (of course) - as long as it's practical and performant, it's "good enough".

One advantage of AES-based ciphers and modes is that they can benefit from Intel and ARM hardware AES acceleration. How does ChaCha compare against hardware-accelerated AES? This would be my main concern here.

Other than that - Daence sounds like a good candidate. And I don't remember exactly - there was Romulus (or such) that NIST LWC awarded...?

Thanks
--
V/R,
Uri
 
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare
 

On 7/28/22, 15:48, "Taylor R Campbell" <campbell@mumble.net on behalf of campbell+cfrg@mumble.net> wrote:

    > Date: Thu, 28 Jul 2022 19:15:23 +0000
    > From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
    > 
    > > > From the draft:
    > > >
    > > > With AEGIS-256, random nonces can be used with no practical limits.
    > >
    > > We have use cases where we would like to encrypt >>>2^32 messages
    > > with random nonces. GCM limits us to 2^32 messages with random IVs,
    > > and it's not always possible to use deterministic IVs. Even when
    > > it _is_ possible to use deterministic IVs, we sometimes would like
    > > to encrypt >>2^64 messages with the same key. So having an AEAD scheme
    > > which supports a practically-unbounded number of messages per key would be useful.
    > 
    > As I said before, my main problem with AEGIS is that nonce
    > misuse/reuse breaks it.
    > 
    > With that in mind, I think that AEGIS is better than AES-GCM, but
    > worse than an "ideal" AEAD that I'd like to see standardized and
    > widely deployed.

    Won't claim it's ideal, but ChaCha-Daence:

    (a) supports a practically-unbounded number of messages per key[1];
    (b) falls back to deterministic authenticated encryption security like
        AES-SIV if you don't have unique per-message numbers or if your
        RNG/counter goes wrong;
    (c) can take advantage of public or secret message numbers, whether
        deterministic or random;
    (d) does not require a randomized nonce like AES-GCM-SIV does for
        nonce-misuse-resistance;
    (e) has a simpler interface, DAE (key,ad,message), than nonce-based
        AEAD (key,nonce,ad,message); and
    (f) is built out of the same components as ChaCha/Poly1305 so it only
        takes a few lines of code with those components to implement it,
        so it's cheap to drop into applications that already use libraries
        with ChaCha and Poly1305 today -- no assembly (code) required.

    Details and security theorem: https://eprint.iacr.org/2020/067

    [1] Table of advantage bounds on p. 5 of the manuscript is generated
        by https://github.com/riastradh/daence/blob/master/adv.py, with
        references there to the best advantage bounds in the literature on
        AES-GCM, AES-GCM-SIV, AES-SIV, and ChaCha/Poly1305 security.

v2.23.0 | Report a Bug | By Email