Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?

Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Sat, 24 February 2018 16:15 UTC

Return-Path: <jeanphilippe.aumasson@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9730D127058 for <cfrg@ietfa.amsl.com>; Sat, 24 Feb 2018 08:15:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TPByV47maXli for <cfrg@ietfa.amsl.com>; Sat, 24 Feb 2018 08:15:26 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DA1E126D05 for <cfrg@irtf.org>; Sat, 24 Feb 2018 08:15:26 -0800 (PST)
Received: by mail-qk0-x22c.google.com with SMTP id z197so14409521qkb.6 for <cfrg@irtf.org>; Sat, 24 Feb 2018 08:15:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vHe1Dnq8OYoYIYzHcTBb6/yJkSy9Hc8jQxRXo8vQqGU=; b=ADXwPbV6qUdc2whj+y7O5PhsGRpHieSvS41RUrvLWAh8N+yuVuf4GWPL/paDEr2iwG nYQD2Oa61L1jz892woRIudzT1BRdY7HaSlhOOixLmEMS2T65bA8hvDUUwF3SRE+yBMCw 2Km6ZELf9iYL7wkSomKmgTMRfovGzwIo44RlvkFPdtGJwOVffHicga8y0PxGtOkRsBUw vf3wKvzYcJKND8y93SWZNN1KU6/JssJRzs8psv2TQmOtq4VisPUmjpnd7CUcFB83rvmu fSvsGG36KH2MWgZ1iv9ZVNondO9ah3cDgdjeVqa/g6ypvdP3Ed1u/uj26rvYEe+uCg+K GRtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vHe1Dnq8OYoYIYzHcTBb6/yJkSy9Hc8jQxRXo8vQqGU=; b=R1teErQHuM00D98pzHE+POb+eQ5Yt7WpEv75H6PiVU2izrYFFJgi297serVRWEf8AV gs6qhj6tdDjhFco8hmRH93mJ4trH6WiIxAcHCBoVwQmngAZ6JwcDHW1VLCR4xkagjBG3 nzvTlp7UfRtb23u2k1xCa2c5A5RhRp0E3t1uUdIjcRHHOUCyQuA3lpc0gSeWlbDyK6KV 4ijZglySrAleQfacpqmS0dBWfr63Kw6YUQkKXnzRuVE/MQvfeiCSIkOyIc4LYONHlN4O ggIml+OwB9C5n6SQVlhXh4SCmzlFaOGZgr6anZFuHYm/ONW7JnJyVbHpUts30b4xGyCq iUlg==
X-Gm-Message-State: APf1xPDaQmQF0gMukaG651ahnfW8WRDdkuniQ+MMMQMfbaJ0ECa9VjOg HBPABWKHQTdPC2EjBRXW6wVw9XXAbEVyVDue5pg=
X-Google-Smtp-Source: AG47ELtNXLvMMbsEXolJIdmDuQJwludax3b0K9rkV2rh119eARKHOOIoU1aYQYB0WDm4qT8n0wyLmtKXqjJFYZKtqSk=
X-Received: by 10.55.42.229 with SMTP id q98mr8075951qkq.150.1519488925184; Sat, 24 Feb 2018 08:15:25 -0800 (PST)
MIME-Version: 1.0
References: <18C83761-E442-45D9-BDBF-71DC7F751007@icann.org> <CAHmME9r3awwZxjEU-HWnOCyARhBx54VOcUOFJB4opmneKdZsyA@mail.gmail.com> <72BE956C-7D0F-41BE-88DE-C7C2063A7FED@seer-grog.net> <877er4h8n5.fsf@fifthhorseman.net> <149857F4-859F-45C8-AA6E-E1F72342B988@seer-grog.net> <A17CCC93-1AEE-47E3-B1A3-CA2791AA3AE0@icann.org> <6063D40B-F8A8-4C63-92EB-53EF4DB64975@cisco.com> <CAGiyFdddeUkqhMxQLH079syiHuV3KgY3_Ko2pVxYhjd+jEUMLA@mail.gmail.com> <E04CDD47-DCB3-456E-A8A6-EE93B63442B0@seer-grog.net> <752714BA-FC71-4B37-8685-7E44A68989B5@icann.org> <CAGiyFdfA9fU0APiZznfEMKrsRiRwQDDDpBpxQ3+mk638rRka3g@mail.gmail.com> <04292D54-752E-47BF-B82A-AE9F60551AD0@icann.org>
In-Reply-To: <04292D54-752E-47BF-B82A-AE9F60551AD0@icann.org>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Sat, 24 Feb 2018 16:15:13 +0000
Message-ID: <CAGiyFdcGgKOpc6ACnLDt3UURkbcd34VpD44VAk8+3-gpXocZ_w@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="001a11479f64a039880565f7954f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zMIh9abtj4qZOdR0INB5POq0qgQ>
Subject: Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Feb 2018 16:15:27 -0000

Sorry wasn't clear :)

I meant that, given the relatively small search space, collecting
input–output pairs and storing them in the table will allow an attack to
invert the mapping without knowing the key, if they can collect many such
pairs. For example, in an enterprise network the number of distinct IPs
observed is typically much less than 2^32.

On Sat, Feb 24, 2018 at 5:00 PM Paul Hoffman <paul.hoffman@icann.org>; wrote:

> On Feb 24, 2018, at 7:42 AM, Jean-Philippe Aumasson <
> jeanphilippe.aumasson@gmail.com>; wrote:
> >
> > A “non-invertible” construction based on truncated AES will yield many
> collisions if format-preserving (hashing to a 32-bit space), and it’ll
> likely become partially invertible with sufficiently many known in-out
> pairs.
>
> OK, then apologize for my ignorance. In
> truncate32(AES128(padded_32_bit_address, 128_bit_random_key)), are you
> saying that an attacker with lots of pairs can determine the key faster
> than if it was just AES128(padded_32_bit_address, 128_bit_random_key)?
>
> --Paul Hoffman