Re: [Cfrg] [Ext] Re: Analysis of ipcrypt?
Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Sat, 24 February 2018 16:15 UTC
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Sat, 24 Feb 2018 16:15:13 +0000
Message-ID: <CAGiyFdcGgKOpc6ACnLDt3UURkbcd34VpD44VAk8+3-gpXocZ_w@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zMIh9abtj4qZOdR0INB5POq0qgQ>
Sorry wasn't clear :) I meant that, given the relatively small search space, collecting input–output pairs and storing them in the table will allow an attacker to invert the mapping without knowing the key, if they can collect many such pairs. For example, in an enterprise network the number of distinct IPs observed is typically much less than 2^32.

On Sat, Feb 24, 2018 at 5:00 PM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On Feb 24, 2018, at 7:42 AM, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> wrote:
> >
> > A “non-invertible” construction based on truncated AES will yield many collisions if format-preserving (hashing to a 32-bit space), and it'll likely become partially invertible with sufficiently many known in-out pairs.
>
> OK, then apologize for my ignorance. In truncate32(AES128(padded_32_bit_address, 128_bit_random_key)), are you saying that an attacker with lots of pairs can determine the key faster than if it was just AES128(padded_32_bit_address, 128_bit_random_key)?
>
> --Paul Hoffman
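An added illustration of the collision half of the argument above (this is not code from the thread or from ipcrypt): a keyed function truncated to 32 bits is not a permutation, so mapping an enterprise-sized set of 2^20 addresses into a 32-bit output space produces on the order of n^2 / 2^33, i.e. about 128, pseudonyms that are shared by two different addresses. hashlib.sha256 is assumed here as a stand-in for AES-128, since only the random-function behaviour of the truncated output matters for counting collisions; the key and the 10.0.0.0/12 address set are constructed sample values.

```python
import hashlib


def truncated_prf(key: bytes, ip: int) -> int:
    """Model of truncate32(AES128(padded_32_bit_address, 128_bit_random_key)).

    Assumption: sha256(key || block) stands in for AES-128 under `key`; for
    collision counting only the truncated output's behaviour as a random
    32-bit function matters. The address is zero-padded to a 16-byte block
    and the first 4 output bytes are kept, mirroring the construction in the
    thread.
    """
    block = ip.to_bytes(4, "big") + bytes(12)
    digest = hashlib.sha256(key + block).digest()
    return int.from_bytes(digest[:4], "big")


def expected_collisions(n: int, out_bits: int) -> float:
    """Birthday estimate of how many of n inputs land on an output already
    produced by an earlier input, for a random function into 2^out_bits values."""
    return n * (n - 1) / (2 * 2 ** out_bits)


def count_collisions(key: bytes, first_ip: int, n: int) -> int:
    """Map n consecutive addresses starting at first_ip through the truncated
    PRF and count inputs whose 32-bit pseudonym was already taken."""
    seen = set()
    collisions = 0
    for ip in range(first_ip, first_ip + n):
        out = truncated_prf(key, ip)
        if out in seen:
            collisions += 1  # two distinct addresses share one pseudonym
        else:
            seen.add(out)
    return collisions


if __name__ == "__main__":
    KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    BASE = 10 << 24  # 10.0.0.0; with n = 2**20 this is the 10.0.0.0/12 block
    n = 2 ** 20
    c = count_collisions(KEY, BASE, n)
    print(f"{n} addresses -> {c} shared pseudonyms "
          f"(birthday estimate {expected_collisions(n, 32):.0f})")
```

Because the mapping is many-to-one, a pseudonym can no longer be decrypted back to a unique address even by the key holder, while an observer who has logged enough (address, pseudonym) pairs still inverts it by table lookup, as the message above describes.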