Re: [openpgp] Proposal to include AEAD OCB mode to 4880bis

Ronald Tse <tse@ribose.com> Thu, 26 October 2017 01:47 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/OoLfkTALAWLxLlhqOk7JfRJ_i7c>

Hi Werner, Rick and Paul,

Werner, thanks for the tip. I’ve just sent the proposed patches to the mailing list, as you have probably already seen.

Rick, Paul,

The benefits of OCB mode are best explained on this page:
http://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

In comparison with EAX which is already included in 4880bis, OCB is fully parallelizable for encryption/decryption and authentication (EAX authentication is serial). It is a single-pass algorithm (EAX is 2-pass), and is currently the only widely accepted AEAD mode that is endian-independent (EAX is endian-dependent), which makes implementation easier.

Performance of OCB is superior to EAX and is probably the fastest among accepted AEAD competitors, as compared in this paper:
https://www.fi.muni.cz/~xsvenda/docs/AE_comparison_ipics04.pdf

This paper states that with 16 byte messages, EAX requires 227.09 cycles per byte (6 blockcipher invocations), while OCB needs only 118.91 cycles per byte (3 blockcipher invocations).

In addition, Krovetz and Rogaway have also made the effort to standardize OCB in RFC 7254, providing a stable IETF reference, and have also included OCB-AES in the IANA registry for AEAD parameter sets (RFC 5116), in which EAX is not present:
https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml

Another thought is to actually refer to the IANA registry for OpenPGP supported AEAD algorithms, but that might be a topic for another day.

Kind regards,
Ron

_____________________________________

Ronald Tse
Ribose Inc.


On Oct 26, 2017, at 12:47 AM, Rick van Rein <rick@openfortress.nl> wrote:

Hi,

Adding algorithms is easy. Removing them is hard. That should raise the
bar for adding new ones.

I second that.  There should be a good reason for adding new algorithms.
(Which is always subjective because it is really helpful to have things
to fall back on when a part fails, security-wise.)

Along the same lines I'm also surprised that no effort has been made to
deprecate 2.x PGP packet formats and public key formats, for instance.
We all know that such old keys don't have a reason to exist anymore,
but we're all still coding the old and new in order to be compliant to
the standards.  Such a waste of time...

-Rick