Re: QUIC-LB update: Eliminate block ciphers?

Martin Thomson <mt@lowentropy.net> Wed, 06 October 2021 22:13 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EA113A097A for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 15:13:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=MCQIDsX8; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ljUGwfoH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U92fARZrp3NV for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 15:13:10 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30BFB3A08ED for <quic@ietf.org>; Wed, 6 Oct 2021 15:13:09 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.west.internal (Postfix) with ESMTP id 77A663201C81 for <quic@ietf.org>; Wed, 6 Oct 2021 18:13:06 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Wed, 06 Oct 2021 18:13:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=1mx3X4nTjKh8lWRmAThUwXUZ7pf50Nl huXa+x0bvZ+A=; b=MCQIDsX8EYM/oN/41woUnNSJmjB/SRMRysi3Ht/jrfkHFnn dAUNaH7AMLFGKxg43T9qnMd1DS/sAPHTCI8LCprrZzkyEk1fs9TGVwz7ncmNvKGF rvAZFdnEvD/BwgIc4cW/ggIYlaXuSkmSKigJtBzIDBgrlyul5q5oR6lq/6VrhkUW drg/9IeOTg9ZiL4/65LWNfCmedmzZr44BbpsxFN3UR80xaLNNxnK01bA0uh78CQO QSxbWox4ZU2kB/uABTzbTtSC+jAbwy+GWWDC0Vwy9abVBwn3T74fLOCDKuvgNUbr qg8+jZcTwCuwSukwl5m/nJQvE9OU+nq2pnOCPvg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=1mx3X4 nTjKh8lWRmAThUwXUZ7pf50NlhuXa+x0bvZ+A=; b=ljUGwfoHI7t9lC+MofEQnZ +xS9OrgbZgJ/gxIb9osSXjoRuohMjQ3vv33DdlnMiiGbvqAvRRmhPQ+pgYnqb/2b JSt68pFfJpTPiCQHSZly8/kKjFE8m3FtQg6yOGbmVD3DAhIxb+/7+RxbUJQeEt6X CFJnw9jdkbtYrs1o8xsp+jwkHEd7IHsNhpK3vwolk2/dVWievWL6+nab6QALwwtO rHOdc0C7H7K6gZJPAb06j9Z6HVERt1RK/JlrIoViOhZR3thN7RlSUiLYcnTalBch uy8+ysaHPVMeKhkm2qNfptkzsxlIsj1yV1wCrRG7EBZ9GzUaJu48XwFlG/n+j8HA ==
X-ME-Sender: <xms:cR9eYfndIw_c0FmQ0nUgHyG1b7qCJS7xDWFqV8bq6bUeJqppRBlUbQ> <xme:cR9eYS1VNYOuSrnZ_3L4vbybaOy8jEM97uCpKiB-b8eIG0A2Zv6yXwJafj5GHQ76n BSfjs1ti3-o9R9iKPY>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudeljedgtdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhho figvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeekteeuieektdekleefke evhfekffevvdevgfekgfeluefgvdejjeegffeigedtjeenucevlhhushhtvghrufhiiigv pedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhhtrhhophihrdhnvg ht
X-ME-Proxy: <xmx:cR9eYVoKGEuGWKQXRMcv4iLyUGyC1lV6GNCBI3NHdMGCAlz7n6TNWw> <xmx:cR9eYXmwZG7eAB-PLvEn6x3tlAS93CozhoLd90LmPi2GJi4AaVE6EA> <xmx:cR9eYd2dO1Gr5tIoKhoLSzsn6v7EfyI5pLPYFU2b9e0fC3MYCFiV8w> <xmx:ch9eYeCuyoJnHSJr4zpHqdLI12PmnXjD9cDiPlnmOaMRvjB0CQCrJw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E63913C0246; Wed, 6 Oct 2021 18:13:05 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-1331-g5ae342296a-fm-20211005.001-g5ae34229
Mime-Version: 1.0
Message-Id: <3ca56d7b-072e-4206-be10-c7732d796d36@www.fastmail.com>
In-Reply-To: <4c53f268-3d1b-562c-da5b-9973737464dc@huitema.net>
References: <CAM4esxT=QrJBaPsmK-6dXV+WUYn+tiHUEk_PpJu9L_agdU4EtQ@mail.gmail.com> <6f4f125359b247f588c8a74eb7ebfa1a@huawei.com> <CAKcm_gNRmKEDninEbHd6L_Jf7qJRBOvh5q2VyQT4FFabnDKL6g@mail.gmail.com> <CAM4esxQ7oUb2k3HKs21gUy15FxDr3wMDPH4EyR8FkX8q+a9A3Q@mail.gmail.com> <CAMm+Lwg2Ds=MdKXcry-ukRjc3nSjXy4XHXFdBU8eJP9S9xOchg@mail.gmail.com> <4c53f268-3d1b-562c-da5b-9973737464dc@huitema.net>
Date: Thu, 07 Oct 2021 09:12:46 +1100
From: "Martin Thomson" <mt@lowentropy.net>
To: quic@ietf.org
Subject: Re: QUIC-LB update: Eliminate block ciphers?
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/9cxHN03V3C5r-r3J2zOArvRmuls>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 22:13:15 -0000

On Thu, Oct 7, 2021, at 07:02, Christian Huitema wrote:
> Phil,
>
> What we have in the current LB spec is called a "stream cipher", but 
> that's a misnomer. What we have in the spec is actually a variable size 
> block cipher, derived from AES-ECB using a construct similar to FFX. 
> Your review of that algorithm would be appreciated.

Christian,

I would call this a Feistel network, but avoid talking about FFX.  FFX has a bunch of guidance about the number of iterations of the network that this ignores; to call this FFX or even imply that it is FFX isn't really fair.  When you get right down to it, the real contribution in FFX is the analysis that produces guidance on the number of iterations and the inclusion of tweaks; if you use neither, then it's not really FFX.  As additional iterations are necessary to maintain a security level, we need to be careful about the claims we make in relation to security.