Re: QUIC-LB update: Eliminate block ciphers?

Phillip Hallam-Baker <phill@hallambaker.com> Wed, 06 October 2021 23:20 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC02B3A09EF for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 16:20:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.648
X-Spam-Level:
X-Spam-Status: No, score=-1.648 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K3APOqLT09Sj for <quic@ietfa.amsl.com>; Wed, 6 Oct 2021 16:20:48 -0700 (PDT)
Received: from mail-yb1-f179.google.com (mail-yb1-f179.google.com [209.85.219.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47AD13A09EC for <quic@ietf.org>; Wed, 6 Oct 2021 16:20:48 -0700 (PDT)
Received: by mail-yb1-f179.google.com with SMTP id i84so9041497ybc.12 for <quic@ietf.org>; Wed, 06 Oct 2021 16:20:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aSuoziJcwCiW0bWyAVW4fJlOjr8q8k7Nlm0oJulCAc0=; b=IK7s0dIczWlCxECMr3kCJSUJNYlUXVw7DuzeTsGrU58CicNb6y5V3IXKrhHf70VsCH c3p3IYaHSBzUZV7jFpmkPITNaHZK87Z9Qwe4Z4g+gpRjrMxbFy6PRBLvd9ncyHHh124U YaIX1IZH40AkUK4CV81NZLcgdJGgiKUI1LPS8bI0iiva0HwjFUfg1daxWS3YJR6ULVPN 1kP8F8Rh+2q14gSUdu7lQ1kNlh7Kd0d7yGzmChOU2ZUt+eR3BFmyzio0htB3pos6QyYg 0jdXuXjuiiYUgighqBq/Zk3OmKmENaqnue/0I57bDRZOsL8qpR5ATFt2gvQIRmM50JnQ l/Bg==
X-Gm-Message-State: AOAM531rYyg2S0ecfcE1vttUZZQoffEET3OdSR+Cj3p6jZdxwZWD9rx7 wxCqXjYw2mbJVPTb8mF2fkHQ0i4rImJIrRK1SwlAvMOw
X-Google-Smtp-Source: ABdhPJy03ftQYzMrTWbaR9nHWLIOcVn3/A2JoRZ/3vDHZ+DsfJUKCL6J9uH4v1yNWll96ZhUgMllAlOE30RdlXLcae8=
X-Received: by 2002:a25:4cc3:: with SMTP id z186mr1087875yba.212.1633562447410; Wed, 06 Oct 2021 16:20:47 -0700 (PDT)
MIME-Version: 1.0
References: <CAM4esxT=QrJBaPsmK-6dXV+WUYn+tiHUEk_PpJu9L_agdU4EtQ@mail.gmail.com> <6f4f125359b247f588c8a74eb7ebfa1a@huawei.com> <CAKcm_gNRmKEDninEbHd6L_Jf7qJRBOvh5q2VyQT4FFabnDKL6g@mail.gmail.com> <CAM4esxQ7oUb2k3HKs21gUy15FxDr3wMDPH4EyR8FkX8q+a9A3Q@mail.gmail.com> <CAMm+Lwg2Ds=MdKXcry-ukRjc3nSjXy4XHXFdBU8eJP9S9xOchg@mail.gmail.com> <4c53f268-3d1b-562c-da5b-9973737464dc@huitema.net> <3ca56d7b-072e-4206-be10-c7732d796d36@www.fastmail.com>
In-Reply-To: <3ca56d7b-072e-4206-be10-c7732d796d36@www.fastmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Wed, 6 Oct 2021 19:20:36 -0400
Message-ID: <CAMm+LwjazawphkGCAEeWKonfJrWdmc2mNBUPgeCrytzA1GA0Cg@mail.gmail.com>
Subject: Re: QUIC-LB update: Eliminate block ciphers?
To: Martin Thomson <mt@lowentropy.net>
Cc: IETF QUIC WG <quic@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000657b3c05cdb76549"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/bAgCanKZEAds88-oufnONCwUlR0>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 23:20:53 -0000

I think this is a different cryptographic construct and we should create a
name for the generic. Something like Keyed Permutation.

Rather than bikeshed the name here, I propose taking it to either CFRG or
the Cryptography list (or both) to socialize the concept. It is quite
possible that there is a prior nomenclature we should follow.


It is not clear to me what the precise security properties required here
are. For my particular application, they are fairly weak because I am only
providing some traffic analysis resistance. I am not interested in
plaintext recovery attack, but I do care about the attacker being able to
discover that E(n), E(N+1) are a sequence.

None of my systems are going to collapse if this primitive is broken but it
might afford a foothold.


On Wed, Oct 6, 2021 at 6:13 PM Martin Thomson <mt@lowentropy.net> wrote:

> On Thu, Oct 7, 2021, at 07:02, Christian Huitema wrote:
> > Phil,
> >
> > What we have in the current LB spec is called a "stream cipher", but
> > that's a misnomer. What we have in the spec is actually a variable size
> > block cipher, derived from AES-ECB using a construct similar to FFX.
> > Your review of that algorithm would be appreciated.
>
> Christian,
>
> I would call this a Feistel network, but avoid talking about FFX.  FFX has
> a bunch of guidance about the number of iterations of the network that this
> ignores; to call this FFX or even imply that it is FFX isn't really fair.
> When you get right down to it, the real contribution in FFX is the analysis
> that produces guidance on the number of iterations and the inclusion of
> tweaks; if you use neither, then it's not really FFX.  As additional
> iterations are necessary to maintain a security level, we need to be
> careful about the claims we make in relation to security.
>
>