Re: [secdir] [Cfrg] ISE seeks help with some crypto drafts
Tony Arcieri <bascule@gmail.com> Sun, 10 March 2019 22:31 UTC
Return-Path: <bascule@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2578130DF6 for <secdir@ietfa.amsl.com>; Sun, 10 Mar 2019 15:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kd60A9Oqn37i for <secdir@ietfa.amsl.com>; Sun, 10 Mar 2019 15:31:25 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E7DC12AF7D for <secdir@ietf.org>; Sun, 10 Mar 2019 15:31:25 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id t206so2179115oib.3 for <secdir@ietf.org>; Sun, 10 Mar 2019 15:31:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XMICp+NbPh2S4La/ri43Q8T3NLbQXZHSdF7ISVBTgQ0=; b=PMP+C+RSLd1zMyzbbxmVM5NaCx4QRfJxllQ2smHqXSSgeCGPTUvcci4O7muCE+KumG e6lxrn8udE+ZKwfx4pCgGQj/SjRyYyno0Wm9a14HA3YMKQ2HGL0KADEE84nc6pRe8f41 d/KuoCZZjFI+sgC5SM8BkjcAkoocQjrPThIXpa16onOW4FaRSuBWl5tmoRUHHUmZ+QUm 3qFUXw40jy+DCOLkMYwcXmsq+GKIXa5kubuZVpZHO/KwGbMS3eP3xhT6rG8W39NT5sS9 +xuxMIox+GDLD7/b9a4oG93PegU9IYwZTBTpfdXWZPm5TxX8vT1rk/NioJ/YPg6E8hrk cWRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XMICp+NbPh2S4La/ri43Q8T3NLbQXZHSdF7ISVBTgQ0=; b=MJEj/iSOzUgbvyT8Sbzmlf4Pv1TxqqCKhkgQaRpT17BHgp5zX9JShdqq5OGzxEl8s0 OpjQj2skflgu0D1K33MNWEe4Wzj6Y+h3aT1yyRyhvkIHlZa4r4WnQRb+9f2KDt+XsDav wRj6fMgZ9dRwCMUCMOa8ed9JLOTLBhQN6MTM95DmpP+fzaicjiI8YG16FBnmxYIL9w+f qs51LaFoOqEaFdnrPZY6nWLbniCXaiwoamKmXJuAvPui61aT8K+b7kFmiMUT6QYIQahP /pgvtEQGnZp38EOoSwuBn1CmI3ikEh3ZlCyIioYIJ0J9HAm6Ec289wy6QhWUy+ltQEmv 2DpA==
X-Gm-Message-State: APjAAAXL3oVACwoeEB30DlEa7Dv7DjFZMrB10ikPub7haXxDRr/88o7Z jGjP6W3n8hSxPfQe038yOLkIT9aq1KS38+O07ZmjCQ==
X-Google-Smtp-Source: APXvYqyIAk/mVXiM7WBxckV690df8cP3d8o9aoA/hPhe/FZzF1ZaMzFCMk3TItA4P0ObANrToHjHjtzRhFWtpxRqpeo=
X-Received: by 2002:aca:f546:: with SMTP id t67mr14464643oih.152.1552257084378; Sun, 10 Mar 2019 15:31:24 -0700 (PDT)
MIME-Version: 1.0
References: <1d8de489fc976b63a911573300a431d4.squirrel@www.amsl.com> <alpine.LRH.2.21.1903081227200.30421@bofh.nohats.ca> <CAHOTMVLtjVxZNy3bFRn09xH+cOw+tPi2CL3BkaQuJEqxAzGOJg@mail.gmail.com> <edca701b-21f3-c80c-d754-fc333f1e2e04@cs.tcd.ie> <20190310182935.GE8182@kduck.mit.edu> <B876B124-7EDE-4E20-A878-3AAD3FA074BC@krovetz.net> <20190310191026.GF8182@kduck.mit.edu> <CAHOTMVJcosEgYV9caWapgyzQfh-g4k5DQry5n42bEfrkJvmdWQ@mail.gmail.com> <042b3f13-7d5a-12d7-e604-9f8cad197608@cs.tcd.ie>
In-Reply-To: <042b3f13-7d5a-12d7-e604-9f8cad197608@cs.tcd.ie>
From: Tony Arcieri <bascule@gmail.com>
Date: Sun, 10 Mar 2019 15:31:12 -0700
Message-ID: <CAHOTMV+XDdFWWwWzyAXELvRj-C_BCZ6UBn4XHdj2mLEvih2rKg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Benjamin Kaduk <kaduk@mit.edu>, CFRG <cfrg@irtf.org>, "RFC ISE (Adrian Farrel)" <rfc-ise@rfc-editor.org>, secdir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d55a60583c50402"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-XCvL9mX0DR2cFKmTYR8bjgtJ0Y>
Subject: Re: [secdir] [Cfrg] ISE seeks help with some crypto drafts
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 22:31:34 -0000
On Sun, Mar 10, 2019 at 2:47 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > One interesting question might be: is OCB so much better > that it could we displace uses of some existing mode with > OCB. That seems unlikely to me for the widely used modes. > > Another interesting question might be: is OCB so much > better that we want to deploy it alongside current modes. > I don't see the overall benefit of that myself. > > So even though I'm happy to accept that OCB has better > properties than e.g. GCM, I don't think it's so much > better that RFCs for it are that useful. Let me provide some context here with a survey of existing modes and explain why OCB is interesting: - AES-GCM: exceedingly common on desktop/laptop/server-class computers and high-end mobile phones. Provides performance roughly equivalent to the underlying AES function on these devices, provided they have a superscalar architecture and have (P)CLMUL(QDQ) units which can be used in parallel with the units that perform AES - AES-CCM: exceedingly common in the embedded space. This is due in part to two things: FIPS regulations and the number of embedded devices they apply to (smartcards and other security tokens, as well as things like HSMs), but also because embedded CPUs/uCs generally will perform quite poorly at AES-GCM - ChaCha20+Poly1305: extremely simple authenticated encryption based in a tiny core ARX primitive for encryption and universal hashing for authentication. Extremely fast in software, but slower than hardware accelerated primitives These modes have a sort of triangle of tradeoffs: - AES-GCM is fast if and only if you have a superscalar CPU with both hardware AES and CLMUL - AES-CCM is fast (faster than ChaCha20Poly1305) if you have hardware accelerated AES, but runs the AES encryption twice as many times as AES-GCM, and has a non-parallelizable encryption function - ChaCha20Poly1305 is faster than AES-GCM on devices that do not have CLMUL support, but slower than AES-CCM on devices which have hardware AES support Hardware AES support has been steadfastly improving over many years and is available in all but the cheapest microcontrollers (i.e. even where there are cheap uCs without it, there is often a "crypto accelerator" model of the same uC which does). When hardware AES is available, OCB "squares the triangle" so to speak, and provides a sort of force multiplier where the other modes have tradeoffs. For new protocols which are shooting for "ubiquitous deployment", i.e. targeting servers/laptops/desktops, mobile phones, *and* the embedded space, and want one mode that "works well everywhere", this makes OCB an ideal candidate. It'd be good to handle the cases that hardware AES isn't available, and also have a "fallback cipher" on the outside chance some horrible cryptanalysis disaster befalls OCB, so you'd still want to pair it with ChaCha20+Poly1305 as a backup cipher. That said, for those protocols who would rather simplify cipher selection rather than having a backup card in their pocket, OCB is a particularly attractive mode for "One True Ciphersuite" (a.k.a. 1TCS) protocols.
- [secdir] ISE seeks help with some crypto drafts RFC ISE (Adrian Farrel)
- Re: [secdir] ISE seeks help with some crypto draf… Paul Wouters
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Salz, Rich
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… David Wong
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Stephen Farrell
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… John Mattsson
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Aaron Zauner
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Aaron Zauner
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Aaron Zauner
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… mcgrew
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Aaron Zauner
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Ted Krovetz
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Paul Hoffman
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Paul Wouters
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Watson Ladd
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Paul Wouters
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Paul Hoffman
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… S Moonesamy
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Benjamin Kaduk
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Uri Blumenthal
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Ted Krovetz
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Benjamin Kaduk
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Uri Blumenthal
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Stephen Farrell
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Tony Arcieri
- [secdir] Time to recharter CFRG as a working grou… StJohns, Michael
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Tony Arcieri
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Peter Gutmann
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Salz, Rich
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Salz, Rich
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… John Mattsson
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Valery Smyslov
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Mathy Vanhoef
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Michael StJohns
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Richard Barnes
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Salz, Rich
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Stephen Farrell
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Michael StJohns
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… denis bider
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Richard Barnes
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Daniel Kahn Gillmor
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Michael StJohns
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Paterson Kenneth
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Paul Wouters
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Uri Blumenthal
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Tony Arcieri
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Tony Arcieri
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Paterson Kenneth
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… denis bider
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Watson Ladd
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Melinda Shore
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Uri Blumenthal
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… denis bider
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Peter Gutmann
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Melinda Shore
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… mcgrew
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… denis bider
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Watson Ladd
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Paul Wouters
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Donald Eastlake
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Michael StJohns
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Peter Gutmann
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… mcgrew
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Tero Kivinen
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Peter Gutmann
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Tero Kivinen
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Peter Gutmann
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… StJohns, Michael
- Re: [secdir] [Cfrg] Time to recharter CFRG as a w… Stephen Farrell
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] ISE seeks help with some crypto draf… Eric Rescorla
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Eric Rescorla
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… mcgrew
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Blumenthal, Uri - 0553 - MITLL
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… mcgrew
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Ted Krovetz
- Re: [secdir] [Cfrg] ISE seeks help with some cryp… Benjamin Kaduk