
RE: [Cfrg] Authenticated encryption primitive -- SOBER-128



Doug,

you're right that the keystream-generator-based MAC approach needs to have more analysis. At this point, all we have is preprints. I do think that there's plenty of motivation for replacing RC4 with a cipher that has a nonce (and can thus protect unreliable packet flows) and that isn't easily distinguishable from random. So to my mind we need to keep both of these goals separate; SOBER-128 and/or Helix may turn out to be great PRFs but junky MACs.

Also, is the Helix paper on the web yet?

thanks,

David

At 03:50 AM 5/12/2003 -0700, Doug Whiting wrote:
I just want to express my concern about trying to make an RFC out of anything like this without considerably more time for analysis. I agree that various flavors of SOBER have seen some good amounts of cryptanalysis, though I'm not sure that it has had enough yet (I'm simply not sure how many really good folks have spent significant time on it). One concern is that there have simply been too many SOBER versions already, which urges some caution from my perspective, although there may be very good reasons for the different versions. More importantly, adding a very significant new cryptographic "feature" such as a MAC does not in any way constitute a "tweak" that should be assumed to inherit the security properties of the original algorithm(s).

I say this as a co-author of Helix, and as someone who believes, like you, that such combo algorithms are quite interesting. However, I believe that this entire concept needs time to be carefully analyzed by the crypto community before being put into serious use. We simply are not there yet. The Helix folks would consider it quite inappropriate to start standardizing at this time on any such algorithm, including Helix, without quite a bit of time passing, perhaps a few years. That's roughly how much time AES had, and it had (and continues to have) basically all the best cryptanalysts looking at it very seriously. Of course, even just the passage of time doesn't guarantee that a new algorithm (class of algorithms) has been properly vetted; the algorithm must also receive serious scrutiny from several well-qualified folks. That is, the passage of such time is a necessary but not sufficient condition.

Don't take this as a criticism of SOBER-128 per se. I believe that this caution should be applied to all algorithms of this class.

Doug Whiting

> -----Original Message-----
> From: Greg Rose [mailto:ggr@qualcomm.com]
> Sent: Sunday, May 11, 2003 3:07 PM
> To: Alex Alten
> Cc: Greg Rose; cfrg@ietf.org
> Subject: Re: [Cfrg] Authenticated encryption primitive -- SOBER-128
>
>
> At 11:00 PM 5/10/2003 -0700, Alex Alten wrote:
> >Have you had any serious independent cryptanalysis done on SOBER-128 that proves that it is well designed?  It's no good throwing it to the wolves until you can defend it properly.
>
> Yes. If you read the details, SOBER-t32 has been analysed up the wazoo, and was secure at the 128-bit level; just not at the 256-bit level that we thought, which ruled it out of NESSIE. Most of this analysis was done on the "unstuttered" -t32, and applies directly to SOBER-128.
>
> regards,
> Greg.
>
> Greg Rose                    INTERNET: ggr@qualcomm.com
> Qualcomm Australia           VOICE: +61-2-9817 4188   FAX: +61-2-9817 5199
> Level 3, 230 Victoria Road, Gladesville NSW 2111
> http://people.qualcomm.com/ggr/
> 232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
>
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg