RE: [Cfrg] Authenticated encryption primitive -- SOBER-128

Doug Whiting <DWHITING@hifn.com> Wed, 14 May 2003 20:31 UTC

Message-ID: <51C7002B020CD411824E009027C469F7F40099@cldxch01.hifn.com>
From: Doug Whiting <DWHITING@hifn.com>
To: 'David Mcgrew' <mcgrew@cisco.com>
Cc: cfrg@ietf.org
Subject: RE: [Cfrg] Authenticated encryption primitive -- SOBER-128
Date: Wed, 14 May 2003 13:20:46 -0700

Yes, I agree on all your points.  The Helix paper is posted on Niels
Ferguson's web site:

http://www.macfergus.com/pub/index.html

It would be great to have a "better" replacement for RC4.  I just want
to make sure that we take our time and do it right, whatever that means.  
The AES process was so good that it's hard to settle for anything less :-)

Clearly, if we can get to a point in time where we're confident in some
"combo" keystream+MAC algorithm, then that would be an even preferable
replacement for RC4.


> -----Original Message-----
> From: David Mcgrew [mailto:mcgrew@cisco.com]
> Sent: Wednesday, May 14, 2003 1:17 PM
> To: Doug Whiting
> Cc: cfrg@ietf.org
> Subject: RE: [Cfrg] Authenticated encryption primitive -- SOBER-128
> 
> 
> Doug,
> 
> you're right that the keystream-generator based MAC approach needs to have
> more analysis.  At this point, all we have is preprints.  I do think that
> there's plenty of motivation for replacing RC4 with a cipher that has a
> nonce (and can thus protect unreliable packet flows) and that isn't easily
> distinguishable from random.  So to my mind we need to keep both of these
> goals separate; SOBER-128 and/or helix may turn out to be great PRFs but
> junky MACs.
> 
> Also, is the helix paper on the web yet?
> 
> thanks,
> 
> David
> 
> At 03:50 AM 5/12/2003 -0700, Doug Whiting wrote:
> >I just want to express my concern about trying to make an RFC out of
> >anything like this without considerably more time for analysis.  I agree
> >that various flavors of SOBER have seen some good amounts of cryptanalysis,
> >though I'm not sure that it has had enough yet (I'm simply not sure how
> >many really good folks have spent significant time on it).  One concern is
> >that there have simply been too many SOBER versions already, which urges
> >some caution from my perspective, although there may be very good reasons
> >for the different versions. More importantly, adding a very significant new
> >cryptographic "feature" such as a MAC does not in any way constitute a
> >"tweak" that should be assumed to inherit the security properties of the
> >original algorithm(s).
> >
> >I say this as a co-author of Helix, and as someone who believes, like you,
> >that such combo algorithms are quite interesting. However, I believe that
> >this entire concept needs time for being carefully analyzed by the crypto
> >community before being put into serious use.  We simply are not there yet.
> >The Helix folks would consider it quite inappropriate to start
> >standardizing at this time on any such algorithm, including Helix, without
> >quite a bit of time passing, perhaps a few years.  That's roughly how much
> >time AES had, and it had (and continues to have) basically all the best
> >cryptanalysts looking at it very seriously.  Of course, even just the
> >passage of time doesn't guarantee that a new algorithm (class of
> >algorithms) has been properly vetted; the algorithm must also receive
> >serious scrutiny from several well qualified folks. That is, the passage of
> >such time is a necessary but not sufficient condition.
> >
> >Don't take this as a criticism of SOBER-128 per se. I believe that this
> >caution should be applied to all algorithms of this class.
> >
> >Doug Whiting
> >
> > > -----Original Message-----
> > > From: Greg Rose [mailto:ggr@qualcomm.com]
> > > Sent: Sunday, May 11, 2003 3:07 PM
> > > To: Alex Alten
> > > Cc: Greg Rose; cfrg@ietf.org
> > > Subject: Re: [Cfrg] Authenticated encryption primitive -- SOBER-128
> > >
> > >
> > > At 11:00 PM 5/10/2003 -0700, Alex Alten wrote:
> > > >Have you had any serious independent cryptanalysis done on SOBER-128
> > > >that proves that it is well designed?  It's no good throwing it to the
> > > >wolves until you can defend it properly.
> > >
> > > Yes. If you read the details, SOBER-t32 has been analysed up the wazoo,
> > > and was secure at the 128-bit level; just not at the 256-bit level that
> > > we thought, which ruled it out of NESSIE. Most of this analysis was done
> > > on the "unstuttered" -t32, and applies directly to SOBER-128.
> > >
> > > regards,
> > > Greg.
> > >
> > > Greg Rose                   INTERNET: ggr@qualcomm.com
> > > Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
> > > Level 3, 230 Victoria Road, Gladesville NSW 2111
> > > http://people.qualcomm.com/ggr/
> > > 232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
> > >
> 
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg