IETF
cfrg
cfrg@jabber.ietf.org
Monday, November 14, 2016
rsalz has set the subject to: CFRG at IETF-96
GMT+0
[03:31:23] bergtau joins the room
[03:49:33] bergtau leaves the room
[03:50:05] bergtau joins the room
[03:51:54] bergtau joins the room
[03:52:21] bergtau leaves the room
[03:57:58] spromano@jabber.org joins the room
[04:06:21] Yoav Nir joins the room
[04:11:09] Yoav Nir has set the subject to: CFRG at IETF-97, Monday 13:30 at the Park Ballroom 1. https://datatracker.ietf.org/meeting/97/agenda/cfrg/
[04:13:18] Yoav Nir leaves the room
[04:16:20] Kaoru Maeda joins the room
[04:19:28] Meetecho joins the room
[04:20:29] bergtau joins the room
[04:22:12] Yoav Nir joins the room
[04:24:48] Frederico A C Neves joins the room
[04:25:13] Lorenzo Miniero joins the room
[04:25:13] Vasily Nikolaev joins the room
[04:25:13] Scott Fluhrer joins the room
[04:26:46] bergtau leaves the room: Disconnected: No route to host
[04:26:51] Alexander Truskovsky joins the room
[04:27:19] Mike Brown joins the room
[04:28:09] Scott Fluhrer leaves the room
[04:28:20] whatdafuq joins the room
[04:28:36] Adam Langley joins the room
[04:29:35] Dan Harkins joins the room
[04:30:17] Phill Hallam-Baker joins the room
[04:31:14] Adam Langley leaves the room
[04:31:16] Yoshiro Yoneya joins the room
[04:31:18] jimsch1 joins the room
[04:31:22] wseltzer@jabber.org joins the room
[04:31:26] Adam Montville joins the room
[04:32:06] Adam Langley joins the room
[04:32:07] <Yoav Nir> Document Status (slide #7)
[04:32:53] A A joins the room
[04:32:55] Scott Fluhrer joins the room
[04:33:23] Kyle Rose joins the room
[04:33:31] Panos Kampanakis joins the room
[04:33:49] A A leaves the room
[04:34:47] kivinen joins the room
[04:35:03] <Yoav Nir> Crypto Review Panel (slide #8)
[04:36:52] DanYork joins the room
[04:37:11] Hajime Watanabe joins the room
[04:38:34] Randy Bush joins the room
[04:38:36] <Adam Langley> I think so
[04:38:40] <Yoav Nir> Update from Adam about AES-GCM-SIV
[04:38:54] kadukoafs@gmail.com/barnowl88AAA133 joins the room
[04:38:55] <Yoav Nir> https://datatracker.ietf.org/meeting/97/agenda/cfrg/
[04:39:02] <Yoav Nir> sorry.
[04:39:04] <Yoav Nir> https://www.ietf.org/proceedings/97/slides/slides-97-cfrg-aes-gcm-siv-status-update-00.pdf
[04:39:53] svan joins the room
[04:39:56] Olafur joins the room
[04:40:36] <Yoav Nir> Looking at slide #2 (Dramatis Personae)
[04:40:46] <Yoav Nir> Slide #3
[04:41:16] <Yoav Nir> slide #4 (nonce-misuse resistance)
[04:41:40] Randy Bush leaves the room
[04:41:44] Simon Pietro Romano joins the room
[04:41:49] Randy Bush joins the room
[04:42:28] <Yoav Nir> slide #5
[04:42:51] <whatdafuq> RFC 5297 has all of the cryptographic properties you describe. How is this different than RFC 5297?
[04:43:08] <Yoav Nir> slide #6
[04:43:17] <Yoav Nir> Do you want this relayed to the mic?
[04:43:33] m h joins the room
[04:43:59] <Yoav Nir> whatdafuq: mic?
[04:44:13] <whatdafuq> sorry, yes. mic: <my comment>
[04:44:40] Randy Bush_9026 joins the room
[04:45:24] Hajime Watanabe leaves the room
[04:45:35] Hajime Watanabe joins the room
[04:45:59] Randy Bush leaves the room
[04:46:12] <whatdafuq> mic: can this also be used as a deterministic AEAD scheme (i.e. w/o nonce) or is a nonce required?
[04:46:25] Satoru Kanno joins the room
[04:47:04] <Yoav Nir> (I'm in line...)
[04:49:23] <whatdafuq> mic: so some nonce is required, random or not. Right? The API cannot be invoked without a nonce?
[04:49:26] dkg joins the room
[04:50:34] Darshak Thakore joins the room
[04:50:54] <whatdafuq> continued, mic: deterministic AEAD is AEAD invoked without a nonce at all.
[04:51:38] <kadukoafs@gmail.com/barnowl88AAA133> The "nonce" is derived from the plaintext, as I understand it.
[04:52:02] Karen O'Donoghue joins the room
[04:54:03] <whatdafuq> AES-SIV was presented to TLS back in '07 and the reaction was, "we all know how to increment nonces, this isn't necessary"
[04:54:11] <whatdafuq> sorry, mic: ^^^
[04:55:27] <Dan Harkins> the IV is derived (in part) by the plaintext. But with this scheme a nonce is required.
[04:57:01] <Yoav Nir> https://www.ietf.org/proceedings/97/slides/slides-97-cfrg-on-re-keying-mechanisms-for-extending-the-lifetime-of-symmetric-keys-01.pdf
[04:57:23] <Yoav Nir> slide #3
[04:57:41] <Adam Langley> If I was unclear: this AEAD takes a nonce. I believe that a deterministic scheme could be made simply by fixing the nonce to zero.
[04:58:03] Lorenzo Miniero leaves the room
[04:58:25] Simon Pietro Romano leaves the room
[04:58:26] mcr/dooku joins the room
[04:58:42] <Yoav Nir> slide #4
[04:58:46] <mcr/dooku> I really liked that Adam was sitting in the highback chair. If only he'd had a pipe as well.
[04:59:09] kadukoafs@gmail.com/barnowl88AAA133 leaves the room
[04:59:25] <Adam Langley> The current draft (https://tools.ietf.org/html/draft-irtf-cfrg-gcmsiv-02) specifies a limit of 2^32 messages in such a situation
[04:59:50] <whatdafuq> RFC 5297 can be invoked without a nonce at all.
[05:00:04] <Adam Langley> I have a bottle of whiskey next to the chair, at least, but it wasn't visible I'm afraid.
[05:00:15] <whatdafuq> it's a kind of key-wrapping alternative that can use AAD.
[05:00:35] <Yoav Nir> slide #7
[05:01:11] <Adam Langley> I believe that RFC 5297 will have a limit on the number of messages encrypted without a nonce too.
[05:01:25] <Yoav Nir> slide #9
[05:01:57] <Yoav Nir> slide #10
[05:02:39] svan leaves the room: Replaced by new connection
[05:02:42] svan joins the room
[05:02:43] <Yoav Nir> slide #11
[05:02:56] js joins the room
[05:04:16] <Yoav Nir> slide #12
[05:04:26] <whatdafuq> the "P_MAX" parameter (defined in RFC5116's registry) is 2^132 octets.
[05:04:48] <whatdafuq> that is, RFC 5297's P_MAX is 2^132
[05:04:55] <Yoav Nir> slide #13
[05:05:31] <Yoav Nir> slide #15
[05:05:45] kadukoafs@gmail.com/barnowl88AAA133 joins the room
[05:06:03] <Yoav Nir> slide #16
[05:06:04] <Adam Langley> P_MAX is the limit on the size of a specific message.
[05:06:51] <Adam Langley> Section 2.6 gives the encryption and the AES initial counter is a pseudo-random value. Thus there is a collision risk that increases as the number of messages increases.
[05:07:23] <Yoav Nir> slide #18
[05:07:39] <Adam Langley> But the draft doesn't obviously give bounds on the number of messages per key. It might well do better than SIV-GCM, but there will be *a* bound.
[05:08:09] <Yoav Nir> slide #19
[05:08:11] <whatdafuq> RFC 5297 says that no more than 2^48 invocations be made with the same key.
[05:08:49] <Adam Langley> ah, that'll be it then. GCM-SIV is saying 2^32.
[05:09:06] <Yoav Nir> slide #20
[05:09:41] <Yoav Nir> slide #22
[05:10:36] <Yoav Nir> slide #25
[05:10:52] <Yoav Nir> slide #26
[05:10:56] <Yoav Nir> slide #27
[05:11:10] <Yoav Nir> slide #28
[05:11:17] <Yoav Nir> slide #29
[05:11:36] <Yoav Nir> slide #30
[05:11:44] <Yoav Nir> slide #31
[05:11:49] <Yoav Nir> slide #32
[05:12:04] awhalley joins the room
[05:12:53] <Yoav Nir> slide #33
[05:13:59] <Yoav Nir> slide #34
[05:13:59] Adam Montville leaves the room
[05:15:54] <Yoav Nir> slide #35
[05:16:14] <Yoav Nir> Dave McGrew at the mic
[05:16:17] bergtau leaves the room
[05:17:07] bergtau joins the room
[05:19:43] <Yoav Nir> https://www.ietf.org/proceedings/97/slides/slides-97-cfrg-secure-mac-algorithms-for-use-with-ntp-00.pptx
[05:20:44] <Yoav Nir> (I thought we were supposed to upload only PDF and that if we did upload pptx it would be auto-converted...)
[05:21:17] <Yoav Nir> slide #2
[05:21:37] <Yoav Nir> slide #3
[05:22:03] <Yoav Nir> (we're using the animations in the room)
[05:22:47] <mcr/dooku> ... but the PDF can't easily be animated if you start with MS-Office.  OO has had (but lost?) an option to export a PDF page per animation step...
[05:23:06] <Yoav Nir> slide #4
[05:23:24] Adam Montville joins the room
[05:23:33] <Yoav Nir> mcr: true, but I thought the meeting materials page should only give PDF.
[05:23:46] <Yoav Nir> And yes, I think the kind of export you describe is gone
[05:23:55] <Yoav Nir> slide #5
[05:24:32] <Yoav Nir> slide #7
[05:25:23] <Yoav Nir> Why is MD5 *faster* without AES-NI?
[05:25:24] Martin Thomson joins the room
[05:25:33] <Martin Thomson> surely she means just Poly1305
[05:25:39] <Yoav Nir> slide #8
[05:26:05] <Martin Thomson> why are we concerned about absolute time as opposed to the variation in time?
[05:26:23] <Yoav Nir> slide #9
[05:26:31] Satoru Kanno leaves the room
[05:26:32] Satoru Kanno joins the room
[05:26:38] <Martin Thomson> work out how long it takes to calculate a MAC and add that time to the numbers you provide
[05:27:03] <kadukoafs@gmail.com/barnowl88AAA133> Do you even need to do that, given that you have to do rtt estimates anyway?
[05:28:05] <Martin Thomson> you mean that the MAC calculation time is added to the return flight time?  I assumed that this is because the server wants to ensure close to symmetric latency on each flight
[05:28:36] <Yoav Nir> slide #10
[05:28:36] <kadukoafs@gmail.com/barnowl88AAA133> Right, add to the return flight time.
[05:28:51] <kadukoafs@gmail.com/barnowl88AAA133> I thought that NTP didn't assume symmetric path, but am not actually sure.
[05:28:56] <Martin Thomson> if the client is modelling based on symmetric flight time, a 1us delay adds a 0.5us skew to the time
[05:29:24] <Martin Thomson> oh, yeah, there are corrections for that, might be worth asking
[05:29:30] <Yoav Nir> slide #11
[05:29:58] <mcr/dooku> Yoav, the secretariat doesn't do the PPT->PDF conversion until next week, alas.
[05:30:34] <mcr/dooku> Martin, I thought that she was clear that she cares about jitter (variations) in time.  But, if the calculation is faster, you can process more messages.
[05:31:52] <mcr/dooku> I don't understand the part about servers sharing keys, are we talking about because a single IP address is load balanced to multiple systems? (or anycast).  And isn't this symmetric key per peer?
[05:32:29] <Martin Thomson> not just multiple hosts, but multiple operators (from what I understand)
[05:33:04] <Yoav Nir> ekr @ the mic
[05:35:22] js leaves the room
[05:36:24] Karen O'Donoghue leaves the room
[05:36:49] <Yoav Nir> https://www.ietf.org/proceedings/97/slides/slides-97-cfrg-hash-based-signatures-update-and-batch-message-signing-00.pptx
[05:36:52] <mcr/dooku> better than "post-modern cryptography"... the andy warhol of AES.
[05:37:22] <Yoav Nir> slide #2
[05:37:32] Avri Doria joins the room
[05:37:38] Frederico A C Neves leaves the room
[05:38:38] <Yoav Nir> slide #3
[05:39:26] <Yoav Nir> slide #4
[05:40:16] <Yoav Nir> slide #5
[05:41:11] <Yoav Nir> slide #6
[05:41:38] <Yoav Nir> slide #7
[05:41:45] <Yoav Nir> slide #8
[05:42:39] <Yoav Nir> slide #9
[05:42:39] wseltzer@jabber.org leaves the room
[05:43:33] <Yoav Nir> slide #10
[05:43:46] Vasily Nikolaev leaves the room
[05:44:29] Adam Montville leaves the room
[05:44:43] <Yoav Nir> slide #12
[05:45:18] Vasily Nikolaev joins the room
[05:45:22] <mcr/dooku> "turtles all the way down" is a quote which is probably unknown to under 30s.
[05:45:25] <Yoav Nir> slide #13
[05:46:05] <Yoav Nir> mcr: can't contradict, but why?
[05:46:10] <Yoav Nir> slide #14
[05:46:56] <Yoav Nir> IOW why would a 40-yo recognize this
[05:47:01] David Black joins the room
[05:47:09] <Yoav Nir> Tero at the mic
[05:48:04] <mcr/dooku> https://en.wikipedia.org/wiki/Surely_You%27re_Joking,_Mr._Feynman! is a 31 year old book.... it went around universities in the late 80s and early 90s, and then faded out.
[05:49:15] <Martin Thomson> if you have k[x] usable from t(x) to t(x+1), then you have to ensure that you weren't alive in another incarnation any time between now and the start of the interval such that you might have already used that entry
[05:49:29] svan leaves the room: Replaced by new connection
[05:49:31] svan joins the room
[05:50:06] David Black_237 joins the room
[05:50:34] <mcr/dooku> If we can assume that cloning always involves a OS sync call, then maybe we can do something.
[05:50:42] <Yoav Nir> slide #15
[05:51:23] <kivinen> Thomson: yes, but if we split the 2^20 top level signatures for 10 year lifetime we have lifetime of 5 minutes for each key.
[05:51:54] David Black_237 leaves the room
[05:51:56] <mcr/dooku> kivinen, so as long as we sleep(300) after a clone, we are good?
[05:52:03] <kivinen> yes...
[05:52:14] <mcr/dooku> if we can know when the VM is cloned...
[05:52:23] Frederico A C Neves joins the room
[05:52:31] <mcr/dooku> (or when a clone starts)
[05:52:38] <Yoav Nir> slide #16
[05:53:15] <kivinen> or you can make it 3 levels in hierarchy, i.e. one key for each day (2^20 days), 12 keys for seconds, i.e. one key for each 80 ms...
[05:53:28] <Martin Thomson> 5 minutes is a long time, though 30 seconds might be ok (1y)
[05:54:03] <Martin Thomson> keys that are valid for 10 years might be needed for software update I guess
[05:54:15] <Yoav Nir> slide #17
[05:54:45] js joins the room
[05:55:22] <Yoav Nir> slide #18
[05:55:49] js leaves the room
[05:56:42] <Yoav Nir> slide #19
[05:56:58] <kadukoafs@gmail.com/barnowl88AAA133> You might need more than 10 years for that.
[05:57:52] js joins the room
[05:58:07] awhalley leaves the room: Disconnected: closed
[05:58:26] Evgeny Alekseev joins the room
[05:58:28] bergtau joins the room
[05:59:04] js leaves the room: Replaced by new connection
[05:59:05] js joins the room
[05:59:10] js leaves the room
[05:59:29] <Yoav Nir> slide #21
[05:59:38] bergtau leaves the room
[05:59:39] <Yoav Nir> slide #22
[06:00:06] <Yoav Nir> slide #23
[06:03:24] <Yoav Nir> slide #25
[06:05:27] <Yoav Nir> slide #26
[06:05:58] wseltzer joins the room
[06:06:23] <Yoav Nir> https://www.ietf.org/proceedings/97/slides/slides-97-cfrg-post-quantum-secure-cryptography-discussion-00.pptx
[06:07:03] <Yoav Nir> slide #2
[06:07:11] <Yoav Nir> slide #3
[06:07:18] Frederico A C Neves leaves the room
[06:10:19] Frederico A C Neves joins the room
[06:10:29] <Scott Fluhrer> We don't know enough to say "no QC will break AES-128"
[06:10:32] awhalley joins the room
[06:12:19] <whatdafuq> mic: if your large symmetric keys are not the result of your larger asymmetric operation then what's the post QC benefit? Shouldn't this question be regarding asymmetric key sizes?
[06:14:43] <awhalley> Scott: I wonder if there was some confusion between AES-256 and 256-bit security level.
[06:15:00] <whatdafuq> ahh, perhaps yes.
[06:15:31] Frederico A C Neves leaves the room
[06:16:16] <Scott Fluhrer> We know that Grover's search can recover a 128 bit AES key with O(2**64) AES operations by a QC.  What we don't know is the size of the constant within the O()
[06:17:38] <awhalley> Indeed - and we should design for the worst case :-)
[06:18:12] <Scott Fluhrer> Not disagreeing; I was just responding to the guy who stated "no QC will ever break AES-128"
[06:18:24] <awhalley> totally
[06:19:55] <Yoav Nir> slide #4
[06:20:21] <Kyle Rose> With enough beer, I can probably be convinced that a QC that can perform 2^64 operations in a reasonable amount of time is impossible. But I don't need to be convinced that one can't perform 2^128 operations in the lifetime of the universe.
[06:20:59] svan leaves the room: Replaced by new connection
[06:21:02] svan joins the room
[06:22:41] Olafur leaves the room
[06:22:52] <whatdafuq> aka belt and suspenders
[06:23:47] <Kyle Rose> yep
[06:25:59] awhalley leaves the room
[06:26:59] Johan Liseborn joins the room
[06:28:39] Kyle Rose leaves the room
[06:29:15] DanYork leaves the room
[06:30:01] Yoshiro Yoneya leaves the room
[06:30:20] Martin Thomson leaves the room
[06:30:21] mcr/dooku leaves the room: Disconnected: No route to host
[06:30:49] svan leaves the room: I'm happy Miranda IM user. Get it at http://miranda-im.org/.
[06:30:50] Kaoru Maeda leaves the room
[06:30:55] <whatdafuq> thanks yoav for your help!
[06:30:59] kadukoafs@gmail.com/barnowl88AAA133 leaves the room
[06:31:11] jimsch1 leaves the room
[06:31:28] whatdafuq leaves the room
[06:31:31] kivinen leaves the room
[06:31:43] Hajime Watanabe leaves the room
[06:32:11] wseltzer leaves the room
[06:32:37] Meetecho leaves the room
[06:32:38] Yoav Nir leaves the room
[06:32:56] spromano@jabber.org leaves the room
[06:35:23] Panos Kampanakis leaves the room
[06:35:23] m h leaves the room
[06:43:41] dkg leaves the room
[06:46:44] Kaoru Maeda joins the room
[06:47:56] Kaoru Maeda leaves the room
[06:49:17] Kaoru Maeda joins the room
[06:49:59] bergtau leaves the room: Disconnected: closed
[06:50:09] Frederico A C Neves joins the room
[06:50:32] Frederico A C Neves leaves the room: Replaced by new connection
[06:51:10] Kaoru Maeda leaves the room
[06:51:10] Frederico A C Neves joins the room
[06:51:10] Frederico A C Neves leaves the room
[06:51:39] Frederico A C Neves joins the room
[06:54:33] Frederico A C Neves leaves the room: Replaced by new connection
[06:54:38] Frederico A C Neves joins the room
[06:57:29] mcr joins the room
[07:01:19] Martin Thomson joins the room
[07:02:19] Frederico A C Neves leaves the room
[07:02:34] js joins the room
[07:05:46] Kyle Rose joins the room
[07:12:58] Kyle Rose leaves the room
[07:13:51] mcr leaves the room: Disconnected: Replaced by new connection
[07:13:53] mcr joins the room
[07:25:00] wseltzer joins the room
[07:31:41] wseltzer leaves the room
[07:32:40] DanYork joins the room
[07:34:08] DanYork leaves the room
[07:44:05] js leaves the room
[08:19:41] wseltzer joins the room
[08:19:51] wseltzer leaves the room
[08:46:10] Martin Thomson leaves the room
[09:06:40] Karen O'Donoghue joins the room
[09:14:29] mcr leaves the room: Disconnected: closed
[10:06:23] Karen O'Donoghue leaves the room
[11:31:37] Karen O'Donoghue joins the room
[13:55:41] mcr joins the room
[13:55:52] mcr leaves the room
[13:59:28] Karen O'Donoghue leaves the room