Internet Engineering Task Force 113, 24 Mar 2022

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF113-CFRG-20220324-1330

Description

CFRG meeting session at IETF113
2022/03/24 1330

https://datatracker.ietf.org/meeting/113/proceedings/

A

B

Good afternoon.

B

I'm I'm very happy to open this first hybrid cfrg meeting in vienna.

B

So we do actually have quite a back agenda, so uh I'll try to keep on top of it.

B

So I'm alexi melnikov, my co-chairs, nick sullivan and stanislav, are remote. This time.

B

um Let's get started.

B

So, as you probably know, the session is being recorded, we have minutes in code dmd. I need a note taker.

B

Can somebody please volunteer to be a note taker.

B

Don't be shy, don't stare at your laptops.

C

I'll help I'll help chris, since I see he volunteered in the chat, this is rich.

B

That would be perfect. Thank you.

B

If somebody else can just sort of be a backup and help out with uh notes taking.

B

um Luckily, we don't need to do blue sheets in the former paper form you logi logging into metacore, whether it's metacore regular light will automatically add you to the blue sheets.

B

uh Rich, if you can mute yourself actually, your keyboard is very loud.

D

Yeah! Sorry about that.

B

um So uh irtf operates on the note. Well, uh you should be familiar with this already. If not, this is the slides with relevant rfcs, um but one of the main points is always be professional, be nice to each other be respectful.

B

uh Even if you disagree with the technical point.

B

And we are governed by good privacy and code of conduct.

B

As a quick reminder, this is irtf research group, so we do research here, not standardization. As such.

B

Cool so, uh and I will do a quick update on the document status. We have quite a few documents in flight. Actually, no um any agenda bashing. First.

E

Yeah um this is chris wood um notice. The the software topic on the pseudocode and sort of specification uh discussion is first um I'd like to recommend, given the highly technical nature of the agenda that that be moved to the end. So we reserve time for those more important things um I I'm happy to just you know if we need to in the interest of time, I can send an update to the mailing list to kick off discussion, but I don't want to take away time from the more technical topics that could use airtime.

B

Okay, uh that's fine, so you will want to start with key blinding then yeah, great, okay, fine. That sounds good.

B

Right so my apologies for a small font. We're trying to get trying to fit in all the documents in uh with the life expired, but the the gist of it is. We have one rfc published, which is hp, key rfc, 9180.

B

We have one document in rfc: rescue in misraff depend which is aspect 2, which depends on hash to curve. We and hashtag is already an rsg review, so hopefully it shouldn't be a long um till it's approved as well.

B

We have quite a few active documents. Pretty much everything was updated. Draw vrf is waiting for the document. Shepard um kangaroo 12 is also waiting for chairs to review result of second research group last call. I will get very few responses to this. So if you haven't reviewed the document or confirmed whether you still think it's a good idea, please send us a message or reply to the mailing list.

B

Other not worthy thing is.

B

Actually, uh the cfrg um appearing friendly curves is while it's expired. um There is another coeditor for the document and it's being worked on, so hopefully it will be refreshed soon.

F

E

um What's the status of the uh restretto draft, the the last time the state I do know it was updated to take into account the feedback from the crypto review panel review. um So I'm wondering uh like what the next steps are. um There are a number of documents that are building up dependencies on this and it'd be good to move that forward. So I'm just curious what the next steps are.

B

uh Yeah, I suppose we we should review it with micro chairs, but uh it sounds like you're you're, suggesting that it should move to a research group last call soon.

E

Yeah, that's my understanding.

B

Okay sounds good.

B

uh So the other thing is uh this is a our regular slide about crypto review panel that serves three purposes. It helps cfrg itself, security area, independence stream, edit stream to review.

B

Crypto related documents.

B

We just we announced new round of membership in this uh lost atf, um with discussion.

B

About um our past performances, as well as availability of different people, uh we basically capped everybody and added a couple of names: veranda, kumar and ludwig pereira.

B

I think that's it. The other thing I actually.

B

Just realized- and I forgot to have a slide zone in case you haven't noticed. We now have secretary. Thank you, chris wood for being a secretary in helping organize us and help us uh with a website and github and background, and now, let's get started.

B

G

Good afternoon I have a question on the crypto review panel. um I noticed that sometimes a request is being made and then it takes an extremely long time to get the review done, even though people really promised to do it in about a month, and these are all people in the crypto panel who volunteered for this position.

G

So it's not just a random person of the audience right so so a particular case was last year of a document that I had reviewed already three times and it took more than four months to uh essentially get any feedback.

B

So, are you still waiting for a view or are you just.

G

I'm not very still waiting for review, but I think uh it's it's really yeah. It's it's really hard to accept uh a four months delay of people who promise to do something in one month right.

B

Right, that's fair enough. uh Yeah! I think uh lesson here is uh chairs really should be on top of this and make sure that if you cannot fulfill that, we should should be able to find another reviewer.

B

A

B

B

Are you uh on crypto review panel or.

H

No, I I I um I just wanted to like. I had a follow-up question, but there's someone in the queue before me and I don't want to jump.

H

um I'm curious how how many requests for reviews that um uh sorry about that, I I I misattributed I looked at the name in the queue um I'll fix that in the notes. um I, uh I wonder how many requests for review the the the crypto review panel has at any given time. I'm just curious.

B

uh It really varies. Sometimes there are a couple of months or three months in a row. Then there are none and then sometimes you get two or three in one month or even like twice as many, I would say about two or three requests per month. On average.

B

I

G

Yes, renee, um so sorry, just one more question, I I looked at some of the. uh As we all know, uh the crypto uh uh mailing list is only sporadically being used for technical discussion, and I noticed that uh some documents apparently were ready to be uh to to proceed based on one crypto review panel review and it was absolutely a kind of a dead silence on the mainly mailing list, and I I always thought that crypto review panel was not a substitute for the normal operation of the sea of rg.

G

So I'm just wondering whether cfg is kind of dead and the crypto review panel is doing something in background right.

B

No, it's absolutely not substitute, that's they should they are basically working the same with the director. uh We should take offline any specific cases when you have concerns.

B

Right with this, uh chris wood keep landing on signature schemes, I'm going to.

E

E

Can you uh accept the request? Oh, are you driving.

B

uh No hold on, I can pass it to you. That'd probably be easier uh hold on. Let me cancel the request and then I'll.

B

I should be able to just pass slide control.

E

Okay, oh oh awesome. I know you could do that all right, uh yeah thanks everyone. um This is a presentation of a new draft um on this subject. We call key blinding for signature schemes, um joint work with uh frank, denis and eating it, and myself so for some context.

E

um Consider this the setting where you have what we call a single proverb: verifier, where the prover wants to convince um the verifier of you know, uh basically a signature over a message where the message is input on the left-hand side to the approver and the approver has a given key pair as input.

E

The approver runs some signing algorithm, producing a signature and sends message public, key and signature to the verifier, the verifier checks, this particular signature and outputs, basically a bit as to whether or not it's valid in this particular setting. uh We basically want that this.

E

uh This proof, the signature is unforgivable, meaning that, if you're given a a a tuple of message, public key and signature, um it's the verifier will only conclude um uh that the signature is correct if it was produced by someone who actually has access to the corresponding secret key um with overwhelming probability.

E

um This is, I mean this is just a basic digital signature scheme, um but but there are scenarios, wherein um you know the the you might not want the verifier um uh to learn information about sort of the the prover that produced the signature um or, more specifically, you might not want the verifier to learn. um You know information about the the signers, the proofer's long-term public key through either the the public he used to verify the message or the signature itself.

E

This particular property has a number of applications in practice. Right now, for example, tor's hidden service identity, binding protocol uses this sort of construction um for like signing things in such a way that you can't link them back to the the original like service provider. um That's also used in like cryptocurrencies for private airdrop.

E

um It's used in like bitcoin hierarchical, um uh wallets too, to minimize state, and um recently, uh we've found an application in privacy pass for a different type of issuance protocol that we called rate limiting.

E

So it does seem to be a sort of common uh common functionality, and the purpose of this draft is to try to uh basically you know, uh standardize it um uh and specify it so that we can have interoperable implementations of it um and to to to sort of explain what I mean by this. I guess not revealing anything about the prover.

E

Let's move on to a sort of alternate setting where you have multiple approvers now, so you have on the left-hand side, two provers brewer, zero prover one each have their own uh unique key pair um and each are given the same input message to sign.

E

You have some party in between proven verifier, which I'm gonna call mediator, just for lack of a better technical term, and you have the verifier as before, in the setting.

E

Both groupers are going to sign the message with their respective secret keys, send their their triples over to the the mediator, who is going to choose a random bit and then decide to forward on the triple from uh either proof or zero approver. One based on that particular bit to the verifier and the verifier will run the verification, algorithm and try to guess the bit. um uh So we asked two questions um you know.

E

Is this unforgivable uh in the in the traditional sense like uh that I described earlier if you're, given you know this triple message, public key signature: can you verify uh or can you try to cheat the the verifier, um and the answer is yes uh in particular, because this is just a basic digital signature.

E

um But then, when you look at the unlinkability um uh sort of property, uh that does no, that does not hold in this particular case um in particular, because the verify you'll notice on the right hand, side has as input the public keys of both river zero and proofer one. So it's pretty trivial to check whether or not prover zero proofer one generated this particular signature by just looking at the public key or trying to verify the message signature under either one of the keys.

E

So what we want is for this, the verifier to not be able to determine uh the bit b um with probability negligibly larger than half no better than a random guess, and so this is where the sort of functional requirements come to play.

E

We want an unforgeable signature scheme with these sort of additional properties, in particular that the the per message public keys, that are used to sort of verify a message at the verifier are independently distributed from the long-term uh approver keys.

E

Moreover, that we want the signatures themselves that are produced to not leak any information about the long-term signing, keys and sort of jointly this. This captures this intuition notion, uh or this intuitive notion of unlinkability that I was describing earlier, and our proposed solution is a signature scheme with key blinding.

E

um Functionally what this does is: it extends an existing digital signature scheme with two additional functionalities, one of which is a function for blinding and unblinding a public key.

E

So given a public key and a blinding key which, in in the in the syntax of the object, is just another private key, um you can produce a blinded representation of that public key and then you can of course, unblind it using the unblinded, the original unblinded public key, and we have this separate functionality, which is called blank key sign.

E

We're open to name changes if it's helpful for clarity, but the gist is that if you run blind key sign with a long term uh signing key and a blind key, the output signature will be valid under the correspondingly blinded public key using the same blind. So in this in this relation at the bottom, we have that verifying trying to run the verification algorithm with the blinded public key over the message. um Using a signature, output from blankie sign succeeds or is equal to one.

E

And that's the sort of requirement or functionality. I guess.

E

So if you were then to plug this particular scheme back into the multiple prover scenario before um you notice that the the provers on the left are slightly different now they have the same inputs as before. They have the same long term signing key pairs in the same input message, but in actually producing a signature.

E

They both generate a random, blinding key referred to as bk0 bk1 in this particular case, and they run blind key sign with that particular binder key producing a signature and their triple that they send now to the mediator consists of the message, signature and the blinding key.

E

The mediator will choose a bit just as it would before, um and it will uh use that bit to determine which of the blinded public keys uh to gen sent to the verifier.

E

um So if the bit zero, it blinds prover zero's public key with proof of zeros blind producing bk and sends that over to the verifier, along with the signature produced by proof of zero and likewise for approver one.

E

um So if you look at the the two properties that we were uh targeting before, unforgeability um uh has a sort of a signature scheme. uh It still has this property that the the the signature itself um must have been produced by someone with the long-term private key um with overwhelming probability uh um and uh by virtue of satisfying the sort of functional requirements.

E

um It also now has this uh this unlinkability property that we want, um in particular uh the the blinding key or the blinded public key bk is independent from both of the long-term public keys, pk0 and pk1 are the provers and like similarly, the the signature itself is independent from the long-term signing keys, so that the triple itself reveals nothing um about either proof of zero or approver one. So it intuitively the the verifier cannot guess the bit with.

E

uh It cannot do better than a random guess at bit uh b, um which is the property that we want.

E

That's effectively it for the functionality. It's very simple. The eddsa variant is in the draft building off of rc 032. um uh It only covers the pure edsa, none of the context or prehashing variants or whatever um that's very straightforward. It's often uh used as an offhand demonstration of the the concept in academic literature and whatnot. um There also is an ecdsa variant in there as well. um This is a bit um uh different um different in the sense that it's not doing the obvious thing.

E

I guess uh that that you would do for a key blinding um uh I can. I can elaborate if people would like, but um it's different enough, that uh you know we're doing security analysis to determine whether or not it is indeed safe, um but the the intuitive intuition is that it is it is. um It is correct.

E

uh There are also a couple of implementations thanks to frank and myself, um and other people are working on them as well.

E

It's fairly simple, straightforward draft to implement and there are test factors available for those who would like to implement it and, as I said, the security analysis is underway. We hope to make those results public as soon as they are done um to gain confidence in the the constructions. um But, uh um as I said, the the eds eddsa one is um uh fairly straightforward, intuitive um it's the ecdsa one.

E

That is the the more interesting variant, um and with that um I guess uh I have two questions for the group, um the first of which uh do folks find this to be a compelling use case um and problem worth uh working on uh and trying to solve with this particular this construction. You know signature schemes, we keep winding um and secondly, are folks interested in adopting this as a an initial draft to to do exactly that- and I will I will pause here for questions and I'll read the.

B

Chat, we have three minutes for quick questions. If there are any, um I think the question of adoption will probably discuss between chairs and might take it to the mailing list.

E

uh Worked for me um if, if folks um are interested in, um you know more clarity on uh um anything, um you know the the draft link. The draft has a link to the repository where it's being developed um and, uh of course we welcome any and all of your feedback um and contributions.

B

Christopher, are you on this topic.

H

uh My question: I would like to understand a little bit um more about uh what changes you made to ecdsa or hashtag.

E

Right so um the ecdsa variant, uh the the the intuitive thing that you might do is uh given a like a private, ecd, ecdsa key um and a blinding key, which is also a private key. um You might uh like just multiply the two together and similarly, you might multiply the like the public key by the corresponding, blinding key um uh and ergo have a a blinded representation of both the private key, as well as the public key.

E

Unfortunately, there's this um there's a body of work on related key attacks and how they can be used to produce forgeries for schnorr-like signatures as well as ecdsa, and, in particular, this sort of naive uh way of blinding uh an ecdsa public and private key uh does lend itself to forgeries. um I can point people to the relevant references if they're interested, so the tweak we made was to basically rather than um uh maintain sort of the algebraic relationship between the the blinding key and its impact on the the I'm using the word blind.

J

E

Okay, um the the trick was to, uh rather than maintain the algebraic relationship between the the input blinding key and the output blinded public key uh to hash the input blinding key to a scalar to sort of blow away.

E

This this algebraic relationship and make it so that, basically, you need to produce a collision in this hash in order to produce a forgery. um So the the construction does kind of depend on um uh security in the random oracle model uh intuitively, um but that's effectively the gist. I I I wish I had it written down in slides, um but perhaps that that vocal description was not overly clear, but chris I can. I can send you pointers um uh to the the diff where it was included. If that would be helpful.

B

Okay, so the unfortunately, the queue is closed and we are a bit out of time on this topic, so, let's uh winning list. Okay right! Thank you uh steven! You are next.

B

um Do you want me to drive slides fine I'll, do that.

K

Somebody was very tall.

B

Just hold on one second.

K

Okay, uh next slide hold.

I

On just one second,.

K

Okay, great so um I see there was like a hundred people in the in the in the in the session, so I hope to get some some feedback on this, even if it's just kind of a sense of what people think. So the lake working group is defining a protocol called ad hoc uh for authentication, key establishment for small devices. It's you know you can think of it kind of a bit like dls.

K

It does the same kind of thing, but uh it's you know really tailored towards kind of small packet size, few octets to be emitted. And if you care about the requirements, you can see them there so again, like tls, there's kind of a concept of cypher suites and in those kind of cypher suites. There's a signature algorithm represented for authenticating one of the parties.

K

There are suites to find that above ecdsa and eddsa, and that lake working group is trying to figure out how to do. You know which, which signature algorithms should be part of a mandatory to implement set of cypher suites and, as always, there's lots of argument in itf working groups about that. But that's not what we want to talk about here. So next slide.

K

So in this particular context, um there's kind of an additional argument to the usual mti cypher switch selection argument issues um essentially where an adversary controls a provision device and can mount.

K

You know fault injection attacks and extract a signing key and for the kind of applications the ad hoc protocol is designed, for that seems much more likely than for you know, tls, as used in in data centers or whatever, and uh thanks to renee for bringing this up and there's a link there to the thread from the lake working group and the context is, you know, small relative, relatively inexpensive commercial devices that are provisioned private key is probably not that well protected. So if you open the device, it won't be zeroed.

K

But hopefully you know you can't just connect to a uart and read the private key from the file system and private key extraction could be significant because then, perhaps you could pretend to be a controller to some actuator and cause damage. So next slide.

K

uh So I I know I know almost nothing about fault injection, but I did find a few papers that were interesting. um So the first one I thought was was actually pretty good for me because it actually explains how you can do fault injection via kind of a low voltage attack, it's a little bit old. But uh it's it's a really nice explanation of how these attacks can be kind of mounted in a realistic environment, and it includes an example of it's, not a novel attack on rsa signing, but it's in that paper there.

K

It shows how such a such a fault injection attack on on on reading from memory can leak in rsa private key there's also another one uh about ecdsa from the similar time frame. Same kind of attack where you're you've got a fault injection on on kind of memory reads, um although the second one is a simulation as opposed to a you know, an actual demonstration, but that's on ecdsa and then there's another one on eddsa, which is in that case.

K

It's a power analysis attack rather than fault ejection, so those are kind of useful papers, and I think what they seem to show is that, at some level, all of the possible sensible options we have to choose from might be vulnerable to these kind of attacks in this kind of context. For these kind of devices next slide.

K

So one of the points being raised that was raised in some of the discussion here is that you know eddisa is deterministic that might help the attacker as opposed to the randomness in ecdsa.

K

But of course you can have a bad random number generator. As it's been seen, and there have been some suggestions.

K

John matson has a suggestion for adding some noise or some more randomness into eddsa and again I I don't have a personal opinion on these, just to to note that the these issues have come up so next slide.

K

So the ask is, I think it boils down to two questions I mean we seem to have three kinds of signature: algorithms. We you know we may assuming a working group wants to pick a mandatory to implement cypher suite with a signature algorithm. Is there really much difference here between them in this specific kind of attack context?

K

So you know we could do it some help, if that's the case or assertions that from from knowledgeable people that it's it's more or less the same or it's different for different ones um or could cfrg develop something. That's uh usefully better in this attack context. uh So for context, I don't. The lake working group has kind of currently you know picking their mti choices has kind of oscillated over the last number of months. I think the current they currently they've landed on just saying just three two five six.

K

um They probably won't want to wait for an answer. So it's not a it's, not a question where uh we need the answer right now and are kind of waiting on it and assisting cfrt doof. But I think it's a generic problem for particularly for this class device and again there was. There was a thread on cfrg list that didn't really reach any any anything. I thought was a clear kind of answer.

K

um Hence this presentation so that slides so again, just to summarize the attacker here controls the provision device is able to mount the fault, ejection attacks. Let's say an extract, designing key.

K

I described the kind of device and the two questions there are which of those are, if any of them are kind of good, to recommend as a manager to implement cypher suite and in that context, and is there anything better that you could recommend and I hope to get some input.

K

Does anybody know about this topic.

B

K

G

Quick remark, so indeed I raised this topic at the lake working group, um I think, is usually the deep determinism in the generation, so as as long as one can fix that this edd is a eddjj may be fine. If one cannot fix it. Ec dsa already doesn't have uh this determinism.

G

As long as on this just rfc6979.

G

So I I think it's it can be easily solved, but it has to be addressed if this is to use edd and otherwise the ecb davis p256 would be a viable option. In my opinion,.

K

So that that the audio chopped a bit there- but I I think you were basically saying ecdsa- is better, um which then leaves me wondering about those other two papers that I referenced so.

G

Actually, um steve- I I didn't say ecd is a better ecd is only ecdsa is only better because the noise generation is non-deterministic if edd is a would be specified in a non-deterministic way. Then the problem goes away, as I identified.

G

K

G

Makes it clear.

K

So that leaves me wondering about the paper that I referenced, that has a fault injection attack on ecdsa.

G

Well, the the whole side channel attack uh arena is quite large. I have more than a thousand papers on this topic, so uh obviously there are attacks on uh on all different variants, but uh uh there are attacks that can easily be prevented that take advantage of deterministic, behavior sure yeah.

L

G

To know what you're doing you cannot that's in that right.

K

Right but again just you know from the point of view of trying to pick something.

K

If there are lots of you know, if, if we're talking about a manager to implement cypher suite we're asking everybody to implement it, and if there are known attacks against all relevant signature schemes, they happen to be different attacks. But they're known in this context, then it's not clear to me that one is better than the other.

G

I I I I think the problem of the problem is that lots of attacks are also recycled, for example, open, ssl versions that are known to be broken, and um you still need to be slightly competent in in terms of implementing signature schemes.

B

M

Thank you thanks steven for raising this uh discussion. I think it's very helpful uh regarding two. I think hillary summarized nicely on the list why we need three different alternatives: purely random, purely deterministic and a mixture of the two they all make sense in different settings.

M

uh I think we can do better and I think what maybe more a question to the chairs that should be discussed either here or on the list later. But uh how do we progress with draft mats and was quite large uh support for adopting them during the adoption call? There was a discussion about the potential alleged ipr on it. Do we have should we have a second uh call for adoption?

M

Now, when that is known, stephen also said said on the mail that he might, he could declare an ipr statement on the draft uh that would, of course be used in court. As stephen perel has analyzed this ipr and he he definitely thinks it applies.

M

So there's negative things, but that also, but it would raise to any implementers and users that they're there somebody has claimed or not ipr,.

B

Yeah, sorry, I I'm actually the responsible chair who dropped the ball on this. I think. Yes, we need to rerun the adoption call with ipr disclosure.

K

And just to just to clarify, if I made a third party, ipr disclosure, it just says you're on notice that something exists, it doesn't say. I claim it is relevant.

M

I think uh the lawyer in court would say that anyway, I agree with you in principle yeah. That sounds great for the second adoption call.

B

Okay yeah: let's, let's record this as an action item, uh philip.

N

Yeah, I was just going to point out that, since we're going to be doing thresh, we've got the threshold signature work, we're going to have things that look like non-deterministic signatures as far as the verifier is concerned. Anyway.

N

uh In that I I never have never considered the idea of relying on a signature value to be a non-deterministic uh function of the input uh in a protocol to be a sound move. um So I I think that we should definitely allow for some form of signature with a deterministic component.

N

I think it still makes sense to require people to blind the input blind, the random number uh in some deterministic way and then apply the non-deterministic input, so we get as much robustness as possible, um but I think I think that we need that anyway, uh what I'm a little bit um nonplussed about it.

N

I've never understood why people want to put signatures into key exchange protocols if you're doing a key exchange. Protocol diffie-hellman does a key exchange and you can build uh robust systems on top of diffie-hellman, as the signal folk approved and they've got a proof. um Proof of correctness. Of that.

N

I would just steer clear of anything to do with signature, because if you sign something, you create a non-repudiable proof that somebody was involved in that communication and that's dropping a piece of information that I simply don't want to drop. Unless there is a good reason to drop it.

N

Just a thought.

B

All right, thank you. Phillip part.

K

uh Bart you need to hit the unmute button as well. I guess or request audio permission there you go.

C

Okay, does it work okay,.

O

C

I heard steve asked some questions, and maybe I can help by by simple clarification to this.

C

So in a differential power analysis attack, you need some secret information and some variable data and by actually making so this, if you can avoid that by the having using you can avoid a dpa attack, but there is other attacks like simple power, analysis or fault attacks that are kind of orthogonal to this, and that are not helped or not help or helped by having variable data, and so this may answer your question that I don't think there is any signature scheme that is by itself robust against any of these attacks.

C

You always have to look at your implementation, but particularly having deterministic involvement, the generation of the nulls in a way that is not randomized, you will make dp attacks harder. I hope that helps.

K

Thanks yeah that.

C

B

Right, thank you. Thumb.

O

O

These kinds of attacks- fault attacks- they don't, they aren't just limited to the crypto right. They allow you to sort of in my understanding anyway, skip arbitrary instructions that your target is is doing so in the case of signature verification they might also just skip over the entire verify call altogether.

O

They could also skip over a random number generator.

O

So this is, I think, a type of question that you should consider wider than just what kind of crypto do we use and how vulnerable is that, but also how do we structure our implementation in the first place, because if the crypto is not getting called, it will not really have mattered in the end.

K

Sure I I think, that's entirely true, it's a little bit. You know, so I think the the concern here is an adversary, gets control of a device and manages to extract a private key.

O

K

And then can you do what he likes of it. So so it's a little bit different from that. I think, but I I I absolutely agree what you say.

B

All right, uh my apologies, I probably I not not going to pronounce it correctly willing.

J

uh So actually I just have a simple question. So what does mean you call it mti signature? What is it mti.

K

Oh sure, apologies for not explaining it so the when ietf pro working groups are developing protocols. Typically, they would like to specify a mandatory to implement that's what mti stands for uh set of options so that you we increase interoperability, because we hope most all implementations will include them. So the question here is which one do we which of these signature schemes? Would we like everybody to implement.

J

Okay yeah. Thank you very much.

B

All right, thank you. uh We have one action item and you got some useful feedback. I think.

K

Sure so I guess the action item is on john's draft. I guess um you know, I think this. I suspect the same question might arise with ctls, for if it was deployed in similar environments that lake isn't envisaging.

K

um So if the answer is as bart says that there's different attacks, but so there's no real difference because you can mount one attack or the other that it would be great to kind of have a sense of that, so that we could feed that into itf working groups.

B

Okay, I suggest uh interested party are welcome to continue on cfrg mailing list. I can certainly try again, okay. Well, uh I think now that you kind of raise the awareness of this. Maybe there might be more uptake yeah. Hopefully your presentation may have helped so uh I'll.

K

I'll start a thread and and if you deal with john's draft, I guess that's that's the two actions, I suppose. Okay great. Thank you.

B

Sounds good uh next is chris patton hold on just uh yeah. Let me.

H

H

Only my second cfrg talk, so I don't remember how to run the sides slides.

B

So you should have now control for driving, slides. Okay, let me test it out.

H

H

uh It's fun to be on the big screen once again: okay, um all right! So this is. I wanted to give a quick update on an individual draft that I've been working on with uh richard barnes and philip schiltmann. This is called verifiable, distributed aggregation functions and I'm going to give a quick overview of this. So if you missed ietf112, don't worry about it. You should have get all the contacts that you need speaking of context, um so what this is really about.

H

uh We've recently formed a new ietf working group called ppm, which stands for privacy, preserving measurement. That group is meeting um tomorrow by the way for anyone who's interested, uh please attend, um and the goal of this uh working group is to standardize uh uh cryptographic techniques for uh what we call privacy, preserving measurement um and uh and and we're thinking right now, we're mostly thinking in terms of like uh multi-party computation.

H

So uh uh what this? What private? What ppm kind of means? Is you have a bunch of users, and you want to you're interested in um aggregate uh uh aggregate statistics about these users, um but you don't want to see their individual measurements in the clear um and so you're going to run some sort.

H

You want to run some sort of multi-party computation to uh to make sure that you don't um so uh yeah so right now we're uh we're working on um a what we're calling our first protocol and we're hoping that it'll be adopted by uh by the group as the first uh document, um and what this does is um specify the end to end verification and aggregation of measurements over https.

H

In this document, the vdf document is kind of the core cryptographic component of the ppm protocol. So my objective for this talk is to explain to you uh what this draft is about, and I also want to ask the cfrg if this is a ready for adoption by the working group.

H

Okay, uh a quick overview of uh vdf, so um the the main cryptographic technique, we're going to use is just simple secret sharing. um So the the way our architecture works. Is you have a bunch of clients and they're going to be sending um their their uh secret shares of their measurements to two different aggregation servers or more aggregate one or more uh two or more aggregation servers? I should say, um and then uh aggregates are collected by another server. Another party called the collector and who, who assembles the final result.

H

So in this first step uh the the starting step, each client is going to split its measurement into uh input shares as we call them and sends one in one input share to each aggregator and then, uh in the next step. The aggregate for each set of input shares uh where the uh the aggregators are gonna uh engage in in uh a multi-party computation to basically uh which has basically two goals.

H

This one is uh to um one is to verify that the input shares that they're getting correspond to a valid measurement um and the other is to what uh basically prepare the input uh for aggregation um and I'll explain uh I'll uh yeah so I'll get into that into a little in a little bit and then the last step. So the preparation step is kind of the core uh meat of the protocol and then um the the all they have to do after they've done. This step is, um is combine.

H

Their output shares into um aggregate shares locally and then um send aggregate shares to the collector and uh the collector uh combines these aggregate shares to get the final result. So I'm going to give a couple example protocols. So hopefully this this will be clear in a moment. um The the spec currently has uh uh the goal of the spec right now is is to actually specify two instantiations of this of this uh of a vdf um and the first one is prio, which many people might be familiar with.

H

uh uh It's it's kind of been in the ether for a while now um and in this protocol.

H

It's very simple: a client is going to encode its uh its measurement as a um as a as a as a vector over some finite field, and um uh it's going to it's going to split that vector into secret shares and send one uh one vector to each of the aggregators um and then in the to prepare these uh to prepare these uh uh input shares for aggregation um they're, going to just make sure that uh the the vectors that they have uh sum up to a valid input without actually learning what the input is um and uh uh and then um all they have to do in the aggregation step, is sum up their vectors um and then all the collector has to do is sum up.

H

The aggregate shares uh now there's another. uh The other protocol that the other uh protocol that we want to specify is called it's called poplar. So this is a. This is a another paper from the from the same group of folks. Now. The problem that this solves is uh is the heavy hitters problem, and this is where you have each of the clients measurement is an nbit string and you want to know uh which of these strings occur at least some number of times so t time.

H

So in our example, here we have three bit strings and uh only two of those strings occur in that set more than uh more than at least two times, and the solution for this problem I won't go too much into the detail, um is, is called an incremental distributed point function and um uh uh what this?

H

uh What this allows you to do is kind of query uh your, so so clients are going to compute what are called idpf shares from their input, and what this idpf share allows you to do is to uh kind of query your uh the the input on like a on a candidate prefix. So you can ask um is so if your input, for example, is zero one one.

H

You can ask is zero prefix of the string which it is or is one a prefix of the string which is not etc, um and so what, uh after um kind of what the query? The result of the query on your idpf share is a share of the of the this answer like yes, this is, this is a prefix. No, this is not a prefix um and what you can do with that is aggregate them into shares of hit counts.

H

So basically, your aggregate share uh is, uh is uh the is a secret share of the number of times a candidate prefix occurred in the set um yeah, so this this turns out to kind of nicely fit the shape with a few minor tweaks. So in the sharding step, the client generates its idpf shares from its input string and now in the preparation phase, we're going to do something a little bit more complicated.

H

We're going to we're going to evaluate our idps shares on a set of candidate prefixes, but then we need to verify that the output is well formed. Basically, we should only have the the each aggregation. Aggregator should only have a share of a vector where that is. uh That is where you can only have one candidate prefix um uh for about like a given input, so um yeah so uh yeah.

H

I I I I think I'm running out of running a little bit low on time, so I I won't get too much into the to the weeds here. um Okay, so uh there's this uh idpf share evaluation and then verification that the output share that you get is is well formed and then, um in the aggregate, aggregation phase, all you have to do is uh sum. Your output shares into a share of the hit counts and then you hand those to the collector, um and so the way this is gonna help you solve like find.

H

The heavy hitters is you're. Gonna run this. The collector is going to run this protocol basically prepare aggregate unshard uh several times uh with several different sets of candidate prefixes until it finds uh the set of heavy hitters.

H

Okay, um so very quickly, uh we've made a lot of progress since iutf 112.. uh What we have uh today is basically a complete special specification of prio um and a with including a reference implementation that generates test vectors and um we have there's at least one implementation of this. That's that's uh pretty fast, um um so the next things I think to do are is the next. The next chunk of work is to complete the spec for poplar.

H

There are a couple of uh implementations of pieces of this. um It's it's a little bit more complicated, um none of them like interoperate, yet so uh this is why we want to uh to to have a spec in the cfrg, um especially because people want to implement this. um uh The other things we need. We were working on security analysis um and uh we want and we'll need to flesh out the security considerations um and, of course, we're.

H

The hope is that this you know, drives uh uh cryptograph cryptography researchers towards direct direct cryptography research towards um the design of vdfs that solve different private data, aggregation problems, um yep and so there's some a few other open issues, but um I think uh I in my view this is I I've based on what I've seen I'm kind of new to this um this. I think this document is mature enough to to start working on it in the working group. I'm curious to know if people are interested and what would be the next step.

B

Comments, questions.

B

Chris go ahead.

E

uh Yeah thanks chris for the presentation, um I'm I'm obviously supportive of this. uh The group adopting this as a research group item well we're in the purview of cfrg to work on um bringing something like this to the rest of the industry. By standardizing it I mean, as chris said, we have a a number of implementations. Already. uh It's prio especially has a lot of experience in like running code, so um this this seems like kind of a an obvious candidate for adoption, and I would like to I would like to see that up.

B

K

I see yeah I similarly like to see something that can support ppm adopted and produced by cfrg. I think that's, it's the right place to kind of work on these functions.

B

Okay, cheers we'll talk to you uh christopher, and uh I think tentatively, we're happy to do adoption call but we'll just double check between ourselves. Thank you.

P

B

Okay, a asgcm exploit next.

Q

Hey, can you hear me.

B

Shall I share I'll share and pass to you uh controls again great. Thank you all right.

B

It's a new and exciting feature. Oh hold on what's happening.

B

Oh um christopher, you need to stop sharing.

B

Okay right, thank you.

R

Q

Oh great, I have the slight contrast great. So um yes thank you. um This is about a rather applied topic. It's about an exploit of aes, gcm authentication, deck for hidden communications.

Q

It's a work that has been co-authored with alexandre hartle who's on site and some other colleagues from academia and from industry.

Q

So next slide yeah first about hidden communication, just uh very very briefly, so so malware, it's about malware communication, hidden malware communication and critical infrastructures.

Q

Initially so malware needs network communication to unleash its destructive power and initially malware used, explicit communications, meaning communications that use dedicated messages on tcp, udp, etc, and nowadays, malware becomes increasingly stealthy, meaning it tries to hide within existing legitimate, benign communications.

Q

In the example below you have alice at the left bob at the right, they just exchanged some benign ip, datagrams and and mallory somehow got access to an asen on the path and is communicating with eve just by exploiting some of the unused fields or or less used fields like ttl et cetera. That are not that apparent and, and so they misuse existing communications um can happen uh rather as a covert channel, so ipptl flags options.

Q

Inter-Arrival times modulations or you could use also some nonsense, random numbers, etc.

Q

Now, if we have this critical infrastructure- and we want to harden this uh infrastructure- um we we need to assume that any system is vulnerable. That is, the question is not who discovers the the question is not when or if a zero day is discovered, but who discovers this vulnerability and when what is typically done in industries now to protect the key materials ck using so-called ckmds crypto key management devices, so trusted platform, medius modules or smart cards that are uncompromisable in so they protect the key material physically and offers some well known api.

Q

So, in the case of compromise shown as a red, so even if an a iit device, for instance, a smart meter is compromised.

Q

This key material is cannot be leaked because it is physically shielded, meaning there are just some well-known apis to encrypt or decrypt using these keys, and this can be either a hardware module or it can be networked as you see at the right, and the question that we ask ourselves is: can malware exploit cryptography for hidden communication and disheartened systems, and the answer is obviously yes, so aesgcm, I'm not going into details. I just want to outline so so we have some some input parameters to the algorithms we have an initialization vector.

Q

We have some plain text: uh plain text uh message blocks uh the key material that is protected, so we don't believe we can change this or we can find any exploit related to it, and we have output parameters shown in red, so ciphertext blocks and the authentication tag now concerning the initialization vector there have been already some discussions on the lists during the definition of aes gcm and deployment.

Q

So it was a discussion whether initialization vectors should be chosen randomly, and the answer was no, so a clear recommendation not to do so because, in particular of this, this ability for hidden communication, so it is recommended to use deterministic counting initialization vectors when using such a ckmd, the state keeping is difficult. This segment. These are typically stateless devices, meaning they just map a specific, a specific id and a specific message to a specific key, so deterministic, initialization vectors should be likely managed by this requesting device.

Q

If we now consider a legitimate device communication in this context that we have analyzed, we have uh at the left, a sender application that uses a kind of security proxy. That is a center application. A benign one just wants to send some plain text p to a secure to a receiver application at the right, and on this behalf, it uses a security process consisting of a sender and a sender ckmd.

Q

So if the sender is compromised, nevertheless, in center, ckmd protects the key material, what it does. So, if the legitimate message arrives at the sender, it computes a new initialization vector sensor, encrypt request is a plain message: initialization vectors to the ckmd, which encrypts a message and gives back a cipher text and a authentication tag which is then transmitted to the receiver security proxy that decrypts all of this information so passes, cipher, initialization, vector and authentication tag to the receiver ckmd.

Q

However, please note that this receiver, ckmd typically will refuse the decryption if one of these three parameters is faulty meaning, if we have a for the authentication that we will not decrypt and as a response, we get a p plain text again and the receiver proxy then forwards. This message to the receiver application.

Q

What can we now do or two observations? Firstly, so gcm works similar to stream ciphers, that is, we can decrypt by encrypting with the same initialization vector and we can decrypt by circumventing the authenticate authenticity verification, that's a problem common to other counter encryption modes mapping, this generic sequence, diagram to an iot infrastructure. Think of a smart metering infrastructure. For instance, you have iot devices that are potentially compromisable, so you have physical access to these devices.

Q

They protect the keying material, but nevertheless firmware exploits zero days etc. Can lead to these devices to become compromised and we have not just one device, but we have tens of thousands of such devices that work together.

Q

These devices are concentrated, so the traffic from this device is concentrated and forwarded to an edge server that is reachable from the internet and therefore might also be compromisable. An idea is just supervised or supervises the communication to this edge server, and it is worth noting that yeah passing any keys to this ids is not advisable. We know about solar winds, sunburst orion exploits so giving keys to to end and and administrative power to ids. This is not that good design decision.

Q

Finally, this edge server then uses a network ckmd server to pass the encrypted data to it and then forwards the information to an application server.

Q

What we want to do is to implement some subliminal communication between a smart meter and an edge server without this information being without this information exchange being visible to the outside. So we want to exploit and in particular the authentication tag has shown to be uh available for this and want to circumvent the ckmd, authentic authenticity, verification in the receiver.

Q

But please note that this communication is bidirectional, so we can use exactly the same approach in both directions and the solution is quite straightforward, so subliminal sender is compromised, subliminal receiver. So these security proxies have been compromised. They cannot leak the key material, but nevertheless they can act uh whenever a sender, application or central, legitimate, benign message that is to be encrypted.

Q

The subliminal sender chooses an initialization vector encrypts this information and what it does is simply replace part of the authentication tag with the subliminal message to be sent to the receiver and sends this message together with the modified. So the subliminal authentication tag to the subliminal receiver. The subliminal receiver uses this stream cipher property.

Q

It simply takes a random string of length corresponding to the cipher text. Encrypts. These data using the initialization vector and gets a cr, so a cipher text of the random text and a tag that it doesn't use now, unfortunately, by xoring, the random text and the ciphertext we obtain the cipher and by exploring the cipher with the ciphertext, we get the plain text so subliminal. Receiver. Now using this encrypt operation has access to the plain text it has from the authentication text it obtains.

Q

The subliminal message can take an action, a destructive action and for what's the message, the plain text to receive replication so from an outer world perspective, that's absolutely legitimate.

Q

The only issue is that this subliminal information here needs to be somehow hidden by the subliminal sender. Can we do better? Yes, of course, we can change the entire process just by doing the entire, exactly the same process and this hidden information, as is exod into the into the authentication tag that is instead of replacing we xor. It is the authentication tag and get and get encryption of our hidden information for free proceed process at the receiver is absolutely the same one. We get the plain text, but wait.

Q

We do not have the authentication tag, we need the authentication tag to extract the subliminal information. What do we do we encrypt once more, so we encrypt the plain text with the initialization vector, get back the authentication tag and then by uh decoding and.

L

Q

Also by by exploring the authentication tag and the subliminal tag, we get the subliminal message, that's it so from an outer perspective, without having the key material, it's almost impossible to identify that something has happened here.

Q

This exploit is agnostic to protocol semantics can be used in any context and cannot be destroyed by intermediate nodes, because otherwise the legitimate authentication tag is destroyed without leaking the secret key to some some observers, it's impossible to identify that the authentication tag is faulty and the capacity is usually high because message, authentication codes are typically transmitted, frequently some such reports or messages.

Q

Moreover, the location of the sender of this hidden information can be anywhere on the path where it can access the authentication text, so it needs not necessarily be collocated with the device I'm getting short of time. So yes, mitigations. Thank you. You have already standardized gcm siv, so synthetic initialization vector which solves exactly the problem, so it is. uh The issue is that we have initialization vectors that can be repeatedly used. It's clear that this is this should not happen, but it happens in this setup.

Q

We can generate ivs on the ckmd, but this can lead to ckmd originated subliminal channels and we have a deployed mass of of systems that need to be maintained. That is, we could use distant keys for each direction for what reverse or we could use the initialization vector a segment, a segmented set of initialization vectors for each direction, and I'm almost done so just uh combining the ckmds with the gcm encryption can show security, shortcomings and, yes, obviously, gcm siv is recommended or some some remedies.

Q

But it's it's a general architectural problem and uh yes, one should consider this opportunity. uh You have a link over here that leads to the paper. If you don't have access. Please drop me a note and I'm happy to send you a pre-published version on the last slide. You have some some information on the project that we're doing, and this was a result of this project, so yeah happy to take questions and thank you for the opportunity to present.

B

Okay, we are slightly behind on uh I'm sorry. Now it's all right, uh I I locked the queue so uh two questions, jonathan first jonathan hoyland's.

L

Cloud player, uh one way you could potentially detect this is in use, is surely by having some middleman munge the uh authentication tag right, they just mess it up and the the receiver should then reject the message, but it won't yes.

Q

Sure there are many, so, for instance, you could also intercept here the network communication. Yes uh by seeing that you have two encrypt requests. Instead of one, you could identify that something's happening or by logging, this receiver ckmd to see that you have a mass of encrypt request instead of decrypt, so you should have a symmetry ordinary uh by by default, but uh so so we have several counter measures they are. They are mentioned in the um in the paper, but thank you yes. Obviously, this is there.

Q

There are some mechanisms, but by default, so so today's system are rather bad at this.

L

It's very cool. Thank you.

Q

R

Scott okay! Yes, uh if I understand that you are assuming the ascender and receiver uh crypto engines are both compromised. If you assume that can't they replace the the gcm algorithms with anything, they find convenient and use that as an exploit. Why is it specific to gcm.

Q

They they could, in theory, uh replace anything so so it was a. uh The topic was derived from a rather applied project where we have an existing system and there we have aes gcm and yes in in theory, you could replace also some some messages. You could introduce some additional information, but we we try to stay with the minimum of uh of exploit. That is needed to transfer information, and in this case just the authentication tag is sufficient and you have of.

Q

Obviously you have external observers too, that that could intercept some some changes in communications.

Q

B

All right, thank you. um Can you please stop sharing slides.

Q

Yes, uh okay, thank you right. Thank you very much.

B

Next is dual prf construction, nimrod.

S

Can everyone hear me and see the slides.

B

Oh okay, fine hold on. uh Did you okay,.

I

S

Okay, all right, uh can everyone hear me and see the slides?

S

Yes, yeah, all right so hi? My name is nimrod aviram and I would like to present a dual prf construction. This is joint work with uh benjamin dowling, ilan, komargotsky, kenny, patterson, ayal, hernandez.

S

So in modern protocols we usually have the client and server agree on a shared cryptographic secret, along with other protocol parameters, and then we feed the shared secret and the protocol transcript into a kdf. A key derivation function to arrive at the pell session shared secret and from that shared secret, we derive symmetric keys.

S

That key derivation function should be uh total random, that is, the output should be indistinguishable from random when the key is uniformly distributed, even for an attacker that fully controls the transcript, so we can use hmac, which is uh probably a prf under very mild assumptions, and it would appear everything is well and good.

S

However, in some cases we have more than one key and now we're asking uh what should we do here, for example in uh tls 1.3, where we use both diffie-hellman key exchange and appreciate key, and this happens a lot, for example in resumption, which is very widely used in hybrid key exchange? uh Well, we have both a classical key exchange algorithm and a post quantum one and in the signal double ratchet protocol, where we combine an existing shared secret state with new uh keying material that is, output of difficult.

S

In all of these situations, we use two keys at least two keys.

S

And the general approach for doing this is uh to combine the two keys into a single single, unified key using a key combiner function and then compute hmac with that key of a say the protocol transcript and have that be the output of the entire kdf.

S

uh This is largely done both in existing constructions and in our proposal, and when we say that key combiner function takes two keys, uh we mean it should be a dual prf, that is, the output should be in this indistinguishable form random uh when one key, when it one key, is uniformly distributed and the other key might be controlled by the attacker. And this scenario is actually realistic because say in protocols.

S

An attacker can replay a key share from a previous session and attempt to learn that r key, while injecting new keying material from the uh to the other key. And, of course, we don't know which key the attacker controls and which key the attacker attempts to learn.

S

uh So it's then natural to ask: uh can we use hmac as that key combiner function, and the answer seems to be no, because hmac is generally not a dual prf to be fair, it was never claimed or designed to be a dual prf under any assumption, and it's definitely not one. If the underlying hash function is not collision resistant.

S

That's where our proposed construction comes in, uh so we have a construction for a dual prf. uh The construction uses an underlying hash function as a basic building block uh the hash function can be say, shadow 56 or any other standard hash function. It doesn't even have to be collision resistant for the um for the construction to be secure.

S

The whole construction is fully practical. It only uses symmetric cryptography and is overall cheap to compute and we'll get to that in a minute. uh It's especially cheap uh when we compare it to asymmetric cryptography.

S

So if we want to use it in protocols which we mostly do, the relative cost for including the construction is minimal, and we have a security proof in our paper on e-print.

S

How do we compute our construction?

S

We take the first key prepend, some common reference string to it, run that through the hash function and use the output as the key for hmac, then we take the second key run it to a new fi through a new function which I will describe in the next slide and expanding injective one-way function.

S

We take the output uh prepend, some common reference link to it and use that as the data input for hmac, then we do the same thing again with the key roles swapped.

S

We then take the two hmac outputs x of them run that through the hash function one last time- and this is the output of the whole construction note- how everything here is uh symmetric and uh standardized cryptography, except for the f function, which I will now describe.

S

um How do we compute uh the expanding injective? One-Way function? F, we have a message m and we split it into blocks with the same size as the hash function block size, then, for each message block we are running through the hash function several times each time, while uh first uh processing um an input block uh of an appropriate index.

S

So we we first prepared a full input block of zeros right and then the message- and we run that through the hash function and we get the start of the output, then we uh do the same thing again, but with the whole block of ones at the start, run that to the hash function and get the second, uh we get the continuation of the outputs we concatenate, the hash function results uh of all of these computations- and this is the expanding function- f- note that it is also symmetric and cheap to compute uh this in this diagram.

S

We we process each block twice, but this is only for simplicity. In practice, we propose our pros processing each block three times uh the amount of times we process. Each block is called the expansion factor, and this is the parameter of the construction uh and what why do we choose an expansion factor of think so what this uh expansion factor does is it helps the function be injective the more we expand the input, the longer the output and the higher the chance that the function is injected.

S

If we want to standardize and deploy a new kdf, this has high potential forcification. That is once we deploy something into the field.

S

It will be very hard to upgrade and we're still dealing with uh with these situations now, so we want to be conservative here, uh so we assumed that whatever hash function, we use uh will eventually be as broken as md5 is broken today, so even with nd5 and coolant cryptanalysis, uh taking an expansion factor of two is unbreakable to our knowledge and taking an expansion factor of 3 seems like a good security margin.

S

We are also open to taking other values for the expansion factor.

S

uh We said the construction is fast, um it's much cheaper than asymmetric cryptography again it takes roughly seven microseconds to combine two keys, uh comparing that with say, hkdf using concatenation uh hkdf takes roughly one microsecond, so the overhead is roughly six microseconds and this is very cheap compared to asymmetric cryptography.

S

So even just doing diffie-hellman over x255 19 with two exponentiation still connection, each exponentiation takes roughly 45 microseconds, so just the fieldman is about 19 microseconds uh during ecdsa takes either 80 or 25 uh microseconds, and if we want to also use entro, that would add some more so. The largest overhead we came across uh is uh when doing only two different expansion, exponentiations and a signature, and even then the overhead is only five percent.

S

uh This is the largest overhead uh we know of, and the overhead is lower for, probably most other uh use cases.

S

uh If uh some people find the overhead unacceptable, we can consider an expansion factor of two which would make the construction speedier.

S

uh What do people use in practice instead of dual prfs? uh So we've spoken of tls 1.3 in dp, hermann, plus pre-shield key mode and of signal which combine keys using hkdf, which is equivalent to hvac.

S

This would implied we think of hmac as a dual prf, even though it is generally not one in hybrid key exchange, where we combine our classical and post quantum uh key exchanges, uh both in the itf work and in similar proposals from etsy and east.

S

We actually uh concatenate two keys and then feed them to the kdf as usual, uh and even with only a single key uh in tls 1.3, where we only use diffie-hellman uh that dpman output is actually passed through the message input of hmac, which would again imply we treat hmac as a dual prf.

S

So we think uh standardizing a dual prf would help make protocols more robust, both when with multiple keys and also with a single key and we're asking uh we, we would like to write an internet draft and we are asking all are people interested. Thank you. I'm happy to take questions.

S

Yeah uh chris wood, please go ahead.

E

Yeah thanks. I have a two well one question um and then more of a comment, um uh the first of which is on the the the claim that hmac or hpdf extract is not a dual prf, um uh I'm not a cryptographer, so I defer to you experts to determine whether or not that is or is not true. um But my concern is that um many of the proofs that I've seen for tls 1.3 do assume that hkdf extract is indeed a dual prf.

E

So I'm wondering if you can comment on what the impact of this particular claim is on existing security analyses for protocols like tls 1.3 and, in particular the key schedule of tls 1.3.

E

um A second comment is on the the the idea as to whether or not to write a draft. um I think having something that uh has like rigorously proven. Dual prereq properties would be nice, however, for applications like mls, um which require more than one key as input, it might be nice if an nprf was the construction output. On the other end, um I know chris um forgetting his last name um proposed for mls, specifically an nnprf construction.

E

I don't know I don't recall what came of that, whether or not it turned into an internet draft or there was a paper published or not, but I would like to see it perhaps generalized beyond just two key or two inputs um about the first question.

S

Thanks, uh so I will start with the second comment. Actually uh we can accommodate. uh However, many keys uh uh is needed uh and we can do so efficiently, so we think we can help there as well and uh as for existing analysis of the 7.3, I guess it's complicated.

S

A lot of analysis doesn't reduce to to any specific assumption on the hash function or on hmac, but rather to something which is kind of a toy protocol. Like the prfodh assumption.

E

Well, I I just uh I pulled up a paper from um who is it sorry scrolling about that.

S

E

S

I'm sorry sorry yeah, I think we're just running out of time, so uh I would say that we have a good, an extensive discussion of this on our paper on eprint and uh and we can take it to the list. If that's okay.

E

uh Sure I just wanted to just comment briefly that, like the they in various proofs, they do use this assumption to bound um uh to make certain bounds on like adversarial advantage and they're in their their hops amongst various games. um So uh it does seem, it does seem relevant um and I'll I'll. Take a look at the paper. We can try to find.

S

Yeah and and let's discuss this on a list- I'd be happy capitol.

B

Okay quickly, christopher.

H

um My question is um why uh I I was curious about like your benchmarks. This seems comparable like is this: is this comparable to what hkdf does? um Why compare it to what's the value of comparing it to like asymmetric crypto.

S

So we're trying to argue that if we uh add this to a protocol, the overhead is minimum.

H

Okay, okay, um because I okay okay, so I think um I guess I guess the the comparison the the one apples to apples comparison is is hkdf right, so like yeah, but probably fast, hkdf, we're in good shape.

S

Yeah, so it's it's slower than hkdf, but we think it shouldn't matter that much because uh we only do it once say to process it. Yeah.

H

I totally agree, I don't, I don't think it's the overhead's insane, but I'm just saying that's the benchmark right.

H

Okay, just just want to be clear. Thank you very, very, very cool construction by the way, oh, thank you. Thank you.

S

uh Do we have time to from phillip.

B

Yes, uh I closed the queue after philip, so philip quickly, yeah.

N

I I like this a lot. um There are some other things. If we're going to revisit uh hkdf, there were a few landmines that I came across uh when I was trying to use it in the mesh.

N

um Some other thing, some of the assumptions that are reasonable to have as a user um about what certain inputs will do are not actually true, and you know that that that just hit me a few times uh in a way. There was surprise that should be eliminated.

N

The other point anime, is you you're looking at hmac, I think that that's the right thing to use as far as timing is concerned, but if I was going to move to a different key derivation function at this point, I would not want to use hmac. I'd want to use kmac, because you know hmac is a hack trying to make a digest function that wasn't designed to be a mac.

N

Do that kmac is a construction that is designed to be a mac in itself, and I I think it's a lot more principled. So I think, if we go to standards on this, we should definitely have kmac in there as a recommended algorithm, and I would like to see the favored algorithm.

S

All right uh thanks, I'm not familiar enough with the kmac to comment on this and uh also a great hidf.

N

Yeah, it's just using shah 3 in a principled way to do a mac because it's yeah it's.

S

All right so, and that is not always advantageous, but uh I think we should discuss it uh further on the list if you'd like I'd, be happy to.

S

All right, I guess that's it for me, uh thanks.

B

All right, thank you. uh If you can stop sharing slides, that would be great.

S

um How exactly.

I

B

Oh actually, that might help all right. Fine, um okay, uh the next one, is the aegis, aegis family of authenticated encryption, algorithms. Okay, let's do that.

B

B

um Shall I pass controls to you or do you want me to drive? I can do it away. I.

C

Can do it myself, okay, okay, let's okay,.

C

Okay, so I'll uh talk introduce the ages fast authenticated encryption family.

C

There was an internet draft with first version written last september. There is further support from google and also in the team of the two designers of hs, hong kong and myself from university of louisville.

C

So it's a family authenticated encryption. Algorithms is non-spaced, it's twice faster than aes gcm.

C

So on the benchmarks we get to 0.287 cycles per byte family offers a high security level, and there is already multiple implementations available, including one in the linux kernel.

C

A few things about the design I'll be very brief and not go too much in boring details. The design was actually inspired by a pelican mac, which is a mac designed by the aes designers to be faster than aes. Because for a mac you can be faster and we then turn this into a stream cipher, which is actually also a lot faster than the as so.

C

We have a 128-bit key and iv and all the words are here 128 bit, but there is a large state of 8 times, 128 bits, 1024 bits in edges, 128, l. The scheme is very modular and easy to analyze, so you take your key and your iv, you do 10 steps of each operation and then for every next step. You accept two message word: you produce two key stream words which you add to the plain text and you output the cipher text.

C

At the end, you add some linked information and then you do seven more steps and you get the 128 bit mac value out. So it's a stream cipher with built in mac generation. So inside the each is operation. So there is eight blocks and they're updated. They all use one round of aes and they update, as you can see in parallel.

C

You see also the injection of two message: words and then to compute the output we take for each of the outputs four message, words and then two are added and two are end and then added to the rest.

C

So this is more or less how it works, so I think it can be described in a very simple and compact way.

C

Properties. um We propose two variants: the 128 l variant has 128 with security against confidence, healthy attacks and authentication.

C

There is also a 256-bit version that actually have has 268-bit security against key search, and we decided to keep a 128 bit tags. We have 218 against forgery for the smaller version we allow use of 248 messages per key, which I want to point out, is much larger than what you can get for the same security level um with, for example, gcm or ocb for the large version lipsticks.

C

There is no restrictions or number of messages in practice, but we want to point out that if you would do to the 128 attempts, you could do an online forgery attack. So you need a huge number of interactions with the verifier and then you could shorten um key search, but we decided this was not really a problem. A problem for security security properties are that, unlike gcm, it's key committing and these actually stop search and key partitioning attacks. I don't have time to go into detail.

C

Gcm also has some issues when you're very nonsense. You can may get some security problems, so this is not a problem. We recommend here to have maximum size nozzles, but they can be shortened. What we don't achieve is resistant to nones reuse. We don't also achieve resistance to or you could be in trouble if you start releasing plaintext before you check the mac and we also didn't design the scheme. That's compactly committing could be used, for example, for franking, so these last three properties are by design.

C

We believe that, if you want these properties, you have to do at least one full block cipher encryption per 128 bit and you can never be faster than the aes itself and also the same thing. The franking would require a larger attack, which we also didn't think was necessary.

C

So there has been quite some independent security evaluation. Each cipher was designed nine years ago and was submitted to the open cesar competition. There were close to 60 schemes and, in the end, a handful of those were kept for the final portfolio, including ages 128. There has been some independent analysis by other teams. There has been some correlation analysis on his 256..

C

We are not concerned about these attacks, um of course, theoretically it's below 256, but they require between 150 to 160 ciphertex blocks, we're not concerned, um and I spoke to the people who did this attack. They don't see how to improve it. They don't they have done some attempts in the in last year, but they didn't get much further than a small factor of two or four I'm also very impressing very recently this this month actually- and this week at fse, two attacks have been published on aegis.

C

128 is actually not the version in the draft, not in the draft, but because in the draft pf128l in 256, um and they break about five to of the ten rounds with a reasonable complexity.

C

This is interesting because it shows independent analysis. So this is an attack in which you vary the iv with chosen iv attacks, but we also want to point out that if you take four or five rounds out of ten of aes, there is also quite efficient attacks. So we think this is normal that in the as base scheme, if you have only four or five rounds, that there is an efficient attack, this is not a reason at all for concern. It will be very hard to scale up those attacks.

C

As for aes and finally performance, the scheme is highly paralyzable online for encryption and can make optimal use of the aes instructions. I'll just show you some benchmark numbers on the next slide, um so intel skylake, as you see on the bottom, the speed goes up a lot. This is cycles per byte, so the smaller the faster uh once you go below one above 1k messages I zoomed in on the top, and there you see that it's about twice as fast as gcm. It goes down to the number.

C

I promise you point to something to five cycles per byte. We have similar results um for arm, which I will skip, and I conclude here now so saying that each is a very simple design that is a variant for 128 bit increasing bit security. It's also easy to analyze easy to implement and it offers a very high security level. The design is targeted for platform with aes support, but would also be implemented efficiently.

C

If there is no such support, and so there has been quite some scrutiny and so far all the attacks give us confidence is really highly secure. Cipher. Thank you very much.

B

All right have any quick questions comments.

D

H

uh uh No no question really: I just wanted to say I think aegis is a beautiful construction and I would love to see it standardized. So I absolutely.

P

Support the work uh cfrg working on a draft.

P

F

Okay, armando hello, so I I just want to know how does it compare with other lightweight ciphers.

C

Well, each is not exactly lightweight it's a high speed design. There is a nist lightweight competition going on and we didn't submit it there because we didn't think it fitted there. It's really more like a high performance design and nist has announced that they will complete the competition soon, but there is no results there. um So I think in general it's definitely one of the faster designs.

C

There have been some more recent papers trying to do further optimizations, but I think those would definitely need another five to eight years of analysis before they can be adopted, but there is, there is extensive benchmarking available.

C

I only showed you some brief details, but it's clearly it's also faster than ocb and it's faster than any other cypher. That has this kind of scrutiny. Okay, thank you.

E

um uh Thanks for the presentation- and perhaps I missed it, um but I'm wondering if you can comment on the um sort of non-story use properties of this particular variant.

C

So each is is vulnerable against noise release by design um it's better than gcm in gcm with one nonce, you lose your authentication key and you have a big problem uh in aegis. It's clear that there is a paper that was actually in our written design document. The details were not worked out, but the paper has shown. Is it needed 15 users of one month and then you can recover the state now this is a design decision.

C

We believe that if you want to be resistant against this, you need two passes or you need lower performance. We don't think you can achieve this performance for an on-to-use scheme. So we warn inventors implementers, for this is also clearly pointed out in the draft that you have to be careful just as for gcm, that you don't reuse your nuts and luckily the consequences are not as bad as for gcm.

D

Okay, thank you.

B

But do you have any requests from for cfrg? Is it for our information for now or do you want this to be adopted.

C

I guess this is, I guess we wanted to introduce it at least because I'm not sure it had been discussed before and I think it's we seem to get some good feedback. We would like to get feedback and, of course, if there is consideration for adoption, we definitely would support that.

D

All right, okay, thank you.

B

All right, thank you very much. Let's move on to the.

B

B

B

Then okay hold on.

T

I will just drive right yeah, please, okay, thank you, uh we're just okay. There we go rock and roll, uh uh I'm dan harkin, so this is a proposal for uh making some uh changes to hpk or additions to hpke. So next slide, please us. It was recently published as rfc 9180, and I saw I think it's a good time to make this ask again. uh The issue is that hpk is, is a really nice construct and I like it a lot, but it doesn't work for some use.

T

Cases, for instance, for devices are operating in a constrained environment. uh The serialization and deserialization for the uh nist keys is over twice as long as it needs to be, and so I'm proposing that we could uh address that by using the rfc 6090 compact output serialization.

T

Another issue that uh I have with hpk is that it is. It doesn't work on lossy networks. It assumes that there is guaranteed and order delivery of of all the packets that are being used, and uh that's because the sequence counter that's being used with the the aead cipher is completely inside of the context. Then the the user has no ability to to know what the sequence number is or to have any control over it.

T

So if there's any uh packet loss or packer reordering uh the center and receiver get out of sync and everything just falls apart uh and since the internet does not provide guaranteed or delivery of packets. I think that this is a problem we should. We should address so for the first one. It's pretty easy to. We can solve that by just assigning some new chems that do a compact serialization, uh but for the second problem next slide, please I have a couple of proposals.

T

One of them is, uh we can use a deterministic aead and not worry about the nonce. If the the nonce is causing problems, then let's just use something that doesn't care about a nonce like uh siv. uh Now, of course, siv has problems uh uh regarding some of the security of of the deterministic mode, uh but you can achieve semantic security with siv. If the plaintext carries enough probabilism that the nonce normally would have provided in a a normal aed scheme.

T

So for certain situations, where you can have that guarantee, I think a deterministic ead mode of hpke would be acceptable.

T

If not uh what we could do is use a rolling replay window uh analogous to what was done with ipsec and rfc 2401, where you've got a bitmap of received uh received packets, and that allows you to receive them uh out of order and uh some can get dropped. uh Packets that are way too old will get thrown on the floor and the the window advances as you, you, uh you verify receive packets.

T

Of course this requires access to the sequence number. The receiver has to know what the sequence number is to determine whether it's valid in the receive window or not. So that would require us to export the uh four octet sequence number uh into the ciphertext.

T

uh This shouldn't be a problem because uh that information would already be down to any sort of attacker who can count and we're not going to be exporting the uh the secret knots we're just going to be exporting the four octet sequence number that gets xored onto that thing. So next slide please.

T

So what I'm asking for is uh three things I want to add new chems for the nist curves that do compact serialization I'd like to add support for aes siv as a deterministic uh cipher mode in hpke and for the situations where aes siv would not be appropriate on velocity networks. I'd like to uh have a defined way to use uh a rfc, 2401 style replay window to deal with uh packet loss and reordering next slide. Please uh I do have a draft it's in the 01 version.

T

uh Please take a look uh and I also have running code. If you want to take a look at my github uh there's a hpke wrap it's fully compliant with rsc2401.

T

It handles all of their test vectors, but I also added uh additional test vectors to do compact representation with uh new chems and uh authenticated and deterministic authenticated encryption with siv. I just basically stole a couple of values from the the reserved number space, uh but hopefully that won't be a problem. uh So please take a look uh next slide, please. So we have running code and I hope uh we can get rough consensus to adopt this as a work item.

B

K

All right see a couple of comments. uh One is there's with 9180 when I combine all the cams and kdfs and so on. I have 480 different combinations of algorithm, so there's already a lot. However, these seem like reasonable changes.

K

um The other comment I have is maybe hpk should be thought of as moving from cfrg to an ietf context, because the perhaps the part where we needed cfrg expertise is in the past, and these kind of changes seem like more engineering changes than cfrg like changes. I I'm not, I wouldn't be too focused on it, but just for you know things like you know, changing the um the points representations.

K

That's like a yeah that shouldn't require.

T

You know so you're saying dispatch me to sex dispatch. Basically.

K

No, I'm not I'm not recommending that it just occurs to me that that might start to make sense, because maybe the you know maybe the cryptographic bits of this are are mostly done and it's more about kind of engineering. At this stage fair comment, um and then I actually have one question is so: does your code now include the kind of uh x2559?

K

No okay, so it's it's just the nitch curves for now still yeah, okay cool uh well. Otherwise I I'd be supportive of this happening. I I'd probably be a little bit happier if it didn't happen immediately. uh I don't know I don't know I have to think about it.

K

Happening is doing it sometime. Yes, maybe here, maybe elsewhere. Okay, all right! Thank you.

T

E

uh Yeah thanks dan. um uh I also think that these are perfectly fine um additions. um Well, the the the chem uh with the different uh compressed format is a fine addition. I'm a little bit concerned about the deterministic aad and the implications it has on how you use it, um so I prefer uh well, I I'm less less supportive of that, um but I guess, as I met a comment, this is our question.

E

This is not directly to you but more for the chairs, I'm realizing now that we don't really have established any designated reviewers or experts to review these ayanna registry editions.

E

The the registry policy for editing anything any new, chem, aad or kdf is specific specification required which doesn't require this to be published or adopted, or anything. It just requires a document to exist and that approval from um one of the experts. uh So do we need to establish experts to review these requests so that we can get dan's algorithms in the registry.

B

So yeah, typically, what happens is ayanna asks for experts on first request.

B

So I suppose that's kind of constitute the first request. So yeah.

B

Can you email chair as a reminder to just double check and investigate this specific question? Okay,.

D

B

E

T

As well yeah, but this would be the specification that didn't would be required right, I mean the specification required. There has to be some published document. Yes,.

B

Yes, but it doesn't have to be, it can be like independent stream or itf stream, or doesn't even have to be an rfc okay. I think.

E

Right richard, I don't know which.

B

Is slightly more controversial, but you know some people tend to think. That's! Okay, I'm well!

B

Well! If there is enough support to do this, it seems like it's a relatively simple and smallish document, so we should just um already done, like you know, extra lms extensions, for example. I I think without consulting with micro chairs.

B

um I think the bar for uh reasonable extensions is a bit lower.

T

B

If there is enough interest- let's, let's do that um christopher.

E

Yeah, I just wanted to say that was specifically why we went with specification required for the policy so that you don't have to go through the whole process of publishing an rc just to get something in the registry to make it easy um to add new things.

E

So less work overall for everyone, but I will I will email the chairs um and see if we can get the designated experts set up. Okay, thank you.

B

T

B

um I think that's.

T

We had another christopher in there didn't we. uh He just took himself off.

B

All right um great, we have three minutes left and chris uh sacrificed one of his presentations who basically used up all of this time. So I don't think there is a point unless you want to say a few words very quickly.

E

Yeah thanks um uh yeah, there's, definitely not time. um Try to give it just a brief summary of what I was going to talk about.

E

um uh It was mostly going to be a reflection on you know the documents that the cfrg is producing right now um and has produced in the past and their sort of uh importance in the community, um in particular the itf community, and how they use cfrg specifications for specifying protocols, conducting security analysis and whatnot, um trying to point out that there are um there's, probably a number of ways in which we can improve as a group, um the output of the documents in terms of clarity, consistency and uh and correctness, um and it's kind of a plea uh for you- know people to um for volunteers who are interested in like sort of the editorial production of these documents to um uh brainstorm things that can be done to improve document quality.

E

Be it with respect to the pseudo code. That's produced the terminology, that's used in the documents, you name it and up won't, go in the slides or anything but I'll. Try to summarize uh and send a message to the list, um because I think there's there's something we can be done. That can be done here um and um that's.

D

It thank you. Thank you very much.

B

All right, and with this we have one minute left, which I give back to you. Thank you for coming and uh see you online and hopefully again next time.

B

At least hybrid meeting, maybe even fully fledged one.

C

Thank you. Goodbye.

A

A

A