> -----Original Message----- > From: Valery Smyslov <smyslov.i...@gmail.com> > Sent: Thursday, July 30, 2020 4:07 AM > To: Scott Fluhrer (sfluhrer) <sfluh...@cisco.com>; 'Michael Rossberg' > <michael.rossb...@tu-ilmenau.de> > Cc: 'ipsecme mailing list' <ipsec@ietf.org> > Subject: RE: [IPsec] Teaser for pitch talk at IETF 108 > > Hi Scott, > > > > > Actually, it does add value from a crypto point of view, at least > > > > from a > > > specific attack. In a multitarget attack, that is, an attack where > > > we assume that the attacker has encrypted packets from a large > > > number of SAs, and his goal is to recover the keys for any one of > > > the encrypted packets, here is what the attacker can do (assuming > > > GCM or ChaCha20-Poly1305); if he has packet encrypted with each SA > > > with the same nonce, he can guess a key, and generate the internal > > > GCM/ChaCha20 keystream based on that key/nonce combination. He > can > > > then scan through all the packets to see if the encryption makes > > > sense (or the ICV tag works out); this can be done far faster than > > > checking each packet individually. Assuming the packets are > > > encrypted with AES-128, and the attacker has packets from 2**L SAs, > then against this attack, we have only 128-L bits of security. > > > > > > > > By including 32 bits of unpredictable values, we make this attack > > > > 4 billion > > > times harder, and for AES-128, that would give us 160-L bits of > > > security. This doesn't actually add any security against attacks > > > against a single SA, and the salt doesn't actually need to be secret. > > Thank you for the good explanation. > > > > Thanks for clarification. I guess I have been thinking too SA centric. > > > In fact we always discussed AES-256 only. > > > > > > Do you agree that starting the window/sender IDs with random offsets > > > would fix this weakness? > > > > Yes, it would address this weakness. On the other hand, with AES-256, you > don't really need this anyways... > > What's your opinion - if we consider quantum computers (so that the real > strength of AES-256 is 128 bit), then does addition of unpredicted salt to > AES- > 256 make sense?
That is a surprisingly deep question; however since you specified "my opinion", I would say "it doesn't appear to be needed" (but wouldn't hurt anything) Here are some of the complexities (and unknown factors): - We have Grover's algorithm (which is an algorithm that runs on a Quantum Computer that supposedly does "key halving" of symmetric ciphers; that is, it searches for an n bit key in 2*(n/2) time) - However, if we insert the assumption of bounded quantum circuit depth; that is, we insist that we get the result of the search quickly, say, within 1000 years, then the attacker using Grover's algorithm needs to significantly more computation resources to search for a large key, that is, the level of security is significantly higher then what "halve the key" would indicate. With a conventional computer, we can perform parallel searches without increasing the cost (total amount of computation performed); with Grover's, performing the search in parallel cuts into the advantage that Grover's brings to the table. - How expensive is a multitarget comparison for a Quantum Computer (as opposed to a conventional one, where it is cheap)? After all, the entire point of this effort is to use a multitarget comparison to search against a large number of targets at once. This is relevant because if it is of significant cost, it would require more computational resources, which against, would effectively raise the security level achieved. I did glance at a similar scenario a while back; I came to the conclusion that a multitarget version of Grover's would cut circa 10-12 bits from the security level (by searching against circa a million targets - increasing the targets beyond that started to increase the cost most than just adding additional parallel searchers); however this was a fairly informal study, and I never published it. - How costly (in terms of performance and expense) is a Quantum Gate (of various different flavors) compared to conventional gates? This is a constant factor; however if it is large constant (e.g. a Quantum Gate is as expensive as one billion conventional gates), well, a factor of 2**30 really can't be ignored in practice. However, when I plug in plausible numbers to the above unknowns (especially the last; for the previous, we do have some reasonable guesses), I still get that a quantum multicollision attack against AES-256 is still not feasible... _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
