NIST’s Proposal of Requirements for an Accordion Mode has been posted on the NIST website in the form of a “Discussion Draft for the NIST Accordion Mode Workshop 2024” at
https://csrc.nist.gov/pubs/other/2024/04/10/proposal-of-requirements-for-an-accordion-mode-dis/iprd .
Morris Dworkin
On behalf of the NIST Cipher Modes Team.
Hi,
Thanks to the NIST Cipher Modes Team for preparing the
discussion draft. The draft was very helpful in getting me to start thinking
about desired properties and applications of the accordion mode.
I agree with Arne that stronger properties than the security
goal in Section 2.2 would be welcome. I kind of assumed that the derived AEAD
would provide commitment but as Arne points out that does not follow from the
definitions. It would be very nice if the derived modes provide commitment when
used for encode-then-encipher authenticated encryption. Preferable fully
commiting with security strength of half the tag length. People will not start
using 256-bit tags in their propriatary non-standardized protocols, but having
64-bit commitment security would practically be a lot better than 0-bits of
commitment security.
Otherwise I have a bit mixed feelings about commitment. On one hand, people building systems that assume that AEADs provides commitment seems quite common. One example I recently thought of is COSE (RFC 9052) [1] that states that “Applications MUST NOT assume that "kid" values are unique. There may be more than one key with the same "kid" value, so all of the keys associated with this "kid" may need to be checked.” I.e., COSE assumes that a ciphertext can only be decrypted under a single key. On the other hand, it is however unclear to me wheater commiting AEADs is the solution. Many of the commitment attacks are on systems using passwords for encryption. Passwords are inheritly insecure and should only be used as part of MFA. In many other cases, a commiting AEAD with 256-bit tags does not seem like the best solution. Taking age [2] as an example. They mitigate that two recipients decrypt to different plaintexts by adding a MAC in the header. Relying on the AEAD for commitment would have caused quite quite expansion as age breaks up the file in chunks and encrypts them separatly. I think the main thing that is needed is more standardized protocols and more formal verification of protocols. I think that there should also be derived modes without tags (for file system encryptiion in existing file systems) as well as short tags. I do not think all parameters should provide strong commitment as that requires very large tags (512-bit tags for 256-bit commitment security
[1] https://www.rfc-editor.org/rfc/rfc9052.html
[2] https://github.com/FiloSottile/age
I agree with Arne that usability is very important. In addition to security properties, I think it is very important to also consider APIs and documentation. One could e.g., argue that users/applications should never even have to care about the details of nonces and replay protection. In addition to documenting the properties an algorithm have, I think it is equally important to clearly describe all the properies an algorithm does not have, preferably with examples. Security properties that you get for free is always welcome, security properties that comes with a performance or additional bytes are more problematic. If people don’t use the new algorithm, any nice security properties are in vain.
Regarding the standardization process, my understanding of “collaborative
process” is that there will not be a competition like AES, LWC, SHA-3, and PQC.
I think NIST could still have a call for proposals, and then “collaboratively”
work on building the best accordion based on that. At the end of the collaborative
effort I expect NIST to have a longer review period that for FIPS 203-205. NIST
publishing a draft for an accordion mode in inviting cryptanalysis would likely
attrack a lot of reasearchers. NIST could even have competition with prizes (money
or honour) for the best attacks.
Cheers,
John Preuß Mattsson
Expert Cryptographic Algorithms and Security Protocols,
Ericsson Research