Hi,
At the Third NIST Workshop on Block Cipher Modes of Operation 2023, NIST presented Ascon and asked for comments.
https://csrc.nist.gov/csrc/media/Presentations/2023/update-on-standardization-of-ascon-family/images-media/sess-6-turan-bcm-workshop-2023.pdf
- I think the current tentative decisions on page 20 sounds great.
- I think publishing as Special Publication (SP) instead of FIPS makes a lot of sense. I think most people want standards as soon as possible.
- I think 64- and 96-bit tags sounds ok. I don’t see a strong need for other sizes in the NIST specification. It would be good if NIST describes the forgery probability as a function of the tag length t in the specification. People might want to use Ascon with
32 bit tags in future radio link layers. But I don’t see a strong need for NIST to add that as an approved mode. If NIST explains that Ascon with t bit tags give t bit security, people and other SDOs can figure out when it is ok to use for their use cases.
- I support changing to little-endian for more efficient implementations.
- “Support for additional functionalities (PRF, MAC, KDF, DRBG etc.)” sounds great. What about Ascon in Ed25519 and ECDSA? I think Robert Moskowitz expressed a very strong interest in that.
- I assume that encryption without message expansion might come later. The Block Cipher Techniques project is looking at that right now but the outcome might not use block ciphers and instead rely on permutation based crypto using SHAKE or TurboSHAKE. A solution
for SHAKE/TurboSHAKE would likely be easy to adopt for Ascon.
Cheers,
John
--
To unsubscribe from this group, send email to lwc-forum+...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/lwc-forum
---
To unsubscribe from this group and stop receiving emails from it, send an email to lwc-forum+...@list.nist.gov.
Thanks Mustafa,
I will look at the links you sent.
I notice that I wrote “If NIST explains that Ascon with t bit tags give t bit security”, I don’t know if that is true. It would be good if NIST describes the security achieved with tags shorter than 128 bits. Some algorithms are more suitable to short tags
than others. I don’t know how Ascon behaves.
>the standard should keep at least a variant with 128-bit tag
I think NIST plans to add 64 and 96 in addition to 128. I agree that 128 bit tags should be kept.
Cheers,
John
On 6 Oct 2023, at 8:34 PM, Mustafa Khairallah <khair...@ieee.org> wrote:
No worries!
>> “If NIST explains that Ascon with t bit tags give t bit security”I think this is true if the scheme has no other issues (the security is not actually less than t). What i meant by my email is that this security drop would refer to both privacy and forgery probability, and addressing forgery probability only may not be sufficient.>> Some algorithms are more suitable to short tags than others. I don’t know how Ascon behaves.
Actually, based on the generic attacks presented in these papers (e.g. [1,Section 3]), any online AE scheme is vulnerable to this partial decryption attack.In FSE 2023 rump session, I presented a similar attack on two-pass schemes (eg SIV) and on any scheme that allows both short messages and short tags simultaneously, concluding that a scheme that allows short tags without substantial privacy/decryption issues would almost (but not quite) an enciphering scheme (e.g. AEZ). The paper is still work-in-progress but you can find the rump session slides here:
On 6 Oct 2023, at 10:40 PM, Robert Moskowitz <r...@labs.htt-consult.com> wrote:
Mustafa,