
Re: AES-based PRF for IKEv2

Uri Blumenthal wrote:
>Let me clarify this statement. An [unbroken] block cipher
>is a FAMILY of pseudo random permutations INDEXED by the
>key. So for any GIVEN key this block cipher is a pseudo
>random permutation. It is assumed to be true for AES.

I think you're a little confused about the terminology.
The second sentence above is meaningless.  The term "pseudo
random permutation" -- according to its standard usage in
cryptography -- attaches to a family of permutations, not to a
single permutation on its own.  It makes no sense to say
that a particular permutation (e.g., AES when used with a
particular fixed key) is pseudorandom.

>I would like to see it shown for AES.

I'm not sure you understood the point Hugo and I are making.
Maybe I should try to clarify at more length.  I'm not saying
that your construction is definitely insecure when used with
AES.  I'm not saying it is definitely secure, either.

Rather, I'm suggesting it would be premature to accept your
construction for IPSec.  I'm saying that its security analysis
is not well enough developed.  The assumptions about AES needed
(to ensure the security of your construction) are unclear and
non-standard.  In particular, the PRP assumption does not
guarantee that your construction is secure.  This is all about
understanding what security assumptions we have to make, which
I claim ought to be an important part of any act of modern
cryptographic design.

Your construction might be secure when used with AES, or it might
not.  I don't have any idea whether it is or it isn't.  But we can
say this: It's not enough merely to assume that AES is a secure PRP.
If your construction does happen to be secure, it must be because
AES has some additional security properties that not all PRPs
are guaranteed to have.

The natural question then is whether it is reasonable to assume
that these necessary additional properties hold for AES.  Since
those required properties have never been clearly stated, that
question is hard to answer with confidence without knowing precisely
what those additional assumptions might be.  However, I can say
this much: these additional assumptions are going to be at least
a little bit non-standard.  The standard assumption about AES is
that it is a secure PRP.  "PRP-ness" is the standard goal agreed
upon both by block cipher practitioners and by theoreticians
(though sometimes people try for additional goals).  As a result,
we usually have more confidence in "the PRP assumption" than
we would have in any other assumption.

In short, I believe it would be premature to accept your
proposal.  Here's what I would propose: I suggest working out
a formal security analysis for your construction, running the result
by ietf-cfrg, and if it meets approval there, then let's consider
it for inclusion in IPSec at that point.