On Tue, Dec 14, 2021 at 10:54:22AM -0800, Martin Duke wrote: > Adding the QUIC WG and removing the Sec ADs. > > Ilari, I would like your input on the questions below. > > On Wed, Nov 24, 2021 at 3:50 PM Martin Duke <[email protected]> wrote: > > > Hi All, > > > > Thanks for the review. I've made an attempt to capture this conversation > > in a PR: > > https://github.com/quicwg/load-balancers/pull/146 > > Please take a look.
That construction can be pretty unbalenced, and I do not know if 4 rounds is sufficient in that case. > > Some questions from earlier in the thread: > > (1) Is it alright if the server ID and nonce are of very different > > lengths, so that the "split" is nowhere near even? Or should we just take > > exactly half the octets even though they represent different information? I tried to look at security of unbalanced Feistel ciphers. One paper I found stated that the general case is open problem. There might be later paper that solved the case, but I did not see one. The result that four rounds is sufficient (given good enough PRF) only hold for balanced case. Unbalanced casese can require more rounds. And they definitely do once things get highly unbalanced. And every octet should avalanche to every octet right (that would certainly happen with block cipher)? So informations being different does not matter. One of the issues with always balancing it is that if number of octets is odd, one of the octets gets split, with 4 bits ending up on one side and 4 to the other. > > (2) Does this have similar security properties to a normal block cipher > > with 16 bytes of entropy? Four round balanced Feistel with good enough PRF is normal block cipher. AES is not a PRF, but I would expect it to behave very close to one if number of samples available is not huge. E.g., trivial collision- checking requires on order of 2^64 samples. -Ilari
