Hi Ralph,
> I assume you are referring to symmetric crypto (we already have
> alternatives for pubkey crypto).
I am referring to symmetric-key encryption, signatures, modes of
operation for constructing AEAD, and MACs.
(as you pointed out, we already have alternatives for public key encryption)
Do you agree with the necessity of alternative algorithms?
> Which ones do you have in mind that would fulfill these criteria?
I want to make these viewpoints concrete and to add "satisfying 128-bit
security", which your draft mentions, and "patent free" to these criteria.
I strongly believe that the BCP needs to include alternative algorithms
- with a different design policy from the algorithms your I-D recommends
- which are widely implemented in OSS and are easy to use
- with a public document from a standardizing organization and an
evaluation by a trusted organization
- with 128-bit security
- which are patent free
I believe that the following primitives fulfill the above criteria.
symmetric-key encryption: Camellia, SEED
signature: ECDSA
modes of operation: -
MAC: -
Do you agree with the above criteria and candidates for alternative
algorithms?
[Rationale]
symmetric-key encryption:
* Camellia
- has a different design policy (Feistel structure) from AES
(SPN structure)
- is implemented in OpenSSL 1.0.2, GnuTLS 3.3.5, NSS 3.15.1 and so on
- is standardized in RFC5932, RFC6367, ISO/IEC18033, and ITU-T
and is recommended in NESSIE and CRYPTREC
- has 128-bit security
- is patent free
* SEED
- has a different design policy (Feistel structure) from AES
(SPN structure)
- is implemented in OpenSSL 1.0.2 and NSS 3.15.1 and so on
- is standardized in RFC4162 and ISO/IEC18033
and is recommended in NESSIE and KICS
- has 128-bit security
- is patent free
signature:
* ECDSA
- is based on the ECDLP (the security of RSA is based on
integer factoring)
- is implemented in OpenSSL 1.0.2, GnuTLS 3.3.5, NSS 3.15.1 and so on
- is standardized in RFC6460 and by NIST,
and is recommended in NESSIE and CRYPTREC
- has 128-bit security
- is patent free
modes of operation: -
* I think that CCM is a candidate for an alternative mode of operation and
is widely implemented in embedded devices.
However, I think that CCM is not widely implemented for general use.
For example, CCM is implemented in PolarSSL 1.3.8 and CyaSSL 3.1.0.
On the other hand, CCM is not implemented in OpenSSL 1.0.2,
GnuTLS 3.3.5, and NSS 3.15.1, at least.
(CCM is implemented in the crypto layer of OpenSSL 1.0.2.)
So I think that there is currently no suitable primitive for an
alternative mode of operation. (I assume that the scope of the TLS BCP
does not include embedded devices.)
MAC: -
* There is only HMAC as an alternative algorithm, and
there is HMAC-SHA-3 as a candidate for an alternative hash function.
However, FIPS 202 (SHA-3) calls for public comments before August 26,
2014. Hence, there is currently no suitable primitive for an
alternative MAC.
Best,
Kohei KASAMATSU
(2014/07/26 18:53), Ralph Holz wrote:
> Hi,
>
>> I strongly believe that BCP needs to include alternative algorithms
>> - with different design policy from algorithm which your I-D recommends
>> - which are widely implemented
>> - which are internationally standardized
>
> I assume you are referring to symmetric crypto (we already have
> alternatives for pubkey crypto).
>
> Which ones do you have in mind that would fulfill these criteria?
>
> Ralph
>
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
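The thread's argument turns on whether a candidate family is actually negotiable at the TLS layer of a given library, as opposed to merely present in its crypto layer (the CCM-in-OpenSSL point above). The script below is an added example, not code from the thread or from any of the libraries it names: using only the Python standard library, it asks the linked OpenSSL which TLS 1.2 cipher suites each candidate family maps to. The CANDIDATE_FAMILIES table is constructed here from OpenSSL's own cipher-string aliases (ciphers(1)); the family labels, the function names, and the choice of AES-GCM as the baseline are this example's assumptions.

```python
"""Report which candidate algorithm families the local OpenSSL will actually
negotiate at the TLS layer, using only the Python standard library.

Added example; not part of the mailing-list thread or of OpenSSL/NSS/GnuTLS.
"""
import ssl

# OpenSSL cipher-string aliases for the families discussed in the thread.
# The alias spellings are OpenSSL's (ciphers(1)); the table itself is
# constructed for this example.
CANDIDATE_FAMILIES = {
    "CAMELLIA": "CAMELLIA",  # Camellia bulk-cipher suites
    "SEED": "SEED",          # SEED bulk-cipher suites
    "ECDSA": "ECDSA",        # suites authenticated with ECDSA
    "AESCCM": "AESCCM",      # AES-CCM AEAD suites (CCM mode at the TLS layer)
    "AESGCM": "AESGCM",      # AES-GCM, the baseline the BCP recommends
}


def tls_suites_for(cipher_string):
    """Return the sorted TLS 1.2-and-below suite names that the linked OpenSSL
    enables for an OpenSSL cipher string, or [] if nothing matches.

    TLS 1.3 suites are a fixed list that the cipher string does not govern,
    so they are filtered out; otherwise they would mask an empty match.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a cipher string that selects no TLS 1.2 suite
        # (unknown alias, or the family compiled out / below security level).
        return []
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if c.get("protocol") != "TLSv1.3"
    )


def candidate_report():
    """Map each candidate family to the suites negotiable at the TLS layer."""
    return {family: tls_suites_for(alias)
            for family, alias in CANDIDATE_FAMILIES.items()}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for family, suites in candidate_report().items():
        status = (f"{len(suites)} suite(s)" if suites
                  else "NOT negotiable at the TLS layer")
        print(f"{family:9s} {status}")
        for name in suites:
            print("          ", name)
```

An empty list for a family means the TLS layer of that build will never offer it, whatever the crypto layer implements; the AES-GCM row serves as the control, since any OpenSSL Python links against negotiates it. The check covers only the library Python is linked against, so repeat it against each build you actually ship rather than relying on version numbers quoted in a discussion.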