Thank you Ilari, We'll split the odd octet, if need be. In an hour or two you should see an updated PR that reflects what I think you're recommending.
On Tue, Dec 14, 2021 at 12:31 PM Ilari Liusvaara <[email protected]> wrote: > On Tue, Dec 14, 2021 at 10:54:22AM -0800, Martin Duke wrote: > > Adding the QUIC WG and removing the Sec ADs. > > > > Ilari, I would like your input on the questions below. > > > > On Wed, Nov 24, 2021 at 3:50 PM Martin Duke <[email protected]> > wrote: > > > > > Hi All, > > > > > > Thanks for the review. I've made an attempt to capture this > conversation > > > in a PR: > > > https://github.com/quicwg/load-balancers/pull/146 > > > Please take a look. > > That construction can be pretty unbalenced, and I do not know if 4 > rounds is sufficient in that case. > > > > Some questions from earlier in the thread: > > > (1) Is it alright if the server ID and nonce are of very different > > > lengths, so that the "split" is nowhere near even? Or should we just > take > > > exactly half the octets even though they represent different > information? > > I tried to look at security of unbalanced Feistel ciphers. One paper I > found stated that the general case is open problem. There might be later > paper that solved the case, but I did not see one. > > The result that four rounds is sufficient (given good enough PRF) only > hold for balanced case. Unbalanced casese can require more rounds. And > they definitely do once things get highly unbalanced. > > And every octet should avalanche to every octet right (that would > certainly happen with block cipher)? So informations being different > does not matter. > > One of the issues with always balancing it is that if number of octets > is odd, one of the octets gets split, with 4 bits ending up on one side > and 4 to the other. > > > > (2) Does this have similar security properties to a normal block cipher > > > with 16 bytes of entropy? > > Four round balanced Feistel with good enough PRF is normal block cipher. > > AES is not a PRF, but I would expect it to behave very close to one if > number of samples available is not huge. E.g., trivial collision- > checking requires on order of 2^64 samples. > > > -Ilari >
