IETF Logo Mail Archive

Re: [CFRG] misuse-resistant AEAD and HPKE

Dan Harkins <dharkins@lounge.org> Tue, 03 November 2020 00:43 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0C9F3A12E7 for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 16:43:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.145
X-Spam-Level:
X-Spam-Status: No, score=-2.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UL_lH3QlrKBK for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 16:43:03 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 237383A12F4 for <cfrg@irtf.org>; Mon, 2 Nov 2020 16:43:03 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QJ70SYHN3BQ4Z@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 02 Nov 2020 18:43:03 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QJ700A503B1RE@trixy.bergandi.net> for cfrg@irtf.org; Mon, 02 Nov 2020 16:42:37 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 02 Nov 2020 16:42:37 -0800
Date: Mon, 02 Nov 2020 16:43:00 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: CFRG <cfrg@irtf.org>
Message-id: <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_hwT4miXgIaQej014jPmzXQ)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <d2dabd93-0eae-665d-9294-4b81a44670fc@lounge.org> <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [201102] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-4XYw7mqnf2IUZw4xSMji2Tg4xM>
Subject: Re: [CFRG] misuse-resistant AEAD and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 00:43:05 -0000

   Hi Richard,

On 11/2/20 3:13 PM, Richard Barnes wrote:
> Hi Dan,
>
> I'm not sure what sort of support you have in mind here. If the idea 
> is just to define some ciphersuites for SIV or whatnot, feel free to 
> email IANA once the registry exists.

   The text surrounding the APIs requires the maintenance of state unless
you're doing a single-shot version. Just firing off an email to IANA once
the registry exists would be a little too late I think.

   So what I have in mind is some text in section 5.2 explaining that if 
(let's
imagine how this *might* look) the "MRAE" column in table 5 indicates "yes"
then the encryption/decryption need not be stateful. The existing ciphers in
table 5 would all have "no" in the "MRAE" column. That's one way of 
doing it.
Since there is a separate section for "single shot APIs" using the 
stateful API
from section 5.2 there could also be a new one for "MRAE APIs" that 
similarly
uses the stateful API from section 5.2. That's another way of doing 
this. There
may be others.

> I would not be OK with specializing HPKE so that it *only* supports 
> misuse-resistant AEADs.  Even having different behavior for 
> misuse-resistant vs. not seems like more trouble than it's worth -- 
> more code paths and more management overhead (is this one 
> misuse-resistant or not?) in exchange for saving ~2 hash invocations.

   I'm not suggesting it *only* support misuse-resistant AEAD; not 
suggesting
the removal of anything. Since AES-SIV takes a double-wide key I'm 
suggesting
the addition of AES-SIV-256 and AES-SIV-512 and text describing what they
bring to the table.

   The issue is not the savings of ~2 hash invocations, it's the 
introduction of
misuse-resistance.

   Dan.

>
> --Richard
>
>
> On Mon, Nov 2, 2020 at 3:49 PM Dan Harkins <dharkins@lounge.org 
> <mailto:dharkins@lounge.org>> wrote:
>
>
>       Hello,
>
>       For some use cases it would be good to avoid the stateful
>     requirements
>     of the the Seal() and Open() constructs in HPKE. This would seem
>     especially
>     important if (skX, pkX) are derived deterministically which could
>     result
>     in reuse of a particular nonce-secret for distinct invocations of
>     Seal()
>     or Open().
>
>       Rogaway and Shrimpton formalized the notion of a
>     misuse-resistant AEAD
>     scheme in [1]. The mode they defined, AES-SIV, has the following
>     properties:
>
>        - the nonce can be arbitrary;
>        - the nonce can repeat without loss of authenticity of the message,
>          with privacy lost to the extent that one could know that the same
>          message was sent (if, in fact, it was);
>        - the nonce is not even required-- truly deterministic AEAD.
>
>     While that last property is pretty cool, it would probably be too
>     hard to pry into HPKE at this point. But the other properties could
>     be supported quite straightforwardly I think.
>
>       AES-SIV has been defined in RFC 5297. I would be happy to provide
>     some suggested text to add support for AES-SIV if there is consensus
>     that it's a good idea.
>
>       regards,
>
>       Dan.
>
>     [1] "Deterministic Authenticated Encryption, A Provable-Security Treatment
>          of the Key-Wrap Problem"-- EUROCRYPT '06, St. Petersburg, Russia, 2006.
>
>
>     -- 
>     "The object of life is not to be on the side of the majority, but to
>     escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
>     _______________________________________________
>     CFRG mailing list
>     CFRG@irtf.org <mailto:CFRG@irtf.org>
>     https://www.irtf.org/mailman/listinfo/cfrg
>

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email