Re: [CFRG] misuse-resistant AEAD and HPKE
Dan Harkins <dharkins@lounge.org> Tue, 03 November 2020 00:43 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0C9F3A12E7 for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 16:43:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.145
X-Spam-Level:
X-Spam-Status: No, score=-2.145 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UL_lH3QlrKBK for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 16:43:03 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 237383A12F4 for <cfrg@irtf.org>; Mon, 2 Nov 2020 16:43:03 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QJ70SYHN3BQ4Z@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 02 Nov 2020 18:43:03 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QJ700A503B1RE@trixy.bergandi.net> for cfrg@irtf.org; Mon, 02 Nov 2020 16:42:37 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 02 Nov 2020 16:42:37 -0800
Date: Mon, 02 Nov 2020 16:43:00 -0800
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: CFRG <cfrg@irtf.org>
Message-id: <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_hwT4miXgIaQej014jPmzXQ)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <d2dabd93-0eae-665d-9294-4b81a44670fc@lounge.org> <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [201102] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-4XYw7mqnf2IUZw4xSMji2Tg4xM>
Subject: Re: [CFRG] misuse-resistant AEAD and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 00:43:05 -0000
Hi Richard, On 11/2/20 3:13 PM, Richard Barnes wrote: > Hi Dan, > > I'm not sure what sort of support you have in mind here. If the idea > is just to define some ciphersuites for SIV or whatnot, feel free to > email IANA once the registry exists. The text surrounding the APIs requires the maintenance of state unless you're doing a single-shot version. Just firing off an email to IANA once the registry exists would be a little too late I think. So what I have in mind is some text in section 5.2 explaining that if (let's imagine how this *might* look) the "MRAE" column in table 5 indicates "yes" then the encryption/decryption need not be stateful. The existing ciphers in table 5 would all have "no" in the "MRAE" column. That's one way of doing it. Since there is a separate section for "single shot APIs" using the stateful API from section 5.2 there could also be a new one for "MRAE APIs" that similarly uses the stateful API from section 5.2. That's another way of doing this. There may be others. > I would not be OK with specializing HPKE so that it *only* supports > misuse-resistant AEADs. Even having different behavior for > misuse-resistant vs. not seems like more trouble than it's worth -- > more code paths and more management overhead (is this one > misuse-resistant or not?) in exchange for saving ~2 hash invocations. I'm not suggesting it *only* support misuse-resistant AEAD; not suggesting the removal of anything. Since AES-SIV takes a double-wide key I'm suggesting the addition of AES-SIV-256 and AES-SIV-512 and text describing what they bring to the table. The issue is not the savings of ~2 hash invocations, it's the introduction of misuse-resistance. Dan. > > --Richard > > > On Mon, Nov 2, 2020 at 3:49 PM Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>> wrote: > > > Hello, > > For some use cases it would be good to avoid the stateful > requirements > of the the Seal() and Open() constructs in HPKE. This would seem > especially > important if (skX, pkX) are derived deterministically which could > result > in reuse of a particular nonce-secret for distinct invocations of > Seal() > or Open(). > > Rogaway and Shrimpton formalized the notion of a > misuse-resistant AEAD > scheme in [1]. The mode they defined, AES-SIV, has the following > properties: > > - the nonce can be arbitrary; > - the nonce can repeat without loss of authenticity of the message, > with privacy lost to the extent that one could know that the same > message was sent (if, in fact, it was); > - the nonce is not even required-- truly deterministic AEAD. > > While that last property is pretty cool, it would probably be too > hard to pry into HPKE at this point. But the other properties could > be supported quite straightforwardly I think. > > AES-SIV has been defined in RFC 5297. I would be happy to provide > some suggested text to add support for AES-SIV if there is consensus > that it's a good idea. > > regards, > > Dan. > > [1] "Deterministic Authenticated Encryption, A Provable-Security Treatment > of the Key-Wrap Problem"-- EUROCRYPT '06, St. Petersburg, Russia, 2006. > > > -- > "The object of life is not to be on the side of the majority, but to > escape finding oneself in the ranks of the insane." -- Marcus Aurelius > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org <mailto:CFRG@irtf.org> > https://www.irtf.org/mailman/listinfo/cfrg > -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] misuse-resistant AEAD and HPKE Dan Harkins
- Re: [CFRG] misuse-resistant AEAD and HPKE Richard Barnes
- Re: [CFRG] misuse-resistant AEAD and HPKE Dan Harkins
- Re: [CFRG] misuse-resistant AEAD and HPKE Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] misuse-resistant AEAD and HPKE Dan Harkins