IETF Logo Mail Archive

Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)

Martin Thomson <mt@lowentropy.net> Tue, 02 April 2024 23:12 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17F58C14F703 for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2024 16:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="oV9y7Ifo"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Hb8Sxiaw"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mlsNJf7ie2oo for <cfrg@ietfa.amsl.com>; Tue, 2 Apr 2024 16:12:15 -0700 (PDT)
Received: from fout1-smtp.messagingengine.com (fout1-smtp.messagingengine.com [103.168.172.144]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DFEFC14F6F1 for <cfrg@irtf.org>; Tue, 2 Apr 2024 16:11:57 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfout.nyi.internal (Postfix) with ESMTP id C547F138009C for <cfrg@irtf.org>; Tue, 2 Apr 2024 19:11:56 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Tue, 02 Apr 2024 19:11:56 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1712099516; x=1712185916; bh=PKSc+ymt5//MEeSwhBk2iV2InMHq5z/JV8qOc21KzEY=; b= oV9y7IfozhbAqovbwy+Z8i5XIZ+VzPtS22RiJPX0BHQIr0a/dN38eXvNvxPge7c+ bp9rcg9Cmbpbq9dCIaPxHkFsHEhFzWNTeNAfqIZimn+V1ooQhK0Od1j32vmMhbKe 5yK2WlyF9H81LKwW7t9OEkv4ZOG5Z57V8VSsVlQi2NDW15wB8Ubpwt3ESGhPmpuO hwNcRYdgnsEYq02hVCndQZDc2AybyrFVObAyKa+5tTDKXdH+WsAX0HPbPTk6310V NMsezF9eryPNJRkgEVUsXgBb7KILUlr8o6Gtmk1e1kWMRLCv4Hov/N6JKhTxWgxQ saKow3Bshy4Vdlo9iYYw1g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1712099516; x= 1712185916; bh=PKSc+ymt5//MEeSwhBk2iV2InMHq5z/JV8qOc21KzEY=; b=H b8SxiawSopGl1DNE7zE9uxIwbaudyNV7S5qzZFdOW1rYXYLHEePuiSsVHVaTHXD2 4Rp1R9db1k07H0Oa4F+gL40epENdWGd58pkIm0VR1AF4zvOvmUuVA2EiPmyYGvPx UH7x1S+2shtvaoe/an8gpWkWHZHRUFm4EqgDedp37jZaYEGEZ/Sh3DjjtsSLWJN7 bA0vTHx5l9uoR1rnxs3xHx75q+1ZzE6OR6JW/PUUJwyK7CGRC8CkX9v3YR7NQ+W2 NsjciQJG5pAdPyv0yr4lTA+BiErZQa5ZQdQGvxMoSZCHIOQocWj3Ank3ieECzW9B 0SsvYfxoHYo2mlF4zUeHw==
X-ME-Sender: <xms:vJAMZjJtJMlhz_0SnCVaAUyyeV-ephVfjq5ejJ4oQtBM48S0IZ5RbQ> <xme:vJAMZnKGq6zWeALlv5EmOT_iaizHSFzzssT4xC08wVIOeZRNBIIRRM4C8znC7ee3b 9oKFzzxDakMuIDs0ak>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudeffedgudelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepteeiveeiledtkeeuff fhtdetvdeiueetuedttdekgfehfeeukedtvefgkeeukedvnecuffhomhgrihhnpehrfhgt qdgvughithhorhdrohhrghdpihhrthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:vJAMZrsCS2TjTBgXgV_6XzshsA65wivZduNJeGFIu-XzK14fueOmHA> <xmx:vJAMZsaXqwu7XmNXX_8M4hpKuPO0vIuUBk0RcrE9YBx21-EKuEgfNQ> <xmx:vJAMZqZHN_2g5wtQIMcuWNQbstBKa5Fr11kUkzrYuyFP_1gnsJTtkQ> <xmx:vJAMZgBC1_x9Oq47qbCg4oW6y7j2nxfLM2bi8oGoFNQAe77GRsgV1g> <xmx:vJAMZtyVVxm8XyWbD4wSD2Pn6tUxU2lLlLaIRbv0iKAI4ogMP9BPDbOg>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 788322340080; Tue, 2 Apr 2024 19:11:56 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-333-gbfea15422e-fm-20240327.001-gbfea1542
MIME-Version: 1.0
Message-Id: <31cdc56a-db7e-4f06-9ac5-818aaa5fd9ea@betaapp.fastmail.com>
In-Reply-To: <F1F7DDAB-1161-48C7-A545-285BE9ABB31A@gmail.com>
References: <20240130102359.887F91A3A476@rfcpa.amsl.com> <F1F7DDAB-1161-48C7-A545-285BE9ABB31A@gmail.com>
Date: Wed, 03 Apr 2024 10:11:36 +1100
From: Martin Thomson <mt@lowentropy.net>
To: cfrg@irtf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-gPshrtnwEGJTtI5ysZ2CmKK0XQ>
Subject: Re: [CFRG] Fwd: [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 23:12:21 -0000

>From my perspective, this erratum at least is not really errata-worthy.  It's great feedback on the document, but not strictly an error that needs correction. Oversights, omissions, and lost opportunities are to be expected.

The correct disposition for this sort of thing is "Hold for Document Update".

On Wed, Apr 3, 2024, at 07:46, Neil Madden wrote:
> Anyone know what’s going on with errata for HPKE? I reported this one 
> in January and not heard anything about it. There appears to be 3 
> errata on RFC 9180 that are in “reported” state, 2 of which date back 
> to 2022. Is anyone looking at them?
>
> Regards,
>
> Neil
>
> Begin forwarded message:
>
>> *From:* RFC Errata System <rfc-editor@rfc-editor.org>
>> *Date:* 30 January 2024 at 10:24:00 GMT
>> *To:* rlb@ipv.sx, karthikeyan.bhargavan@inria.fr, ietf@benjaminlipp.de, caw@heapingbits.net, irsg@irtf.org
>> *Cc:* neil.e.madden@gmail.com, rfc-editor@rfc-editor.org
>> *Subject:* *[Technical Errata Reported] RFC9180 (7790)*
>> 
>> The following errata report has been submitted for RFC9180,
>> "Hybrid Public Key Encryption".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7790
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Neil Madden <neil.e.madden@gmail.com>
>> 
>> Section: 9.1.2
>> 
>> Original Text
>> -------------
>>   A detailed computational analysis of HPKE's Auth mode single-shot
>>   encryption API has been done in [ABHKLR20].  The paper defines
>>   security notions for authenticated KEMs and for authenticated public
>>   key encryption, using the outsider and insider security terminology
>>   known from signcryption [SigncryptionDZ10].  The analysis proves that
>>   DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for
>>   all Diffie-Hellman groups specified in this document. 
>> 
>> 
>> Corrected Text
>> --------------
>>   A detailed computational analysis of HPKE's Auth mode single-shot
>>   encryption API has been done in [ABHKLR20].  The paper defines
>>   security notions for authenticated KEMs and for authenticated public
>>   key encryption, using the outsider and insider security terminology
>>   known from signcryption [SigncryptionDZ10].  The analysis proves that
>>   DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of 
>>   Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman 
>>   groups specified in this document. It does not fulfill the notion of
>>   Insider-Auth defined in the paper.
>> 
>> Notes
>> -----
>> The referenced paper defines four notions of security, Outsider-CCA, Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE meets the first three, but, contrary to the current text of the RFC, it proves that it does *not* meet Insider-Auth security and that this is infeasible for HPKE. This is an important negative security result that should have been highlighted in the RFC.
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". (If it is spam, it 
>> will be removed shortly by the RFC Production Center.) Please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> will log in to change the status and edit the report, if necessary.
>> 
>> --------------------------------------
>> RFC9180 (draft-irtf-cfrg-hpke-12)
>> --------------------------------------
>> Title               : Hybrid Public Key Encryption
>> Publication Date    : February 2022
>> Author(s)           : R. Barnes, K. Bhargavan, B. Lipp, C. Wood
>> Category            : INFORMATIONAL
>> Source              : Crypto Forum Research Group
>> Area                : N/A
>> Stream              : IRTF
>> Verifying Party     : IRSG
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://mailman.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email