Re: [Cfrg] hpke encoding of DH output

Richard Barnes <rlb@ipv.sx> Thu, 20 August 2020 18:30 UTC

References: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie>
In-Reply-To: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 20 Aug 2020 14:29:50 -0400
Message-ID: <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1-hH55slm_V6K28Y0bakKT4klyg>
Subject: Re: [Cfrg] hpke encoding of DH output

Hi Stephen,

I think you're right here.  I just re-checked both the NIST and SECG
specifications for ECDH [1][2], and they're in agreement that the secret
value is the X-coordinate.  I'll work with my coauthors to get this
implemented.

--Richard

[1] Section 5.7.1.2 of
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
[2] Section 3.3.1 of https://www.secg.org/sec1-v2.pdf



On Thu, Aug 20, 2020 at 2:04 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hi,
>
> I ran into an interop problem with draft-05 that I think is
> worth bringing to the list.
>
> Draft-05 says:
>
> "For the variants of DHKEM defined in this document, the
> size Ndh of the Diffie-Hellman shared secret is equal to
> Npk, and the size Nsecret of the KEM shared secret is equal
> to the output length of the hash function underlying the
> KDF."
>
> What that means is that, for the NIST curves, the DH
> value (used to be zz I think) is represented as a public
> key in uncompressed form. My code uses the OpenSSL
> EVP_PKEY_derive() function (same as it did for draft-02)
> which only gives me the X co-ordinate, and OpenSSL doesn't
> seem to have an easy way to get the uncompressed version
> from that. I don't know, but I'd guess that other libraries
> might be similar. In draft-02 only the X co-ordinate was
> used btw, and I don't recall this change being brought
> up on the list.
>
> I don't think there's any security benefit in treating
> the output of the DH operation as a public key. If there
> were, then I'd be fine with changing to use lower level
> calls to do the DH operation. But that seems a bit wrong,
> so I'd argue that we'd be better to not treat the DH
> shared secret value as a public key when encoding that.
>
> Separately, it'd be good to add those values to the
> test vectors - took me a while to find this - in the
> end I had to add more tracing to the go implementation
> to spit out these values.
>
> Lastly, even if we don't make a change, it'd be good
> to add text to clarify this, but I think I'd prefer we
> make the change if there's no security downside.
>
> Cheers,
> S.
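Added illustration of the point both messages make (not code from the HPKE draft, the Go implementation, or either author): a minimal pure-Python P-256 ECDH in which the shared secret is the X-coordinate only, as SP 800-56A 5.7.1.2 and SEC1 3.3.1 specify, so Ndh is 32 bytes while the uncompressed public-key encoding Npk is 65 bytes. The scalars used as private keys are constructed values, and the arithmetic is not constant-time (illustration only).

```python
# P-256 (secp256r1) domain parameters as published by NIST/SECG.
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G  = (GX, GY)
NPK = 65   # uncompressed public key: 0x04 || X || Y
NDH = 32   # DH shared secret: the X-coordinate alone

def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt = _add(pt, pt); k >>= 1
    return acc

def serialize_public_key(pt):
    """SEC1 uncompressed encoding, Npk = 65 bytes."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def deserialize_public_key(enc):
    """Parse an uncompressed point and reject anything not on the curve."""
    assert len(enc) == NPK and enc[0] == 0x04, "expected uncompressed point"
    x, y = int.from_bytes(enc[1:33], "big"), int.from_bytes(enc[33:], "big")
    assert (y * y - (x * x * x + A * x + B)) % P == 0, "point not on curve"
    return (x, y)

def dh(sk, pk_enc):
    """ECDH output as SP 800-56A / SEC1 define it: X-coordinate, Ndh = 32 bytes."""
    pt = _mul(sk, deserialize_public_key(pk_enc))
    assert pt is not None, "shared point is the point at infinity"
    return pt[0].to_bytes(NDH, "big")
```

The same 32-byte value is what OpenSSL's EVP_PKEY_derive() hands back for a P-256 key; re-encoding it as a 65-byte public key is what the draft-05 "Ndh equals Npk" sentence implied.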