Re: [Cfrg] hpke encoding of DH output
Richard Barnes <rlb@ipv.sx> Thu, 20 August 2020 18:30 UTC
References: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie>
In-Reply-To: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 20 Aug 2020 14:29:50 -0400
Message-ID: <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1-hH55slm_V6K28Y0bakKT4klyg>
Subject: Re: [Cfrg] hpke encoding of DH output
Hi Stephen,

I think you're right here. I just re-checked both the NIST and SECG specifications for ECDH [1][2], and they're in agreement that the secret value is the X-coordinate. I'll work with my coauthors to get this implemented.

--Richard

[1] Section 5.7.1.2 of https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
[2] Section 3.3.1 of https://www.secg.org/sec1-v2.pdf

On Thu, Aug 20, 2020 at 2:04 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
> Hi,
>
> I ran into an interop problem with draft-05 that I think is
> worth bringing to the list.
>
> Draft-05 says:
>
> "For the variants of DHKEM defined in this document, the
> size Ndh of the Diffie-Hellman shared secret is equal to
> Npk, and the size Nsecret of the KEM shared secret is equal
> to the output length of the hash function underlying the
> KDF."
>
> What that means is that, for the NIST curves, the DH
> value (used to be zz I think) is represented as a public
> key in uncompressed form. My code uses the OpenSSL
> EVP_PKEY_derive() function (same as it did for draft-02)
> which only gives me the X co-ordinate, and OpenSSL doesn't
> seem to have an easy way to get the uncompressed version
> from that. I don't know, but I'd guess that other libraries
> might be similar. In draft-02 only the X co-ordinate was
> used btw, and I don't recall this change being brought
> up on the list.
>
> I don't think there's any security benefit in treating
> the output of the DH operation as a public key. If there
> were, then I'd be fine with changing to use lower level
> calls to do the DH operation. But that seems a bit wrong,
> so I'd argue that we'd be better to not treat the DH
> shared secret value as a public key when encoding that.
>
> Separately, it'd be good to add those values to the
> test vectors - took me a while to find this - in the
> end I had to add more tracing to the go implementation
> to spit out these values.
>
> Lastly, even if we don't make a change, it'd be good
> to add text to clarify this, but I think I'd prefer we
> make the change if there's no security downside.
>
> Cheers,
> S.
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>