Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 18 December 2019 16:19 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01926120963 for <cfrg@ietfa.amsl.com>; Wed, 18 Dec 2019 08:19:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxHGfVTXeV7W for <cfrg@ietfa.amsl.com>; Wed, 18 Dec 2019 08:19:34 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FCC5120925 for <cfrg@irtf.org>; Wed, 18 Dec 2019 08:19:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7AE31BE24; Wed, 18 Dec 2019 16:11:07 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b2eP7v2RxAQ0; Wed, 18 Dec 2019 16:11:05 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 39231BE20; Wed, 18 Dec 2019 16:11:05 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1576685465; bh=EgQrRONdWi3v0iyufEqw2emqDmwz6NDxy/HMS2026qo=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=ssvOqsOG9ZPg/hOtNnpLzcJWlVzYeRRnZl76pe7CHyZyAMeDNEFfx1nCmGQJ0fY8r Jed94kf6uW6jdw7DlqQ3Xdobbexhhj5+lfYajMilkhLbMCMd0/sJmcGuAwuFi2AXmm eZOdYhjI2oNCk2GV1YKqjPjjOU95qv0eGuqz4yeM=
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
References: <F8BB57F1-4490-4FE4-B935-EF1D3C028D81@ericsson.com> <5689d764-d6b2-ddcb-6214-89b998f56f8e@cs.tcd.ie> <20191218155003.GA2202306@LK-Perkele-VII>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <30919e3a-dd3f-00da-85a0-c98b00f476f5@cs.tcd.ie>
Date: Wed, 18 Dec 2019 16:11:03 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <20191218155003.GA2202306@LK-Perkele-VII>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="PtiOwzYNJIplpoHjyxTBmCPSwEgfAagEt"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/1S0YckAXe5ilO1_O2x1Oo-5AZH4>
Subject: Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 16:19:37 -0000
Hiya, On 18/12/2019 15:50, Ilari Liusvaara wrote: > On Wed, Dec 18, 2019 at 01:39:56PM +0000, Stephen Farrell wrote: >> >> On 18/12/2019 13:24, John Mattsson wrote: >> >> Since I didn't get a substantive response on the list, >> I'll repeat: >> >> "Urgh. Why do we always need to define every possible >> option even though there's no real demand? There are >> already far too many combinations of modes and suites >> in hpke." >> >> Having more or less finished my implementation now, I >> feel more strongly that additional combinatoric mess >> is a bad plan. Removing options/simplifying would be >> far better. > > I do not see combinatoric mess. In fact, trying to "simplify" by > eliminating combinations could very well _increase_ complexity due > to some actual combinatorial mess. I'm fine with the encoding of the suites/modes in the HPKE context, so I'm not arguing for a single 16-bit ciphersuite number. But for implementation/test the cobminatorics still kick in - with the current spec there are 96 combinations of mode/kem/kdf/aead. The test vectors have one for each (with one messed up I think and with confusion as to compressed/uncompressed encoding for the NIST curves in others). 96 options is approx 95 (or maybe 94) too many. > > What can not be done is taking various axes, multiplying the > number of points and taking the resulting product as some kind of > metric of "complexity". In many cases, the sum is better metric than > the product. > > Remember the SSL 3.0/TLS 1.0-1.2 ciphersuite mess? That was result > of trying to enumerate combinations. If you think it looks bad, it > is even worse to implement... Even restricted only to recommended > ones. > > That said, I would drop NIST P-521 (as seems pretty much everybody > is using NIST P-384 instead). > > Then SHA-512 is on-the-fence: SHA-384 is likely more than strong > enough, but SHA-384 is not strength-matched with Curve448 (assume > P-521 gets dropped), while SHA-512 is. And having SHA-256, SHA-384 > and SHA-512 is very little additional complexity on top of SHA-256 > and SHA-384. > > If one wanted combined curve/hash pairs, I would have: > > NIST P-256 with SHA-256 > NIST P-384 with SHA-384 > X25519 with SHA-256 > X448 with SHA-512 > > However, this may be bad idea from complexity standpoint (it > does not reduce complexity very much if at all). > > Combining groups with ciphers is definitely a bad idea from > complexity standpoint. > >> We (CFRG) could punt on this by using existing IETF >> IANA registries instead of creating new ones. There is >> an almost fine match between what we need and some >> existing registries (if one squints just a little;-) >> that'd remove all this wrangling from our plate and >> that could result in the hpke RFC having only one MUST >> implement kem, kdf and aead. Additional options could >> then be haggled over in the IETF each time someone >> claims a need before subsequently being ignored by >> almost all implementers and an even higher proportion >> of deployments;-) > > What registeries? Ok, from here on, you'll probably want to hold your noses;-) HPKE currently wants to create IANA registries for the KEM, KDF and AEAD. I think in two of those cases we could fairly easily reuse TLS registries for HPKE - the TLS supported groups [1] is a nice match for the KEM, and the TLS hash algorithms [2] would be fine for the HKDF variant. I'm not sure if it'd be a good or bad idea to use the TLS ciphersuites registry [3] for the AEAD - while one can easily map those I guess the ambiguity could cause interop issues, so maybe that'd be a bad plan. But maybe the AEAD parameters registry [4] would be fine. Or there may also be other IANA registries that could be re-used for HPKE. Cheers, S. [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 [2] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18 [3] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 [4] https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml > > For groups there is the TLS groups, which actually has only four > recommended entries (P256/384 and X25519/448). Unfortunately it > has variety of less-than-cute stuff (not all of that banned in TLS > 1.3) marked not recommended. Bonus points for having 3 entries that > are duplicates except one is banned in TLS 1.3 and one is not. > > Then for ciphers, there is TLS ciphersuite registry for TLS 1.3 > ciphers. That one combines hashes, sometimes in bit cryptographically > "interesting" ways. It also recommends AES-128-CCM, which is not great > (as it is associated with IoT stuff), plus has already got some less- > than-cute stuff (including NULL ciphers and 64-bit tags) marked not > recommended (with more less-than-cute stuff pending). > > And both of these registeries are expert review, so they tend > to accumulate variety of stuff. > > > And future problem point is if someone lobs in some post-quantum key > exchange stuff. Which will work somewhere between poorly and not at > all. And post NISTPQC, that can very well have Recommended set. > > > > -Ilari >
- [Cfrg] Review of draft-irtf-cfrg-hpke-02 John Mattsson
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Richard Barnes
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Stephen Farrell
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Salz, Rich
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 John Mattsson
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Stephen Farrell
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 John Mattsson
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Ilari Liusvaara
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Stephen Farrell
- Re: [Cfrg] Review of draft-irtf-cfrg-hpke-02 Stephen Farrell