Re: [CFRG] HPKE and Key Wrapping
Taylor R Campbell <campbell+cfrg@mumble.net> Wed, 30 March 2022 10:27 UTC
Return-Path: <campbell@mumble.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7640F3A19A4 for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 03:27:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.089
X-Spam-Level:
X-Spam-Status: No, score=0.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URI_DOTEDU=1.997] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oJ2opj8csPxe for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 03:27:26 -0700 (PDT)
Received: from jupiter.mumble.net (jupiter.mumble.net [74.50.56.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED8393A19EB for <cfrg@irtf.org>; Wed, 30 Mar 2022 03:27:25 -0700 (PDT)
Received: by jupiter.mumble.net (Postfix, from userid 1014) id C64F260BA2; Wed, 30 Mar 2022 10:27:24 +0000 (UTC)
From: Taylor R Campbell <campbell+cfrg@mumble.net>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
In-reply-to: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> (john.mattsson=40ericsson.com@dmarc.ietf.org)
Date: Wed, 30 Mar 2022 10:27:24 +0000
Sender: Taylor R Campbell <campbell@mumble.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <20220330102724.C64F260BA2@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/29KqpUZnDI0KGYz0HAq3HN7iuUw>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 10:27:31 -0000
> Date: Wed, 30 Mar 2022 08:51:44 +0000 > From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> > > How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do > we need both algorithms in the future? Does AES-GCM-SIV with a fixed > nonce provide the same properties as nonce-less AES-SIV or is there > a difference? There is a fairly substantial difference. In the Daence paper I drew a table of advantage bounds for AES-SIV and AES-GCM-SIV, using the best formulae I could find (with the function/permutation-switching lemma of https://cr.yp.to/papers.html#permutations that gives better bounds than the conventional q*(q - 1)/2 used in most papers): https://eprint.iacr.org/2020/067.pdf#page=5 Smaller advantage bounds, i.e., larger values of n in the 2^-n terms, are better. 1 means no advantage bound has been proven at all for these parameters. This table was computed using the logic at https://github.com/riastradh/daence/blob/master/adv.py which cites the sources in the literature I used for the formulae. You can reuse the same logic to recompute bounds for different message sizes/numbers if what you're looking for isn't in the table, of course. It may be worth noting that the security advertisment in RFC 8452 for AES-GCM-SIV explicitly discourages nonce reuse even between different users (different keys), which means you should even avoid the policy of sequential message numbers that, e.g., TLS 1.3 uses with AES-GCM to rule out a class of attacks: https://datatracker.ietf.org/doc/html/rfc8452#page-12 The bottom line is that AES-GCM-SIV is designed for randomized nonces, with some level of protection if your RNG fails. In contrast, AES-SIV is designed for security without nonces at all, and is particularly well-suited to key-wrap, which should come as no surprise since that's what it was designed for originally, as sung in Appendix F of: https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.html
- [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Taylor R Campbell
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Christopher Wood
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Richard Barnes
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Neil Madden
- Re: [CFRG] HPKE and Key Wrapping Kampanakis, Panos
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Shay Gueron
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins