Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Eric Rescorla <ekr@rtfm.com> Sun, 01 October 2023 22:56 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 01 Oct 2023 15:55:34 -0700
Message-ID: <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com>
To: Dan Harkins <dharkins@lounge.org>
Cc: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3eJcr20mirOlLXlBZW15aTSm0u0>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Sun, Oct 1, 2023 at 3:46 PM Dan Harkins <dharkins@lounge.org> wrote:

>
>   Hi Eric,
>
> On 10/1/23 2:15 PM, Eric Rescorla wrote:
>
> On Fri, Sep 29, 2023 at 12:02 PM Dan Harkins <dharkins@lounge.org> wrote:
>
>>
>>    Hello,
>>
>>    First of all, there's a new version of draft-irtf-cfrg-dnhpke out.
>> Please take a look.
>>
>>    At IETF 116 I was told I could get IANA assigned values without
>> the draft becoming an RFC so I applied. I got KEM assignments for
>> compressed output but the experts are refusing to approve assignment
>> for DAE support because it's not IND-CCA2.
>>
>>    So let me digress briefly....
>>
>>    In [1], I noted that this requirement that "all AEADs must be
>> IND-CCA2 secure" appeared in -10 of the HPKE I-D without any real
>> discussion (it wasn't in -09 and there was no discussion on the
>> list) and that I was concerned that they were closing the door on
>> my proposal. But I was told in [2] by an author of HPKE, and the
>> guy who did the security analysis, that the door wasn't closed and
>> that adding new DAE ciphers which were not IND-CCA2 did not affect
>> the existing ciphers which were. There was even a pull request for
>> HPKE to clarify (see [3]) which I was under the impression allowed
>> for addition of new ciphers which were not IND-CCA2 since they were
>> not diluting existing security guarantees.
>>
>>    But now I'm being told by the experts that there is an absolute
>> prohibition on using HPKE with a cipher which is not IND-CCA2. I
>> believe that is incorrect and certainly that was not part of the
>> RGLC approval of the HPKE I-D.
>>
>>    I would like to hear what other people think and would like the
>> experts to be overruled and to approve assignment of the DAE ciphers
>> defined in draft-irtf-cfrg-dnhpke-02.
>>
>
> Without taking a position on the merits of this issue, it's not clear to
> me that CFRG can in fact overrule the experts. Here is what RFC 8126 says
> about appeals of registration decisions (
> https://datatracker.ietf.org/doc/html/rfc8126#section-10):
>
>    Appeals of protocol parameter registration decisions can be made
>    using the normal IETF appeals process as described in [RFC2026],
>    Section 6.5 <https://datatracker.ietf.org/doc/html/rfc2026#section-6.5>.  That is, an initial appeal should be directed to the
>    IESG, followed (if necessary) by an appeal to the IAB.
>
>
> That does seem a bit odd for a registry created by an IRTF document, but nevertheless, I think the process would require you to take it to the IESG.
>
>
>   My point is that the experts are wrong in their interpretation of what
> RFC 9180 says. There was discussion on the list about forbidding
> deterministic AE cipher modes and one of the editors (who I believe is
> also the guy who did the security analysis) said they weren't prohibited.
> The editors even agreed to a pull request to clarify this. It was
> certainly presented as "door not closed" when discussed in RGLC, yet when
> RFC 9180 comes out the experts say "door is closed". So I believe they are
> enforcing a rule that the RG was told was not there prior to publication.
> If the RG agrees then I do not think this prohibition exists and the
> experts are mistaken in their reading of the RFC.
>

Hi Dan,

I understand the point you're making, though, as I said, I haven't really
formed an opinion about the merits of your argument.

My only point here is that I don't believe there is any process by which the
RG tells the Experts that they are reading the document wrong, other than
to publish an RFC (e.g., further clarifying, or perhaps just registering the
code point). So, even if everyone in the RG other than the experts were to
disagree with the experts, that would just be advisory and not binding.

To be clear, I think this is a bug in 8126 and there needs to be some
IRTF-specific text, but presumably that's not going to happen today.

-Ekr



>   I do appreciate you pointing out the appeals process though. It may come
> to that.
>
>   regards,
>
>   Dan.
>
> -Ekr
>
>
>
>>    thanks and regards,
>>
>>    Dan.
>>
>> [1]
>> https://mailarchive.ietf.org/arch/msg/cfrg/dAhw4TluqDfzKvtatqXvXbW0GVY/
>> [2]
>> https://mailarchive.ietf.org/arch/msg/cfrg/MOMY2a3srTUpgW2F_76kySv5IKw/
>> [3] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233
>>
>> On 9/28/23 11:41 AM, internet-drafts@ietf.org wrote:
>> > Internet-Draft draft-irtf-cfrg-dnhpke-02.txt is now available. It is a
>> work
>> > item of the Crypto Forum (CFRG) RG of the IRTF.
>> >
>> >     Title:   Deterministic Nonce-less Hybrid Public Key Encryption
>> >     Author:  Dan Harkins
>> >     Name:    draft-irtf-cfrg-dnhpke-02.txt
>> >     Pages:   38
>> >     Dates:   2023-09-28
>> >
>> > Abstract:
>> >
>> >     This document describes enhancements to the Hybrid Public Key
>> >     Encryption standard published by CFRG.  These include use of
>> >     "compact representation" of relevant public keys, support for
>> >     key-wrapping, and two ways to address the use of HPKE on lossy
>> >     networks: a deterministic, nonce-less AEAD scheme, and use of a
>> >     rolling sequence number with existing AEAD schemes.
>> >
>> > The IETF datatracker status page for this Internet-Draft is:
>> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-dnhpke/
>> >
>> > There is also an HTMLized version available at:
>> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-dnhpke-02
>> >
>> > A diff from the previous version is available at:
>> > https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-dnhpke-02
>> >
>> > Internet-Drafts are also available by rsync at:
>> > rsync.ietf.org::internet-drafts
>> >
>> >
>> > _______________________________________________
>> > CFRG mailing list
>> > CFRG@irtf.org
>> > https://www.irtf.org/mailman/listinfo/cfrg
>>
>> --
>> "The object of life is not to be on the side of the majority, but to
>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>>
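The registration dispute above turns on one technical claim: a deterministic, nonce-less AEAD is not IND-CCA2, which is what RFC 9180 asks of registered AEADs. The following is an added illustration, not part of the thread and not the construction in draft-irtf-cfrg-dnhpke: a toy SIV-style deterministic AEAD next to a toy nonce-based encrypt-then-MAC AEAD, both built from HMAC-SHA256 (the key sizes, the `SeqContext` class, the sample messages and the choice to model the draft's "rolling sequence number" as a sequence number sent alongside each ciphertext are all my assumptions). It shows why the property fails, and also what the draft is trying to buy with it: in a simplified IND-CPA game the adversary wins outright against the deterministic scheme because equal plaintexts give equal ciphertexts (so it cannot be IND-CCA2 either), whereas the randomised scheme gives no advantage; and on a lossy transport HPKE's implicit counter nonce (RFC 9180, Section 5.2) desynchronises after one dropped message, while an explicit sequence number or a nonce-less scheme keeps decrypting.

```python
import hashlib
import hmac
import os

KEY = os.urandom(64)  # toy sizing: 32-byte MAC key || 32-byte encryption key
TAG_LEN = 16

def prf(key, data):  # HMAC-SHA256 is the PRF for everything below
    return hmac.new(key, data, hashlib.sha256).digest()

def keystream(key, iv, n):  # PRF in counter mode: stretch (key, iv) to n bytes
    blocks = (n + 31) // 32
    return b"".join(prf(key, iv + i.to_bytes(4, "big")) for i in range(blocks))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _framed(aad, body):
    return len(aad).to_bytes(4, "big") + aad + body  # unambiguous (aad, body) encoding

# Deterministic, nonce-less AEAD: toy SIV-style construction (assumed, not the draft's).
def dae_seal(key, aad, pt):
    k_mac, k_enc = key[:32], key[32:]
    iv = prf(k_mac, _framed(aad, pt))[:TAG_LEN]  # synthetic IV doubles as the tag
    return iv + xor(pt, keystream(k_enc, iv, len(pt)))

def dae_open(key, aad, ct):
    k_mac, k_enc = key[:32], key[32:]
    iv, body = ct[:TAG_LEN], ct[TAG_LEN:]
    pt = xor(body, keystream(k_enc, iv, len(body)))
    if not hmac.compare_digest(prf(k_mac, _framed(aad, pt))[:TAG_LEN], iv):
        return None  # authentication failure
    return pt

# Nonce-based AEAD: toy encrypt-then-MAC (assumed).
def aead_seal(key, nonce, aad, pt):
    k_mac, k_enc = key[:32], key[32:]
    body = xor(pt, keystream(k_enc, nonce, len(pt)))
    return body + prf(k_mac, nonce + _framed(aad, body))[:TAG_LEN]

def aead_open(key, nonce, aad, ct):
    k_mac, k_enc = key[:32], key[32:]
    body, tag = ct[:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(prf(k_mac, nonce + _framed(aad, body))[:TAG_LEN], tag):
        return None
    return xor(body, keystream(k_enc, nonce, len(body)))

def random_nonce_seal(key, aad, pt):  # fresh random nonce, carried in the ciphertext
    nonce = os.urandom(12)
    return nonce + aead_seal(key, nonce, aad, pt)

def ind_cpa_success_rate(seal, key, rounds=8):
    """Simplified IND-CPA game: the adversary asks for Enc(m0), then receives the
    challenge Enc(m_b) and guesses b = 0 iff it equals the earlier ciphertext.
    Returns the fraction of correct guesses (0.5 = no advantage); b cycles 0,1,0,1."""
    m0, m1 = b"attack at dawn", b"attack at dusk"
    wins = 0
    for i in range(rounds):
        b = i % 2
        probe = seal(key, b"", m0)
        challenge = seal(key, b"", (m0, m1)[b])
        wins += (0 if challenge == probe else 1) == b
    return wins / rounds

class SeqContext:
    """HPKE-style context (RFC 9180, Section 5.2): nonce = base_nonce XOR seq, and
    seq advances after each successful Seal/Open; nothing about seq goes on the wire."""
    def __init__(self, key, base_nonce):
        self.key, self.base_nonce, self.seq = key, base_nonce, 0

    def nonce_for(self, seq):
        return xor(self.base_nonce, seq.to_bytes(len(self.base_nonce), "big"))

    def seal(self, aad, pt):
        ct = aead_seal(self.key, self.nonce_for(self.seq), aad, pt)
        self.seq += 1
        return ct

    def open(self, aad, ct):
        pt = aead_open(self.key, self.nonce_for(self.seq), aad, ct)
        if pt is not None:
            self.seq += 1
        return pt

def lossy_network_run(drop_index=1):
    """Send three messages, lose one in transit, and decrypt the survivors three ways:
    implicit HPKE-style counter, explicit sequence number on the wire, nonce-less DAE."""
    msgs = [b"m0", b"m1", b"m2"]
    key, base_nonce = os.urandom(64), os.urandom(12)
    tx, rx = SeqContext(key, base_nonce), SeqContext(key, base_nonce)
    wire = [(tx.seq, tx.seal(b"", m)) for m in msgs]  # (seq, ct); seq read before seal
    dae_wire = [dae_seal(key, b"", m) for m in msgs]
    del wire[drop_index], dae_wire[drop_index]
    implicit = [rx.open(b"", ct) for _, ct in wire]  # receiver counts 0, 1 but gets 0, 2
    explicit = [aead_open(key, rx.nonce_for(seq), b"", ct) for seq, ct in wire]
    nonceless = [dae_open(key, b"", ct) for ct in dae_wire]
    return {"implicit_seq": implicit, "explicit_seq": explicit, "dae": nonceless}
```

The equality leakage exposed by `ind_cpa_success_rate` is not a bug in the toy; it is inherent to any deterministic scheme, and the DAE security notion (Rogaway and Shrimpton's) deliberately accepts it as the price of needing no nonce state on either side. That is the gap between "misuse-resistant and fine on a lossy link" and "IND-CCA2 as RFC 9180 requires" that the registration experts are pointing at. In `lossy_network_run`, the implicit-counter receiver returns `None` for the message after the gap and stays stuck there, which is the lossy-network problem both of the draft's mechanisms set out to avoid.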