IETF Logo Mail Archive

Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt

Franziskus Kiefer <franziskuskiefer@gmail.com> Fri, 16 July 2021 07:26 UTC

Return-Path: <franziskuskiefer@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 465B83A2AB2 for <cfrg@ietfa.amsl.com>; Fri, 16 Jul 2021 00:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTnIqczyubrj for <cfrg@ietfa.amsl.com>; Fri, 16 Jul 2021 00:26:12 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCF3D3A2AAE for <cfrg@irtf.org>; Fri, 16 Jul 2021 00:26:11 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id w14so11664407edc.8 for <cfrg@irtf.org>; Fri, 16 Jul 2021 00:26:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=YTkDmquHeFybvn2xQqrOxEYQ1khBsB2HQuCXqm8AAec=; b=O6NzCQZTg053jOyXOc+HF3P1SHdH3z8CA7xMtlYQBP3gyeYFRcT3YD31zmE0j4afck /B4Z0G9Ki6+g5chGy4zWdrT8N2mQ5w9/+lwd4Pc0A/ORVZ8VGw0VFR11BdSxjQb9JLVA 8561pl7SFOf9DOWrf65YFaiPY4EBidoFYteKyy2k8ToWkXtoq1vPguID54TMJfnTnSOB W9Ed92U4ap1SsSNHVk7T48ohqyaUlqInM76WVCSyras6107nuQwacIjnYQKyx0vnQKmL KDz7A55KP0pIoiG8BT0LWXuloEb1hVjWaQB2AYhI8rrVbI1ADt9soxTqtHa0BtMel7xE 34wA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=YTkDmquHeFybvn2xQqrOxEYQ1khBsB2HQuCXqm8AAec=; b=gF6uui7DK1W2ulYI+HXh7iFO3pPuacvGYwGQB9HhvyvmhYEhC0VdGz1JSnJ3glUnjo fsH/b72aTXcJwoOxQ8AFV8T+5hYvIljgWhj4+KlWZCZ6zpWYogMXUZvg5q0QCc9Zqmvw hSelDrpxbxb86wl3L3XuzJ0YhVcEyHqqBGR/BkDM34FFngidbB/vmk9ii9n23F03Po9h fIYmSiCL/11/4x1sK0Ikybi11STT+/lT1d6zygbYIyfO5VuAVZyBdIo81w2781PIjgQY fKqxYwjqEv5FIHT7tCN8G5ho7AXBC6OCq6mHpZRlxsuPGQhkwZd2w4aGxEuqRC7InXtk 9Y/A==
X-Gm-Message-State: AOAM531W8QV1Lu9gvOF49RN0NWvrJyBbWBxlUZwH6sfdXyjiUDSGqTqn FEAmJG1rcqlEix0Qw0VxE5CksULRRwRokI6dgKi7C9J9Oma+lg==
X-Google-Smtp-Source: ABdhPJxgYRyaWZ/SNF4ClkiEW/6WoSnqB103wznqJA/lTHRKepJKT1GszkFvZv3TOVwdCGNnvAQrI+pxr1/JMfBQh8Y=
X-Received: by 2002:a05:6402:2935:: with SMTP id ee53mr13031080edb.140.1626420368440; Fri, 16 Jul 2021 00:26:08 -0700 (PDT)
MIME-Version: 1.0
References: <162567329247.15923.4311477568566128956@ietfa.amsl.com> <856d159d-1b7e-ee22-a1da-32b78704da54@lounge.org> <0e12f957-3472-84b9-e152-8372ae520535@lounge.org> <5db11a21-a519-149b-3b14-6a7249e713d3@inria.fr> <c6f748d5-8e24-4272-a9bf-974b2ab09668@www.fastmail.com> <9abed69c-f3d5-3494-a941-5ebf3529ebb4@lounge.org>
In-Reply-To: <9abed69c-f3d5-3494-a941-5ebf3529ebb4@lounge.org>
From: Franziskus Kiefer <franziskuskiefer@gmail.com>
Date: Fri, 16 Jul 2021 09:25:56 +0200
Message-ID: <CAJowLmNHZNeK1LHaj6RsYnam2CUH_xyTut7D5VMVb1L_Q7j6tg@mail.gmail.com>
To: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000051049305c73880aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4HSvWfkfJJ9fkJUM5CDqw4WOYkU>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2021 07:26:17 -0000

Hi all,

>  7.3. Authenticated Encryption with Associated Data (AEAD) Functions

Looking at the IANA considerations I'm wondering why HPKE defines new AEAD
parameters instead of using the existing ones from
https://www.iana.org/assignments/aead-parameters/aead-parameters.xhtml.
Maybe I missed an earlier discussion on it. But I don't see the need for
new AEAD parameters.

Best,
Franziskus

On Tue, 13 Jul 2021 at 19:05, Dan Harkins <dharkins@lounge.org> wrote:

>
>    Chris, Benjamin, et al,
>
>    Thank you very much! That addresses my concern.
>
>    regards,
>
>    Dan.
>
> On 7/13/21 9:43 AM, Christopher Wood wrote:
> > Hi Dan, all,
> >
> > FYI, we just merged this PR to clarify the editorial change:
> >
> >     https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233
> >
> > We'll cut a new version of the draft ASAP.
> >
> > Best,
> > Chris
> >
> > On Tue, Jul 13, 2021, at 3:58 AM, Benjamin Lipp wrote:
> >> Hi Dan,
> >>
> >> On 12/07/2021 23:53, Dan Harkins wrote:
> >>>    I've been having trouble with my mailer and I see in the archives
> you
> >>> responded
> >>> but it's not getting successfully delivered.
> >> That is probably my fault – I first tried to post to the list from the
> >> wrong sender address and so you have probably received my mail twice.
> >> Sorry for that.
> >>
> >>
> >>> The text that's been there for a while talks about the construction
> defined
> >>> in the draft. And yes, use those KEMs and those KDFs and those AEADs
> and
> >>> that's what you get.
> >>>
> >>> But now the draft says,
> >>>
> >>>    "Future specifications may introduce new KEM, KDF, and AEAD
> algorithm
> >>>     identifiers provided they adhere to the security requirements in
> Section
> >>>     9.2, Section 9.3, and Section 9.4, respectively."
> >>>
> >>> And then 9.4 says all AEADs MUST provide IND-CCA2.
> >>>
> >>>    So my reading is that future specifications, like DNHPKE, can
> introduce
> >>> a new AEAD algorithm, which I want to do, provided it provides
> IND-CCA2,
> >>> which SIV does not.
> >> I see now what you mean. I agree the phrasing is problematic or at least
> >> inconvenient if we indeed want to keep the possibility open that some
> >> variants of HPKE do not provide IND-CCA2 but something else/weaker.
> >> Thanks for clarifying.
> >>
> >>
> >>>    If that is your intent I think it can be phrased differently. For
> instance,
> >>> the text in section 7 could be re-written something like:
> >>>
> >>>    "The HPKE construct defined here provides IND-CCA2. Future
> specifications
> >>>     may introduce new KEM, KDF, and AEAD algorithm identifiers and
> retain this
> >>>     security guarantee provided they adhere to the requirements in
> Section 9.2,
> >>>     Section 9.3, and Section 9.4, respectively."
> >>>
> >>> That way it's clear that the intent is to keep the guarantee you need
> all
> >>> the right parts together and if you don't keep all the parts together
> you
> >>> don't get the guarantee.
> >> Thanks for this suggestion.
> >>
> >> I'll bring it to the attention of my co-authors such that we can discuss
> >> what the intent actually was.
> >>
> >> Best regards,
> >> Benjamin.
> >>
> >>
> >>
> >>
> >>
> >>> On 7/12/21 9:39 AM, Dan Harkins wrote:
> >>>>    Hello,
> >>>>
> >>>>    -10 includes a new section, 9.4, that says:
> >>>>
> >>>>       "All AEADs MUST be IND-CCA2-secure, as is currently true for all
> >>>> AEADs
> >>>>        listed in Section 7.3"
> >>>>
> >>>> I don't believe this was discussed on the list and I don't agree with
> it.
> >>>> Using the AEADs in section 7.3 will give you a construction that is
> >>>> IND-CCA2
> >>>> secure but I don't think that all uses of HPKE MUST be.
> >>>>
> >>>>    I have a draft on adding support for deterministic authenticated
> >>>> encryption
> >>>> to HPKE and this subtle addition to -10 closes the door on that. Since
> >>>> we did
> >>>> not discuss this addition I'd like to start discussing it before this
> >>>> draft
> >>>> gets too far.
> >>>>
> >>>>    regards,
> >>>>
> >>>>    Dan.
> >>>>
> >>>> On 7/7/21 8:54 AM, internet-drafts@ietf.org wrote:
> >>>>> A New Internet-Draft is available from the on-line Internet-Drafts
> >>>>> directories.
> >>>>> This draft is a work item of the Crypto Forum RG of the IRTF.
> >>>>>
> >>>>>           Title           : Hybrid Public Key Encryption
> >>>>>           Authors         : Richard L. Barnes
> >>>>>                             Karthik Bhargavan
> >>>>>                             Benjamin Lipp
> >>>>>                             Christopher A. Wood
> >>>>>      Filename        : draft-irtf-cfrg-hpke-10.txt
> >>>>>      Pages           : 104
> >>>>>      Date            : 2021-07-07
> >>>>>
> >>>>> Abstract:
> >>>>>      This document describes a scheme for hybrid public-key
> encryption
> >>>>>      (HPKE).  This scheme provides a variant of public-key
> encryption of
> >>>>>      arbitrary-sized plaintexts for a recipient public key.  It also
> >>>>>      includes three authenticated variants, including one which
> >>>>>      authenticates possession of a pre-shared key, and two optional
> ones
> >>>>>      which authenticate possession of a KEM private key.  HPKE works
> for
> >>>>>      any combination of an asymmetric key encapsulation mechanism
> (KEM),
> >>>>>      key derivation function (KDF), and authenticated encryption with
> >>>>>      additional data (AEAD) encryption function.  Some authenticated
> >>>>>      variants may not be supported by all KEMs.  We provide
> >>>>> instantiations
> >>>>>      of the scheme using widely used and efficient primitives, such
> as
> >>>>>      Elliptic Curve Diffie-Hellman key agreement, HKDF, and SHA2.
> >>>>>
> >>>>>      This document is a product of the Crypto Forum Research Group
> (CFRG)
> >>>>>      in the IRTF.
> >>>>>
> >>>>>
> >>>>> The IETF datatracker status page for this draft is:
> >>>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/
> >>>>>
> >>>>> There is also an HTML version available at:
> >>>>> https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-10.html
> >>>>>
> >>>>> A diff from the previous version is available at:
> >>>>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hpke-10
> >>>>>
> >>>>>
> >>>>> Internet-Drafts are also available by anonymous FTP at:
> >>>>> ftp://ftp.ietf.org/internet-drafts/
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> CFRG mailing list
> >>>>> CFRG@irtf.org
> >>>>> https://www.irtf.org/mailman/listinfo/cfrg
> >>> --
> >>> "The object of life is not to be on the side of the majority, but to
> >>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
> >>>
> >> _______________________________________________
> >> CFRG mailing list
> >> CFRG@irtf.org
> >> https://www.irtf.org/mailman/listinfo/cfrg
> >>
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email