Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Eric Rescorla <ekr@rtfm.com> Sun, 01 October 2023 21:16 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 01 Oct 2023 14:15:51 -0700
To: Dan Harkins <dharkins@lounge.org>
Cc: cfrg@irtf.org

On Fri, Sep 29, 2023 at 12:02 PM Dan Harkins <dharkins@lounge.org> wrote:

>
>    Hello,
>
>    First of all, there's a new version of draft-irtf-cfrg-dnhpke out.
> Please take a look.
>
>    At IETF 116 I was told I could get IANA assigned values without
> the draft becoming an RFC so I applied. I got KEM assignments for
> compressed output but the experts are refusing to approve assignment
> for DAE support because it's not IND-CCA2.
>
>    So let me digress briefly....
>
>    In [1], I noted that this requirement that "all AEADs must be
> IND-CCA2 secure" appeared in -10 of the HPKE I-D without any real
> discussion (it wasn't in -09 and there was no discussion on the
> list) and that I was concerned that they were closing the door on
> my proposal. But I was told in [2] by an author of HPKE, and the
> guy who did the security analysis, that the door wasn't closed and
> that adding new DAE ciphers which were not IND-CCA2 did not affect
> the existing ciphers which were. There was even a pull request for
> HPKE to clarify (see [3]) which I was under the impression allowed
> for addition of new ciphers which were not IND-CCA2 since they were
> not diluting existing security guarantees.
>
>    But now I'm being told by the experts that there is an absolute
> prohibition on using HPKE with a cipher which is not IND-CCA2. I
> believe that is incorrect and certainly that was not part of the
> RGLC approval of the HPKE I-D.
>
>    I would like to hear what other people think and would like the
> experts to be overruled and to approve assignment of the DAE ciphers
> defined in draft-irtf-cfrg-dnhpke-02.
>

Without taking a position on the merits of this issue, it's not clear to me
that CFRG can in fact overrule the experts. Here is what RFC 8126 says
about appeals of registration decisions (
https://datatracker.ietf.org/doc/html/rfc8126#section-10):

   Appeals of protocol parameter registration decisions can be made
   using the normal IETF appeals process as described in [RFC2026],
   Section 6.5 (https://datatracker.ietf.org/doc/html/rfc2026#section-6.5).
   That is, an initial appeal should be directed to the
   IESG, followed (if necessary) by an appeal to the IAB.

That does seem a bit odd for a registry created by an IRTF document,
but nevertheless, I think the process would require you to take it to
the IESG.

-Ekr



>    thanks and regards,
>
>    Dan.
>
> [1]
> https://mailarchive.ietf.org/arch/msg/cfrg/dAhw4TluqDfzKvtatqXvXbW0GVY/
> [2]
> https://mailarchive.ietf.org/arch/msg/cfrg/MOMY2a3srTUpgW2F_76kySv5IKw/
> [3] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233
>
> On 9/28/23 11:41 AM, internet-drafts@ietf.org wrote:
> > Internet-Draft draft-irtf-cfrg-dnhpke-02.txt is now available. It is a
> > work item of the Crypto Forum (CFRG) RG of the IRTF.
> >
> >     Title:   Deterministic Nonce-less Hybrid Public Key Encryption
> >     Author:  Dan Harkins
> >     Name:    draft-irtf-cfrg-dnhpke-02.txt
> >     Pages:   38
> >     Dates:   2023-09-28
> >
> > Abstract:
> >
> >     This document describes enhancements to the Hybrid Public Key
> >     Encryption standard published by CFRG.  These include use of "compact
> >     representation" of relevant public keys, support for key-wrapping,
> >     and two ways to address the use of HPKE on lossy networks: a
> >     deterministic, nonce-less AEAD scheme, and use of a rolling sequence
> >     number with existing AEAD schemes.
> >
> > The IETF datatracker status page for this Internet-Draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-dnhpke/
> >
> > There is also an HTMLized version available at:
> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-dnhpke-02
> >
> > A diff from the previous version is available at:
> > https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-dnhpke-02
> >
> > Internet-Drafts are also available by rsync at:
> > rsync.ietf.org::internet-drafts
> >
> >
> > _______________________________________________
> > CFRG mailing list
> > CFRG@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius