Re: [CFRG] HPKE test vector request - deterministic key gen that requires iteration

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 16 July 2022 10:42 UTC

Date: Sat, 16 Jul 2022 13:42:04 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <Cfrg@irtf.org>
Message-ID: <YtKV/CNrIOIQ9LX/@LK-Perkele-VII2.locald>
References: <d12619ce-eb68-415e-9c3e-3e2ed37ef263@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <d12619ce-eb68-415e-9c3e-3e2ed37ef263@cs.tcd.ie>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4zwl_y5YN6OU9oeWZOMHNOlOa2w>
Subject: Re: [CFRG] HPKE test vector request - deterministic key gen that requires iteration
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Sat, Jul 16, 2022 at 12:44:09AM +0100, Stephen Farrell wrote:
> 
> Hiya,
> 
> HPKE includes deterministic key generation based on an
> initial key material (IKM) value. There's an iterative
> DeriveKeyPair scheme for NIST curves. [1]
> 
> I recently added some tests using the test vectors from
> RFC9180 but the deterministic key gen ones I found only
> seem to exercise the code that doesn't need to iterate,
> i.e., they succeed immediately with the counter at zero.
> 
> Does anyone have a test vector with an IKM value that
> requires iteration?

No idea if this is correct, but with my implementation of HPKE, I get:

kemid:   P256
ikm:     000000000000000000000000000000000000000000000000000000030138b5ec
dkp_rpk: 55f64db8e620e8373551ae9e45e6802a985b027cd043d73dd0fec6de9e094367
bytes0:  ffffffff213dbec7d0a4e48002a3abc2ae736d3de1e19755c65ee86fba8d7307
bytes1:  02010edfe618aeb55ba93bae1521c4a1e83c3db89cd976cc459a822bd1034bb4

As a note, the first candidate scalar it computes is:

115792089213856954898469474048607274691333539784456088236989463005489886229255

Which exceeds the P-256 order:

115792089210356248762697446949407573529996955224135760342422259061068512044369

(115792089213... > 115792089210...)

The second candidate is:

   906495204980253860296648081872579350626967427403362137130682426765428870068

Which is in range so it is the result.


Finding a P-256 vector causing two iterations would require massive
effort. And finding P-384 and P-521 vectors causing iteration is just
far beyond what can be done. And even single iterations with P-256 are
1 in ~4 billion events.
-Ilari
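The DeriveKeyPair loop under discussion, written out as an added Python example (not Ilari's implementation and not code from RFC 9180, which only gives pseudocode). It implements LabeledExtract/LabeledExpand with HMAC from the standard library, the candidate/bitmask/counter loop of RFC 9180 Section 7.1.3 for DHKEM(P-256), DHKEM(P-384) and DHKEM(P-521), and a function that computes how likely a single candidate is to be rejected, which is where the "1 in ~4 billion" figure for P-256 comes from. The function names are this example's own; the KEM ids, Nsk values, bitmasks and curve orders are the standard ones. Scalar multiplication to produce the public key is deliberately left out, since it is not the part that iterates; the `main` block runs the loop on the IKM reported in the message so the printed candidates can be compared against the bytes0/bytes1 values above.

```python
import hashlib
import hmac
import math

# DHKEM parameters from RFC 9180 (Table 2 and Section 7.1.3). "bits" is the
# width of a masked candidate; the orders are the standard NIST curve orders.
CURVES = {
    "P-256": {"kem_id": 0x0010, "hash": hashlib.sha256, "Nsk": 32, "bitmask": 0xFF, "bits": 256,
              "order": int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)},
    "P-384": {"kem_id": 0x0011, "hash": hashlib.sha384, "Nsk": 48, "bitmask": 0xFF, "bits": 384,
              "order": int("FF" * 24 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16)},
    "P-521": {"kem_id": 0x0012, "hash": hashlib.sha512, "Nsk": 66, "bitmask": 0x01, "bits": 521,
              "order": int("01" + "FF" * 32
                           + "FA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)},
}


def labeled_extract(salt, label, ikm, suite_id, hashfn):
    """LabeledExtract (RFC 9180 Section 4): HKDF-Extract over a labeled IKM."""
    return hmac.new(salt, b"HPKE-v1" + suite_id + label + ikm, hashfn).digest()


def labeled_expand(prk, label, info, length, suite_id, hashfn):
    """LabeledExpand (RFC 9180 Section 4): HKDF-Expand with length-prefixed, labeled info."""
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + suite_id + label + info
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + labeled_info + bytes([i]), hashfn).digest()
        out += block
        i += 1
    return out[:length]


def candidate_scalars(ikm, curve):
    """Yield (counter, scalar) for counter = 0..255 exactly as DeriveKeyPair would compute them."""
    p = CURVES[curve]
    suite_id = b"KEM" + p["kem_id"].to_bytes(2, "big")
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm, suite_id, p["hash"])
    for counter in range(256):
        cand = bytearray(labeled_expand(dkp_prk, b"candidate", bytes([counter]),
                                        p["Nsk"], suite_id, p["hash"]))
        cand[0] &= p["bitmask"]          # for P-521 this keeps only the top bit of byte 0
        yield counter, int.from_bytes(cand, "big")


def select_scalar(candidates, order):
    """The RFC 9180 acceptance loop: the first candidate in [1, order-1] wins.
    At most 256 candidates are examined; exhausting them is DeriveKeyPairError."""
    for counter, sk in candidates:
        if counter > 255:
            break
        if 0 < sk < order:
            return counter, sk
    raise ValueError("DeriveKeyPairError: no valid scalar within 256 candidates")


def derive_private_key(ikm, curve):
    """DeriveKeyPair minus the public-key computation: returns (counter_used, sk)."""
    return select_scalar(candidate_scalars(ikm, curve), CURVES[curve]["order"])


def rejection_probability(curve):
    """Probability that one masked candidate is 0 or >= order, i.e. forces another iteration."""
    p = CURVES[curve]
    rejected = 2 ** p["bits"] - p["order"] + 1
    return rejected / 2 ** p["bits"]


if __name__ == "__main__":
    # The IKM from the message above; the first candidate should print as out of range.
    ikm = bytes.fromhex("000000000000000000000000000000000000000000000000000000030138b5ec")
    order = CURVES["P-256"]["order"]
    for counter, sk in candidate_scalars(ikm, "P-256"):
        print(f"counter {counter}: {sk:064x} {'ok' if 0 < sk < order else 'out of range'}")
        if 0 < sk < order:
            break
    for name in CURVES:
        print(f"{name}: P(candidate rejected) ~ 2^{math.log2(rejection_probability(name)):.1f}")
```

The rejection probability is (2^bits - order + 1) / 2^bits. For P-256 that is about 2^-32 because the order's top 32 bits are all ones; for P-384 it is around 2^-194 and for P-521 around 2^-262, which is why a test vector that iterates on those curves cannot be found by search.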