Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Christopher Wood <caw@heapingbits.net> Mon, 02 October 2023 17:01 UTC

From: Christopher Wood <caw@heapingbits.net>
Message-Id: <DF685977-C75E-428F-9A4A-9E7062DDAF18@heapingbits.net>
Date: Mon, 02 Oct 2023 12:51:31 -0400
In-Reply-To: <c5f570b2-c49e-b44a-947e-575798afca2e@lounge.org>
Cc: cfrg@irtf.org
To: Dan Harkins <dharkins@lounge.org>
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com> <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org> <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com> <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com> <C1948A98-B3E4-42EE-BDDC-31BCFD0656FA@akamai.com> <CH0PR11MB5739C38E222CE46C63D56CC69FC5A@CH0PR11MB5739.namprd11.prod.outlook.com> <c5f570b2-c49e-b44a-947e-575798afca2e@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/57TTD41d8fsKUvHIP_stgLZn8QQ>

> On Oct 2, 2023, at 12:27 PM, Dan Harkins <dharkins@lounge.org> wrote:
> 
>   But getting back to this procedural issue. One of the editors of
> HPKE (and I believe the person who did the security analysis), when it 
> was still an I-D, said that "the door is not closed" on using a DAE cipher 
> mode. And I expressed confusion given the new text that just appeared 
> in -10 of that I-D, so clarifying text was added to say that you get an
> IND-CCA2 guarantee when you abide by the requirements in 9.4. The 
> implication being, you can get a DAE mode assignment but then you 
> will not have the IND-CCA2 guarantee. That was the impression that the 
> editors were giving when they accepted the pull request. Now, post
> publication, I am being told something quite different. 

I believe this is a misinterpretation of facts. If you look at the entire email, Benjamin writes:

"The draft on DNHPKE contains the following paragraph:

> The security guarantee of the HPKE AEAD modes is IND-CCA2. This is achieved in part through the unique nonce requirement they all share. By removing the requirement for a unique nonce, the security guarantee of HPKE is changed for these new DAE cipher modes but the security of the existing AEAD modes is unchanged.

https://www.ietf.org/archive/id/draft-harkins-cfrg-dnhpke-00.html

Here, the DNHPKE draft changes the security guarantee for HPKE. If the
draft can do that, it should also be able to override the requirement
for AEADs used within HPKE?"

This again points to the need to update the requirement that IND-CCA2 security is required for all future AEADs, as specified in Section 9.4.

In any case, regardless of what “impression” was given on the list, what matters here is the requirement as written in RFC9180, and that requirement is quite clear. If you want to make forward progress, the correct course of action is to try and build consensus around safely relaxing this requirement in RFC9180, rather than trying to work around the requirement itself.

Best,
Chris

> 
>   regards,
> 
>   Dan.
> 
> [1]  https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
> 
>> ---
>> Mike Ounsworth
>>  
>> From: CFRG <cfrg-bounces@irtf.org> <mailto:cfrg-bounces@irtf.org> On Behalf Of Salz, Rich
>> Sent: Monday, October 2, 2023 8:30 AM
>> To: Richard Barnes <rlb@ipv.sx> <mailto:rlb@ipv.sx>; Eric Rescorla <ekr@rtfm.com> <mailto:ekr@rtfm.com>
>> Cc: cfrg@irtf.org <mailto:cfrg@irtf.org>
>> Subject: [EXTERNAL] Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
>>  
>> My interpretation of the question here is:
>> - HPKE has been proven IND-CCA2 secure if the KEM and AEAD are IND-CCA2 secure
>> - RFC 9180 makes no claims about the security of the construction if the AEAD is *not* IND-CCA2 secure
>> - The request here is to register an AEAD algorithm that is affirmatively *not* IND-CCA2 secure (can't be, not even claimed to be)
>>  
>> If this is an accurate summary, then I don’t see a reason for the experts to reject the algorithm.
>>  
>> So the question for the RG is -- Are folks OK with values being registered that do not meet the security requirements in the RFC?
>>  
>> Well, the RFC doesn’t have that requirement.  It says “if X then Y” not “only X is valid.” But I gave it a quick read, so if I’m wrong please point to the section where it says IND-CCA2 is required.
>>  
>> The TLS registries have learned that we need to have a notes column, and a recommended-or-not column. Perhaps an update that adds a Note column and the draft could say “not IND-CCA2”. In fact, the IANA action to add that column could be part of this draft.
>>  
>>  
>> 
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org <mailto:CFRG@irtf.org>
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> -- 
> "The object of life is not to be on the side of the majority, but to
> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
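The thread turns on one technical fact: a deterministic AE mode takes no nonce, so the same (key, aad, plaintext) always produces the same ciphertext, and an adversary who can ask for encryptions can tell repeated messages apart, which is exactly what IND-CPA (and hence IND-CCA2) forbids. The script below is an added illustration of that point, not code from RFC 9180, the dnhpke draft, or any of the posters. It builds two toy schemes from HMAC-SHA256 alone so it runs offline: an SIV-style DAE (the tag doubles as the IV) and a nonce-based encrypt-then-MAC scheme standing in for HPKE's AEADs. Neither is RFC 5297 AES-SIV or AES-GCM; the HMAC-counter keystream, the 16-byte tag and the 12-byte random nonce are assumptions made for brevity. It then runs the standard equality distinguisher from the IND-CPA game against both.

```python
"""Why a DAE mode cannot meet the IND-CCA2 bar HPKE sets for its AEADs.

Added example (toy constructions, stdlib only). Not RFC 5297 AES-SIV, not
AES-GCM, not RFC 9180 code: the HMAC-counter keystream, 16-byte tag and
12-byte random nonce are assumptions chosen to keep the file self-contained.
"""
import hashlib
import hmac
import os

TAG_LEN = 16  # assumption: truncated HMAC output used as SIV / tag


def _keystream(k_enc: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy PRF, assumption)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(k_enc, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _mac(k_mac: bytes, *parts: bytes) -> bytes:
    """Length-prefixed MAC over several fields so field boundaries are unambiguous."""
    h = hmac.new(k_mac, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(8, "big"))
        h.update(p)
    return h.digest()[:TAG_LEN]


def dae_seal(key: bytes, aad: bytes, pt: bytes) -> bytes:
    """SIV-style DAE: the tag is a PRF of (aad, pt) and is reused as the IV.
    There is no nonce input, so equal (key, aad, pt) give equal ciphertexts."""
    k_mac, k_enc = key[:32], key[32:64]
    siv = _mac(k_mac, aad, pt)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, siv, len(pt))))
    return siv + ct


def dae_open(key: bytes, aad: bytes, sealed: bytes) -> bytes:
    """Decrypt under the SIV, then recompute the SIV over (aad, pt) and compare."""
    k_mac, k_enc = key[:32], key[32:64]
    siv, ct = sealed[:TAG_LEN], sealed[TAG_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, siv, len(ct))))
    if not hmac.compare_digest(_mac(k_mac, aad, pt), siv):
        raise ValueError("DAE authentication failed")
    return pt


def dae_rejects(key: bytes, aad: bytes, sealed: bytes) -> bool:
    """True if dae_open refuses the ciphertext (used to show the tag still binds)."""
    try:
        dae_open(key, aad, sealed)
    except ValueError:
        return True
    return False


def nae_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    """Nonce-based AE (encrypt-then-MAC). A fresh nonce per call is what makes two
    encryptions of the same plaintext differ: the "unique nonce requirement"."""
    k_mac, k_enc = key[:32], key[32:64]
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    return ct + _mac(k_mac, nonce, aad, ct)


def equality_attack(seal, b: int, m0=b"attack at dawn", m1=b"attack at dusk") -> int:
    """One run of the IND-CPA game. The adversary first queries Enc(m0), then gets
    the challenge Enc(m_b) and guesses b = 0 iff the two ciphertexts are identical."""
    c_known = seal(b"", m0)
    c_chal = seal(b"", m1 if b else m0)
    return 0 if c_known == c_chal else 1


def dae_oracle(key: bytes):
    return lambda aad, pt: dae_seal(key, aad, pt)


def nae_oracle(key: bytes):
    # Challenger draws a fresh random 12-byte nonce per query (assumption).
    return lambda aad, pt: nae_seal(key, os.urandom(12), aad, pt)


def advantage(oracle) -> float:
    """Pr[guess == b] averaged over b in {0, 1}: 1.0 is a perfect distinguisher,
    0.5 means the equality test tells the adversary nothing."""
    wins = sum(equality_attack(oracle, b) == b for b in (0, 1))
    return wins / 2


if __name__ == "__main__":
    key = os.urandom(64)
    print("DAE equality distinguisher success:", advantage(dae_oracle(key)))
    print("nAE equality distinguisher success:", advantage(nae_oracle(key)))
```

The DAE still authenticates (a flipped ciphertext byte is rejected), so it is a perfectly good key-wrap or "misuse-resistant" primitive; what it cannot do is hide that two HPKE messages under the same export key carried the same plaintext, which is the gap the thread is arguing about. Feeding the HPKE per-message nonce into the DAE as associated data would restore that hiding, but then the mode is no longer nonce-free, which is the point of the draft.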