Re: [CFRG] Domain separation in HPKE

Benjamin Lipp <benjamin.lipp@inria.fr> Tue, 02 March 2021 15:20 UTC

Return-Path: <benjamin.lipp@inria.fr>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03EA13A28C7 for <cfrg@ietfa.amsl.com>; Tue, 2 Mar 2021 07:20:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWCAINlbeeCg for <cfrg@ietfa.amsl.com>; Tue, 2 Mar 2021 07:20:33 -0800 (PST)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3AA63A28C5 for <cfrg@irtf.org>; Tue, 2 Mar 2021 07:20:32 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.81,216,1610406000"; d="scan'208";a="374540891"
Received: from c80-217-0-47.bredband.comhem.se (HELO [192.168.0.11]) ([80.217.0.47]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES256-GCM-SHA384; 02 Mar 2021 16:20:29 +0100
To: cfrg@irtf.org
References: <708df80a-bc73-4d91-af33-4bb3fd351808@www.fastmail.com>
From: Benjamin Lipp <benjamin.lipp@inria.fr>
Message-ID: <cabb3ee2-ddb9-fdd2-82c6-a1134001ff92@inria.fr>
Date: Tue, 2 Mar 2021 16:20:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <708df80a-bc73-4d91-af33-4bb3fd351808@www.fastmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6HojUaIlV_4ZmoJqcA-pzCrSXjQ>
Subject: Re: [CFRG] Domain separation in HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 15:20:35 -0000

Dear Martin,

Thanks for your remarks.

> HPKE uses string labels for domain separation.  However, this only works because the labels it uses are carefully chosen so that no label is a prefix of any other.  The draft might benefit from mentioning this constraint as it is not obvious.

The first paragraph of Section 8.5 Domain Separation [1] contains

> […] This is achieved by the different prefix-free label parameters in the calls to LabeledExtract() and LabeledExpand(). […]

Do you think that is sufficient?


> Also in the text on domain separation:
> 
>    One way to ensure this is by using an equal or similar
>    prefixing scheme with an identifier different from "HPKE-v1".
> 
> LabeledExpand includes a 2-byte value that encodes the output length before this label, so this advice is wrong for that.

Indeed. I think the advice should instead just be to use LabeledExtract
and LabeledExpand with prefix-free labels, respecting the suite_id as
defined in Section 4 and using a proper kem_id. I drafted a suggestion
in a pull request:
https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/212

Best regards,
Benjamin


[1]
https://cfrg.github.io/draft-irtf-cfrg-hpke/draft-irtf-cfrg-hpke.html#section-8.5