Re: [CFRG] Domain separation in HPKE

Benjamin Lipp <> Tue, 02 March 2021 15:20 UTC


Dear Martin,

Thanks for your remarks.

> HPKE uses string labels for domain separation.  However, this only works because the labels it uses are carefully chosen so that no label is a prefix of any other.  The draft might benefit from mentioning this constraint as it is not obvious.

The first paragraph of Section 8.5, Domain Separation [1], contains:

> […] This is achieved by the different prefix-free label parameters in the calls to LabeledExtract() and LabeledExpand(). […]

Do you think that is sufficient?

> Also in the text on domain separation:
>    One way to ensure this is by using an equal or similar
>    prefixing scheme with an identifier different from "HPKE-v1".
> LabeledExpand includes a 2-byte value that encodes the output length before this label, so this advice is wrong for that.

Indeed. I think the advice should instead just be to use LabeledExtract
and LabeledExpand with prefix-free labels, respecting the suite_id as
defined in Section 4 and using a proper kem_id. I drafted a suggestion
in a pull request:

Best regards,
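As an added worked example (not code from the thread or from the HPKE draft itself), the two labeled KDF calls under discussion, written out following the draft's definitions over HKDF-SHA256, together with the prefix-free check the quoted remark asks for. The suite_id follows Section 4; the "app-key" label and all inputs are constructed, and the ids 0x0020/0x0001/0x0001 are the registry values for X25519 DHKEM, HKDF-SHA256 and AES-128-GCM.

```python
import hashlib
import hmac

HASH, HASH_LEN = hashlib.sha256, 32  # HKDF-SHA256 throughout

def i2osp(n: int, length: int) -> bytes:
    return n.to_bytes(length, "big")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract: an empty salt means a string of HASH_LEN zero bytes
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out, counter = out + block, counter + 1
    return out[:length]

def suite_id(kem_id: int, kdf_id: int, aead_id: int) -> bytes:
    # key-schedule suite_id from Section 4; the KEM itself uses "KEM" || I2OSP(kem_id, 2)
    return b"HPKE" + i2osp(kem_id, 2) + i2osp(kdf_id, 2) + i2osp(aead_id, 2)

def labeled_extract(salt: bytes, label: bytes, ikm: bytes, suite: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + suite + label + ikm)

def labeled_info(label: bytes, info: bytes, length: int, suite: bytes) -> bytes:
    # the 2-byte output length comes first, before "HPKE-v1" and the label
    return i2osp(length, 2) + b"HPKE-v1" + suite + label + info

def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int, suite: bytes) -> bytes:
    return hkdf_expand(prk, labeled_info(label, info, length, suite), length)

def is_prefix_free(labels) -> bool:
    # the separation argument needs that no label be a prefix of another label used in the same call
    return not any(a != b and b.startswith(a) for a in labels for b in labels)

def demo() -> dict:
    # constructed inputs; see the lead-in for where the three ids come from
    suite = suite_id(0x0020, 0x0001, 0x0001)
    prk = labeled_extract(b"", b"secret", b"constructed shared secret", suite)
    return {
        "key": labeled_expand(prk, b"key", b"", 16, suite),
        "app_key": labeled_expand(prk, b"app-key", b"", 16, suite),  # hypothetical application label
        "info_prefix": labeled_info(b"key", b"", 16, suite)[:9],
    }
```

Note that `info_prefix` starts with the length bytes, which is why swapping "HPKE-v1" for another identifier is not what separates an application's LabeledExpand calls from HPKE's own; the label set is.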