Re: [CFRG] HPKE and Key Wrapping

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 30 March 2022 23:11 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>, John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] HPKE and Key Wrapping
Date: Wed, 30 Mar 2022 23:11:18 +0000
Message-ID: <4EEF2062-C36D-42EB-B90A-E8B75B1302DC@ll.mit.edu>
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <35bac2f1-b647-4802-def8-9fee5d49d75e@lounge.org> <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <6614055c-d327-b2de-9f1f-ad38d53bf71d@lounge.org>
In-Reply-To: <6614055c-d327-b2de-9f1f-ad38d53bf71d@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6ogE3R8u-sWdGJp6wmdV1ijOw7s>
Subject: Re: [CFRG] HPKE and Key Wrapping

> Well, one difference is that AES-SIV can take a nonce (probabilistic mode) or
> not (deterministic mode). If no nonce is provided you get DAE security as
> described in the Rogaway and Shrimpton paper. If a nonce is provided you can
> get semantic security provided it is never used twice. It does provide misuse
> protection, though, in the event it is. With AES-GCM-SIV, you have to pass a
> nonce, it doesn't have a deterministic mode, and it provides the same guarantees
> under the same nonce use/misuse as AES-SIV.

Yes. And you can compute the boundaries for your use case (whether you do or do not allow for the nonce to repeat, how many times, etc.) for each mode.


> Another difference is the key. AES-SIV uses a "doublewide" key (for AES with
> a 128-bit key you pass AES-SIV a 256-bit key; AES with a 256-bit key uses a 512-bit key)
> while AES-GCM-SIV uses just a single "normal" sized key. Some people seem to
> think this is a problem with AES-SIV but KDFs can churn out keys of any length
> and a call to get a 256-bit key is as easy as a call to get a 512-bit key.

From my point of view, it’s a deficiency of AES-SIV – because it means that instead of feeding the algorithm just one 256-bit key and letting it figure out the rest, I need to create another logical piece that would intake my 256-bit key and produce a pseudo-“key schedule” – aka, AES-SIV input keys. An unnecessary complication (from my point of view).



> Both of them are two-pass modes (in order to achieve misuse resistance) but
> AES-GCM-SIV is probably faster than AES-SIV due to the fact that it uses a
> polynomial authenticator that can take advantage of the hardware support for
> carryless multiply while AES-SIV uses CMAC which is considerably slower. But
> that advantage would really only be seen on the wire and that is not the
> use case here. This is userland/key exchange, not kernel-level packet
> encryption.

Respectfully disagree here. Speed matters, kernel or “userland”. In all of my use cases, at least – which do encrypt packets, but not “in the kernel”.



> Yes, my draft does not discuss passing a nonce to AES-SIV in HPKE but it
> would be possible to do such a thing because AES-SIV takes a vector of AAD and
> the nonce can be one component of that vector-- AES-SIV doesn't require a
> distinct input for a nonce. Since I'm trying to deal with using HPKE in lossy
> networks, I don't really want to have to deal with a nonce unless I have to
> and if I do, then I really need to export the sequence number (as indicated
> in my draft) and in that case the need for a DAE cipher is not really there
> and I might as well just use AES-GCM in that case.

We’re in agreement here.

> The "single shot" HPKE call would not require a random nonce. It will just use
> the base nonce that gets generated as part of the HPKE key schedule (since the
> first and only shot will XOR a sequence number of zero onto that base nonce).
> So a trusted RNG is needed, yes, but that's necessary to achieve the security
> guarantees of HPKE in the first place (see section 9.7.5 of RFC 9180); there are
> no additional requirements placed on an RNG to do "single shot" key wrapping.
>
> That said, yes I agree: a nonce-less and misuse-resistant mode would be better.
> A DAE mode can achieve semantic security when the plaintext carries a (random)
> key-- the exact use case here-- so the principal complaint of DAE goes away.

Again, yes.


Thanks
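Added example, not code from this thread or from either of the drafts it discusses: a stdlib-only Python sketch of two mechanics the exchange above leans on. First, HKDF-Expand (RFC 5869) producing a 256-bit AES-GCM-SIV key and a 512-bit "doublewide" AES-SIV key from the same secret with the same single call, and the RFC 5297 split of the AES-SIV key into its S2V (CMAC) half and its CTR half. Second, RFC 9180's ComputeNonce, where the single-shot case (seq = 0) yields the base nonce unchanged. The `key-wrap-example:` info labels and the stand-in shared secret are assumptions for illustration; HPKE proper derives through LabeledExpand (RFC 9180 section 4), which prefixes a length, "HPKE-v1", the suite id and a label, and that wrapper is omitted here. AES-SIV encryption itself is not implemented.

```python
# Added example (not from the CFRG thread): HKDF-based derivation of AES-SIV /
# AES-GCM-SIV wrapping keys plus RFC 9180's ComputeNonce, stdlib only.
# Assumption: plain HKDF-Expand with an example info label stands in for HPKE's
# LabeledExpand; the shared secret below is a constructed stand-in.
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: OKM = T(1) || T(2) || ..., T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: L must be at most 255 * HashLen")
    okm = b""
    t = b""
    counter = 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_aead_key(shared_secret: bytes, aead_name: str, key_bits: int) -> bytes:
    """One Expand call gives a key of any size: 256 bits for AES-GCM-SIV,
    512 bits ("doublewide") for AES-SIV over AES-256.
    The info label is an assumption for this example; HPKE uses LabeledExpand,
    which prefixes I2OSP(L, 2) || "HPKE-v1" || suite_id || label to the info."""
    info = b"key-wrap-example:" + aead_name.encode("ascii")
    return hkdf_expand(shared_secret, info, key_bits // 8)


def split_siv_key(key: bytes):
    """RFC 5297: the leftmost half of the AES-SIV key feeds S2V (CMAC), the rightmost half feeds CTR."""
    if len(key) not in (32, 48, 64):
        raise ValueError("AES-SIV key must be 256, 384 or 512 bits")
    half = len(key) // 2
    return key[:half], key[half:]


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """RFC 9180 section 5.2 ComputeNonce: base_nonce XOR I2OSP(seq, Nn).
    seq = 0, the single-shot case, returns base_nonce unchanged."""
    nn = len(base_nonce)
    if not 0 <= seq < (1 << (8 * nn)):
        raise OverflowError("sequence number does not fit in Nn bytes")
    return bytes(a ^ b for a, b in zip(base_nonce, seq.to_bytes(nn, "big")))


def rfc5869_selfcheck() -> bool:
    """Check hkdf_extract/hkdf_expand against RFC 5869 Appendix A, test case 1."""
    ikm = b"\x0b" * 22
    salt = bytes(range(13))            # 0x00..0x0c
    info = bytes(range(0xF0, 0xFA))    # 0xf0..0xf9
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    assert rfc5869_selfcheck()
    # Constructed stand-in for the HPKE shared secret; in HPKE it comes out of the KEM and key schedule.
    secret = hkdf_extract(b"", bytes(range(32)))
    gcm_siv_key = derive_aead_key(secret, "AES-GCM-SIV", 256)
    siv_key = derive_aead_key(secret, "AES-SIV", 512)
    s2v_key, ctr_key = split_siv_key(siv_key)
    base_nonce = hkdf_expand(secret, b"key-wrap-example:base_nonce", 12)
    print("AES-GCM-SIV key :", gcm_siv_key.hex())
    print("AES-SIV S2V key :", s2v_key.hex())
    print("AES-SIV CTR key :", ctr_key.hex())
    print("single-shot nonce == base_nonce:", compute_nonce(base_nonce, 0) == base_nonce)
```

The prefix property of HKDF-Expand (the 256-bit output is the first half of the 512-bit output for the same PRK and info) is why the two derivations cost the same call; if the two ciphers were ever used under one context, distinct info labels, as above, keep their keys independent.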