Re: [CFRG] HPKE and Key Wrapping
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 30 March 2022 23:11 UTC
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>, John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6ogE3R8u-sWdGJp6wmdV1ijOw7s>
> Well one difference is that AES-SIV can take a nonce (probabilistic mode) or not (deterministic mode). If no nonce is provided you get DAE security as described in the Rogaway and Shrimpton paper. If a nonce is provided you can get semantic security provided it is never used twice. It does provide misuse protection, though, in the event it is. With AES-GCM-SIV, you have to pass a nonce, it doesn't have a deterministic mode, and it provides the same guarantees under the same nonce use/misuse as AES-SIV.

Yes. And you can compute the boundaries for your use case (whether you do or do not allow for the nonce to repeat, how many times, etc.) for each mode.

> Another difference is the key. AES-SIV uses a "doublewide" key (for AES with a 128-bit key you pass AES-SIV a 256-bit key, AES with 256 uses a 512-bit key) while AES-GCM-SIV uses just a single "normal" sized key. Some people seem to think this is a problem with AES-SIV but KDFs can churn out keys of any length and a call to get a 256-bit key is as easy as a call to get a 512-bit key.

From my point of view, it’s a deficiency of AES-SIV – because it means that instead of feeding the algorithm just one 256-bit key and letting it figure out the rest, I need to create another logical piece that would intake my 256-bit key and produce a pseudo-“key schedule” – aka, AES-SIV input keys. An unnecessary complication (from my point of view).

> Both of them are two-pass modes (in order to achieve misuse resistance) but AES-GCM-SIV is probably faster than AES-SIV due to the fact that it uses a polynomial authenticator that can take advantage of the hardware support for carryless multiply while AES-SIV uses CMAC which is considerably slower. But that advantage would really only be seen on the wire and that is not the use case here. This is userland/key exchange, not kernel-level packet encryption.

Respectfully disagree here. Speed matters, kernel or “userland”. In all of my use cases, at least – which do encrypt packets, but not “in the kernel”.

> Yes, my draft does not discuss passing a nonce to AES-SIV in HPKE but it would be possible to do such a thing because AES-SIV takes a vector of AAD and the nonce can be one component of that vector -- AES-SIV doesn't require a distinct input for a nonce. Since I'm trying to deal with using HPKE in lossy networks, I don't really want to have to deal with a nonce unless I have to and if I do, then I really need to export the sequence number (as indicated in my draft) and in that case the need for a DAE cipher is not really there and I might as well just use AES-GCM in that case.

We’re in agreement here.

> The "single shot" HPKE call would not require a random nonce. It will just use the base nonce that gets generated as part of the HPKE key schedule (since the first and only shot will XOR a sequence number of zero onto that base nonce). So a trusted RNG is needed, yes, but that's necessary to achieve the security guarantees of HPKE in the first place (see section 9.7.5 of RFC 9180); there are no additional requirements placed on an RNG to do "single shot" key wrapping. That said, yes I agree: a nonce-less and misuse-resistant mode would be better. A DAE mode can achieve semantic security when the plaintext carries a (random) key -- the exact use case here -- so the principal complaint of DAE goes away.

Again, yes. Thanks
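The mode under discussion, worked through as an added example that is not part of this thread, of Dan's draft, or of any participant's code: a compact RFC 5297 AES-SIV in Go on top of the standard library's AES and CTR. It shows the three points above in code. S2V absorbs a vector of strings, so a nonce is just one more associated-data component handed to Seal rather than a dedicated input; with no nonce the output is deterministic, and main reproduces the RFC 5297 Appendix A.1 vector; and the "doublewide" key is consumed as a left half for S2V (CMAC) and a right half for CTR. The only inputs are the RFC's own test vector. It assumes Go 1.20 or later for subtle.XORBytes; every name in it is this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// dbl multiplies a 128-bit block by x in GF(2^128) (RFC 5297 Section 2.3).
func dbl(in []byte) []byte {
	out, carry := make([]byte, 16), byte(0)
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	out[15] ^= 0x87 & -carry // reduce when the top bit fell off (branch-free)
	return out
}

// cmac is AES-CMAC (RFC 4493) under the block cipher c.
func cmac(c cipher.Block, msg []byte) []byte {
	k1 := make([]byte, 16)
	c.Encrypt(k1, k1) // L = E_K(0^128)
	k1, k2 := dbl(k1), dbl(dbl(k1))
	x := make([]byte, 16)
	for len(msg) > 16 { // every block except the final one
		subtle.XORBytes(x, x, msg[:16])
		c.Encrypt(x, x)
		msg = msg[16:]
	}
	last := make([]byte, 16)
	copy(last, msg)
	if len(msg) == 16 { // complete final block
		subtle.XORBytes(last, last, k1)
	} else { // partial or empty final block: 10* padding
		last[len(msg)] = 0x80
		subtle.XORBytes(last, last, k2)
	}
	subtle.XORBytes(x, x, last)
	c.Encrypt(x, x)
	return x
}

// s2v (RFC 5297 Section 2.4) binds every vector component: AD strings, an optional nonce, the plaintext last.
func s2v(c cipher.Block, v [][]byte) []byte {
	d := cmac(c, make([]byte, 16))
	for _, s := range v[:len(v)-1] {
		d = dbl(d)
		subtle.XORBytes(d, d, cmac(c, s))
	}
	last, t := v[len(v)-1], make([]byte, 16)
	if len(last) >= 16 { // xorend: XOR D into the rightmost block of the last string
		t = append([]byte{}, last...)
		subtle.XORBytes(t[len(t)-16:], t[len(t)-16:], d)
	} else { // short last string: 10*-pad it and XOR with dbl(D)
		copy(t, last)
		t[len(last)] = 0x80
		subtle.XORBytes(t, t, dbl(d))
	}
	return cmac(c, t)
}

// AESSIV is RFC 5297 AES-SIV: the left half of the "doublewide" key keys S2V, the right half keys CTR.
type AESSIV struct{ mac, ctr cipher.Block }

func NewAESSIV(key []byte) (*AESSIV, error) {
	mac, err1 := aes.NewCipher(key[:len(key)/2])
	ctr, err2 := aes.NewCipher(key[len(key)/2:])
	if err1 != nil || err2 != nil {
		return nil, errors.New("aes-siv: key must be two AES keys (32, 48 or 64 bytes)")
	}
	return &AESSIV{mac, ctr}, nil
}

// ctrXOR runs AES-CTR from Q = V & (1^64 || 0 || 1^31 || 0 || 1^31) (RFC 5297 Section 2.5).
func (s *AESSIV) ctrXOR(v, dst, src []byte) {
	q := append([]byte{}, v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	cipher.NewCTR(s.ctr, q).XORKeyStream(dst, src)
}

// Seal returns V || CTR(plaintext). With no nonce in ad the output is deterministic (DAE); a nonce is just one more ad component.
func (s *AESSIV) Seal(ad [][]byte, plaintext []byte) []byte {
	v := s2v(s.mac, append(append([][]byte{}, ad...), plaintext))
	out := make([]byte, 16+len(plaintext))
	copy(out, v)
	s.ctrXOR(v, out[16:], plaintext)
	return out
}

// Open decrypts, recomputes S2V over ad and the recovered plaintext, and rejects any change to tag, ciphertext, ad or nonce.
func (s *AESSIV) Open(ad [][]byte, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 16 {
		return nil, errors.New("aes-siv: ciphertext too short")
	}
	v, pt := ciphertext[:16], make([]byte, len(ciphertext)-16)
	s.ctrXOR(v, pt, ciphertext[16:])
	if subtle.ConstantTimeCompare(v, s2v(s.mac, append(append([][]byte{}, ad...), pt))) != 1 {
		return nil, errors.New("aes-siv: authentication failed")
	}
	return pt, nil
}

// main reproduces the RFC 5297 Appendix A.1 vector (deterministic mode, one AD component, no nonce).
func main() {
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	siv, _ := NewAESSIV(key)
	fmt.Printf("%x\n", siv.Seal([][]byte{ad}, pt)) // 85632d07c6e8f37f950acd320a2ecc9340c02b9690c4dc04daef7f6afe5c
}
```

The printed value is V, the 16-byte synthetic IV that doubles as the tag, followed by the CTR output. Sealing the same (ad, plaintext) twice yields the same bytes, which is why wrapping a key consumes no per-call randomness: the plaintext is itself uniformly random, so equal ciphertexts reveal nothing an attacker can use. To get the probabilistic mode, pass the nonce as the last element of ad, as in Seal([][]byte{ad, nonce}, pt); a repeated nonce then degrades only to the deterministic guarantee, because S2V still covers the plaintext. On the receiving side the tag is recomputed over the recovered plaintext, so a wrong nonce, altered associated data or a flipped ciphertext byte makes Open return an error and no plaintext.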
- [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Taylor R Campbell
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Christopher Wood
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Richard Barnes
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Neil Madden
- Re: [CFRG] HPKE and Key Wrapping Kampanakis, Panos
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Shay Gueron
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins