IETF Logo Mail Archive

Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Orie Steele <orie@transmute.industries> Tue, 03 October 2023 14:00 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7508BC15257A for <cfrg@ietfa.amsl.com>; Tue, 3 Oct 2023 07:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbmO0bE3XLZE for <cfrg@ietfa.amsl.com>; Tue, 3 Oct 2023 07:00:22 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB2DC1519AF for <cfrg@irtf.org>; Tue, 3 Oct 2023 07:00:22 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-5230a22cfd1so1626416a12.1 for <cfrg@irtf.org>; Tue, 03 Oct 2023 07:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1696341620; x=1696946420; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+aiVPu5S9SKCSKkXmH2un6VBXAyJyrehuNhU+EP3yvU=; b=fFloqaDJRTDseUH3L9tam/XT3IoC4ExUkiZy0IxyC13+f+zsF/u5zXubsJinz1euou IoHzjQfGa8fsPiHc8G7Gm7sO7tjcdEQHocJS9Ebz8rD4yNg9MvACMNo4N3IbBagLV1ay 08A/DFzL/84/dsUSJn286bUA1ReBVl0fKz8g/paMnabgTpXb/6PMEqwTfxIqsAemh8BN BsLf42ZmaFBn1ii44Fz2SGqzRDPvNPZw48SMmXCO4DsmnrFvtzJKUWqHX7bDUC+Y5M+/ WwVoZiY5BvdtxVntL937IjqpLRDO21FNDh8VMI1H6L4X7RhxiWh2i/eODqjloTDxe8RW gUMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696341620; x=1696946420; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+aiVPu5S9SKCSKkXmH2un6VBXAyJyrehuNhU+EP3yvU=; b=pQldOiRJhzoDf90OrJfJta+3fiaKZ17RL6H2wMPiPtOz4nNKpYu0OBVXAeIJo3JXpf 6Py0w/m01y89zlc+Xt0Ne2HKJ6lOPi9M7i7WuXzNlI5Td1wRqlZyXw1fYlTsCM1+Q6va xbjVgqViKgSClpQWFcI3Vm+vEMii4dU9ocZppJXHufzddopQcf/RNSzZUlmSMwwIGTcr 80xQ+KkV0i3nqGQS94seGOmQX0q6KiJWiz9/1ffzJewyoPclVvkKRtIdJVaZY87c6clZ jJ1GCbSBPInP5/98Dgn8xrSAvE85z+hSuXItiUg0OHNd5o5CH7j/4LellqJC0ffNXouG H1sQ==
X-Gm-Message-State: AOJu0Yw5L3xdOaijAfDxDjjCkY9nusLctGWK1VW/x8b44bOupEYoR0Yt fsjM0CDXaluEzuZSg+vzqLH8GdnUTj5cru9r/4ckWwBVcW4k0x0q0lM=
X-Google-Smtp-Source: AGHT+IEEWKl5izlW+06OO8993Bubt6jQ676hUL0FtmRkBGIkGkcEAmPei0lyz6KM3WJUijHfsf0Uvp1vvlzG4LPSRDg=
X-Received: by 2002:aa7:ca48:0:b0:522:38cb:d8cb with SMTP id j8-20020aa7ca48000000b0052238cbd8cbmr11980497edt.20.1696341619674; Tue, 03 Oct 2023 07:00:19 -0700 (PDT)
MIME-Version: 1.0
References: <169592647633.22478.7564567661859429538@ietfa.amsl.com> <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org> <CABcZeBNG9TTMK7AP8+ecWjzD+k5w6YBOdM0QuePMdc+PD5QXog@mail.gmail.com> <09ef9418-0c6c-3771-a82a-900c8143afc4@lounge.org> <CABcZeBP1+4Tof9K0Zf7mjmHAhqHAs2nqoNSiHhPS9scZJ-E8Hw@mail.gmail.com> <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com> <ZRwY-tB57z30ivp4@LK-Perkele-VII2.locald>
In-Reply-To: <ZRwY-tB57z30ivp4@LK-Perkele-VII2.locald>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 03 Oct 2023 09:00:08 -0500
Message-ID: <CAN8C-_KkPGtyU6MO6c5eivJ=i7hEdmgb7knjeYSvLzjH9VAS1w@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000a8ab9a0606d04f48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ANaLInjLzpKA15ZOB5ApsV0WYNQ>
Subject: Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Oct 2023 14:00:26 -0000

I tend to agree with Ilari, but I would highlight that this is now
essentially a "reputation and naming" issue... not a technical registry
issue.

If you name "HPKE-not-IND-CCA2", HYDE (HYbrid Deterministic public key
Encryption, or some more clever name chosen more carefully to inform users,
of the difference without sarcasm / humor : ), and give it a new
registry...
the name is different, the reputation of both is independent, and the
capabilities of both systems are preserved, including their unique security
properties.

Names, reputation and capabilities matter a lot.

I'd avoid mudding the waters here for HPKE,
but I don't think that should stop people from tackling use cases that need
something that is like HPKE but has different security properties... just
don't call it HPKE, that means new registries.

OS



On Tue, Oct 3, 2023 at 8:37 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Mon, Oct 02, 2023 at 08:52:48AM -0400, Richard Barnes wrote:
> > EKR - I think the point is less procedural / adversarial than you're
> > thinking.  The point of this thread is more seeking feedback for the
> > experts on how to interpret the text in RFC 9180.
> >
> > So the question for the RG is -- Are folks OK with values being
> registered
> > that do not meet the security requirements in the RFC?  Or does
> > Specification Required truly mean that anything that is written down is
> > OK?  Note that the expansive interpretation here would allow obviously
> > insecure things, e.g., null ciphers or ROT13.  (Not saying this request
> is
> > so obviously insecure, but it doesn't meet the RFC's security bar, and we
> > should create a new, undocumented bar, so we're left with no bar.)
> >
> > My personal analysis is that the expansive interpretation is risky,
> > especially if we broaden the lens to CFRG more broadly.  In recent years,
> > there has been a positive trend toward making crypto tools harder to
> misuse
> > -- nonce-reuse-resistant AEAD, more rigid elliptic curves, etc.  In
> > algorithm-agile schemes like HPKE, allowing algorithms that are not safe
> in
> > context goes against this trend.  You wouldn't be able to have confidence
> > your PKE is secure just because you're using HPKE with a registered
> > algorithm, you would have to do a bunch of secondary research to verify
> > that the algorithm is good.  This degrades the value of all the good
> > vetting that CFRG does, because the consumer is left with uncertainty as
> to
> > whether a given construction is safe.  My evaluation in this case is to
> > avoid heading down this particular slippery slope.
>
> In my view, there are two distinct kinds of trouble:
>
> 1) Algorithms that are just broken and insecure.
>
> 2) Algorithms that do not provode expected properties in constructions
> used.
>
> Obiviously, it is not possible to perfectly avoid the first kind, since
> algorithms can go SIKE (or go bad in less dramatic fashion), but being
> conservative avoids most of these.
>
> The second kind can still be very nasty landmines. There have been
> many cases of critical security vulnerabilities arising from using
> algorithms that fail to have expected properties (even if such
> algorithms are not in any way weak).
>
> In general, it is very bad idea to mix algorithms with different
> properties under a single interface.
>
> To archive expected properties for present HPKE interfaces, one needs
> IND-CCA2 (modulo some unexploitable pathological stuff).
>
> I think it is impossible to add support for unreliable multi-message
> to the present HPKE interfaces without running into trouble of the
> second kind. Therefore, to add unreliable multi-message, one would need
> to add new interfaces. And that is much more involved operation than
> just registering new algorithms.
>
>
>
>
> -Ilari
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email