Re: [CFRG] HPKE and Key Wrapping

Richard Barnes <rlb@ipv.sx> Wed, 30 March 2022 19:44 UTC

References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <HE1PR0701MB305054EA87D9754596E754AF891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <101A36AA-CB1E-40D2-95EF-4FBA2DF2E9B0@ll.mit.edu>
In-Reply-To: <101A36AA-CB1E-40D2-95EF-4FBA2DF2E9B0@ll.mit.edu>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 30 Mar 2022 15:43:48 -0400
Message-ID: <CAL02cgRnyCAjp5Qmm0x4+Xw4CVRANrRZwzc93Hs6Bto1aPg6Tg@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/B52chxIAjvXLXKg3ll2rog8yK6A>
Subject: Re: [CFRG] HPKE and Key Wrapping

This thread seems pretty confused.  For purposes of RNG resilience, it
doesn't matter if you use AES-SIV, AES-GCM, or GOST 28147-89 -- none of the
symmetric algorithms are fed by an RNG in HPKE.   The symmetric parameters
are all determined based on the KEM interaction.

So if you want HPKE to survive in a model where you assume the RNG is
compromised, you'll need a KEM that is OK in that model.  And given the
IND-CCA2 requirement and the API, it seems like Encap(pkR) is inevitably
going to rely on an RNG.

--RLB
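
As an added illustration of the point above (example code, not from this thread, and not RFC 9180-conformant: the KDF labels, the DHKEM context string and the function names encap/keySchedule/seal are simplified stand-ins, and rng32 plays the role of the ephemeral key's RNG output), this Go sketch of HPKE base mode makes explicit where randomness enters: only in encap. The key schedule and the per-message nonce are pure functions of the KEM output.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/sha256"
)

// hkdf is single-block HKDF-SHA256 (RFC 5869) with an empty salt; enough for <= 32 bytes.
func hkdf(ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append(append([]byte{}, info...), 0x01))
	return exp.Sum(nil)[:n]
}

// encap is the only step that consumes randomness: rng32 stands in for the 32 bytes an
// RNG would feed DHKEM's ephemeral X25519 key (labels simplified, not RFC 9180's).
func encap(pkR *ecdh.PublicKey, rng32 []byte) (shared, enc []byte, err error) {
	skE, err := ecdh.X25519().NewPrivateKey(rng32)
	if err != nil {
		return nil, nil, err
	}
	dh, err := skE.ECDH(pkR)
	if err != nil {
		return nil, nil, err
	}
	enc = skE.PublicKey().Bytes()
	kemCtx := append(append([]byte("kem"), enc...), pkR.Bytes()...)
	return hkdf(dh, kemCtx, 32), enc, nil
}

// keySchedule derives the AEAD key and base nonce from the shared secret alone: no RNG.
func keySchedule(shared []byte) (key, baseNonce []byte) {
	return hkdf(shared, []byte("key"), 16), hkdf(shared, []byte("base_nonce"), 12)
}

// seal encrypts message number seq under nonce = base_nonce XOR seq, as HPKE does:
// the nonce is a counter, so the AEAD side never touches an RNG either.
func seal(key, baseNonce []byte, seq uint64, pt []byte) []byte {
	nonce := append([]byte{}, baseNonce...)
	for i := 0; i < 8; i++ {
		nonce[11-i] ^= byte(seq >> (8 * i))
	}
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Seal(nil, nonce, pt, nil)
}
```

Feeding encap the same rng32 twice yields the same enc, key and base nonce, which is exactly why RNG resilience has to come from the KEM rather than from the choice of AEAD.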


On Wed, Mar 30, 2022 at 2:10 PM Blumenthal, Uri - 0553 - MITLL <
uri@ll.mit.edu> wrote:

> Key wrapping mechanisms have in the past tried to provide security even in
> the case of compromised RNG and state. To keep that attack model, I think
> HPKE would need to be augmented with something like AES-KWP, AES-SIV, or
> AES-GCM-SIV.
>
> +1
>
> AES-SIV may be better with nonce reuse than AES-GCM-SIV (based on Taylor’s
> analysis), but either one would be OK from a cryptographic point of view.
>
> I would personally choose the algorithm with the best properties over a NIST
> approval stamp (HPKE is not NIST approved either). I think it makes sense
> for CFRG to add AES-SIV and/or AES-GCM-SIV to HPKE.
>
> I have to agree. It makes perfect sense to add AES-SIV and/or AES-GCM-SIV.
> (I could probably live with Deoxys-II-256 from the CAESAR competition as well)
>
> Unfortunately, the NIST approval stamp on cipher modes seems to have lost its
> relevance. Note that despite multiple requests, NIST has yet to “approve” a
> nonce misuse-resistant mode – so far they’ve been saying “no” or “we’re
> thinking about it”.   <Sigh>
>
> Thanks!
>
> *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Martin Thomson <
> mt@lowentropy.net>
> *Date: *Wednesday, 30 March 2022 at 02:32
> *To: *cfrg@irtf.org <cfrg@irtf.org>
> *Subject: *Re: [CFRG] HPKE and Key Wrapping
>
> On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
> > Would it make sense to standardize AES-KWP for HPKE or do CFRG believe
> > that AES-SIV is the future of key wrapping? Irrespectively I think the
> > CFRF should produce a good recommendation on how to use HPKE for key
> > wrapping.
>
> What is wrong with the existing HPKE cipher suites for protecting keying
> materials?  That is, aside from not carrying a NIST approval stamp.
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>