Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 08 September 2020 21:41 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
CC: "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Date: Tue, 08 Sep 2020 21:41:11 +0000
Message-ID: <BN7PR11MB2641A86B0BC57A1BAD8E1465C1290@BN7PR11MB2641.namprd11.prod.outlook.com>
References: <CAMr0u6k5Yx1i6KmdZVvBmonQHPDT_3+tWNTdJkpyLLRrwWuLfg@mail.gmail.com>
In-Reply-To: <CAMr0u6k5Yx1i6KmdZVvBmonQHPDT_3+tWNTdJkpyLLRrwWuLfg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/BK7qIG4tNfbmpWGz8NWMG2lfDuI>
Subject: Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke

Sorry for being a bit later than the deadline, however here are some comments anyways.

This is a fairly boring document (boring in cryptography is, of course, a good thing); one concern I had was whether it required concat’ing two variable length fields (which would lead to the possibility of a post-concat collision); I’m pretty sure that in all cases at most one of the inputs is variable length, but someone may want to double check.

Section 5.2
This section correctly states that the encryption (which is a nonce-based AEAD method) needs to be stateful.  However, it also makes the decryption process stateful; that is, if one encrypted message is lost or corrupted, then later encrypted messages cannot be decrypted.  Is this the intended semantic?

Section 7.1.2
   The keys that "DeriveKeyPair()" produces have only as much entropy as
   the provided input keying material.  For a given KEM, the "ikm"
   parameter given to "DeriveKeyPair()" SHOULD have length at least
   "Nsk", and SHOULD have at least "Nsk" bytes of entropy.
Well, for the defined KEMs (all EC-based), this isn’t bad advice (and is obviously sufficient in all cases).  However, if someone were to define, say, a McEliece KEM, well, it’s rather dramatic overkill (and, yes, as per the note below, McEliece wouldn’t work; it’s just an example).  It might be better to list the suggested entropy based on the security target of the KEM, rather than the secret key length.

One security property (section 8.1) that this does not provide is replay protection; if an adversary were to replay a previous set of messages, the receiver would decrypt it successfully into a replay of the original plaintext messages.  While this property would be difficult to provide with a noninteractive protocol, this (IMHO) should be listed as a caveat in the security properties section.

Finally, not a correction, but a word of warning to the authors: this doesn’t translate as well as one would hope into the postquantum realm.  The problem is that (unless you’re relying on PSKs) this design uses a Noninteractive Key Exchange (NIKE) with CCA security; ECDH is a fine example, but postquantum versions are harder to come by.  In particular, none of the NIST finalists and alternatives are NIKEs, and so they would not work here.  Again, this is not something requiring any change to the text…
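Editor's added illustration of the two behaviours raised above (the stateful decryption of Section 5.2 and the lack of replay protection in Section 8.1); this is example code written for this archive page, not code from the thread or from the HPKE draft or its reference implementations. It models the draft's encryption context, in which the AEAD nonce is base_nonce XOR I2OSP(seq, Nn) and seq advances only after a successful Seal or Open. The AEAD itself is a constructed HMAC-based stand-in, not a real cipher, and KEY and BASE_NONCE are constructed constants rather than KeySchedule outputs derived from a KEM shared secret; the names Context, toy_seal, toy_open, demo_lost_message and demo_transcript_replay are chosen here.

```python
import hashlib
import hmac

Nn = 12        # AEAD nonce length in bytes (AES-GCM / ChaCha20-Poly1305 in the draft)
TAG_LEN = 16


def i2osp(n, length):
    """Integer to big-endian octet string, as I2OSP in the draft."""
    return n.to_bytes(length, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- Constructed toy AEAD: an HMAC keystream plus an HMAC tag. Stand-in only, not a real cipher. ---
def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + i2osp(ctr, 4), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _tag(key, nonce, aad, ct):
    msg = b"tag" + nonce + i2osp(len(aad), 4) + aad + ct
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def toy_seal(key, nonce, aad, pt):
    ct = xor(pt, _keystream(key, nonce, len(pt)))
    return ct + _tag(key, nonce, aad, ct)


def toy_open(key, nonce, aad, ct_tag):
    ct, tag = ct_tag[:-TAG_LEN], ct_tag[-TAG_LEN:]
    if not hmac.compare_digest(_tag(key, nonce, aad, ct), tag):
        raise ValueError("AEAD authentication failed")
    return xor(ct, _keystream(key, nonce, len(ct)))


class Context:
    """HPKE-style context (draft Section 5.2): nonce = base_nonce XOR I2OSP(seq, Nn)."""

    def __init__(self, key, base_nonce):
        self.key = key
        self.base_nonce = base_nonce
        self.seq = 0

    def compute_nonce(self):
        return xor(self.base_nonce, i2osp(self.seq, Nn))

    def increment_seq(self):
        if self.seq >= (1 << (8 * Nn)) - 1:
            raise OverflowError("message limit reached")
        self.seq += 1

    def seal(self, aad, pt):
        ct = toy_seal(self.key, self.compute_nonce(), aad, pt)
        self.increment_seq()
        return ct

    def open(self, aad, ct):
        # seq advances only after a successful open, as in the draft's Open()
        pt = toy_open(self.key, self.compute_nonce(), aad, ct)
        self.increment_seq()
        return pt


# Constructed stand-ins for KeySchedule outputs; real HPKE derives them from the KEM shared secret.
KEY = hashlib.sha256(b"constructed demo key").digest()
BASE_NONCE = hashlib.sha256(b"constructed demo base_nonce").digest()[:Nn]


def demo_lost_message():
    """Receiver opens message 0; message 1 is lost; message 2 then fails to open."""
    sender, receiver = Context(KEY, BASE_NONCE), Context(KEY, BASE_NONCE)
    cts = [sender.seal(b"", m) for m in (b"m0", b"m1", b"m2")]
    first_ok = receiver.open(b"", cts[0]) == b"m0"
    try:
        receiver.open(b"", cts[2])   # receiver seq is 1, but cts[2] was sealed under seq 2
        later_ok = True
    except ValueError:
        later_ok = False
    # A late-arriving cts[1] still opens, because the receiver's seq never moved past 1.
    late_ok = receiver.open(b"", cts[1]) == b"m1"
    return first_ok, later_ok, late_ok


def demo_transcript_replay():
    """Replaying a whole transcript into a fresh context (same enc => same key/base_nonce) succeeds."""
    sender = Context(KEY, BASE_NONCE)
    transcript = [sender.seal(b"", m) for m in (b"m0", b"m1")]
    first = Context(KEY, BASE_NONCE)
    replayed = Context(KEY, BASE_NONCE)   # what re-processing the same enc would reproduce
    a = [first.open(b"", c) for c in transcript]
    b = [replayed.open(b"", c) for c in transcript]
    return a == b == [b"m0", b"m1"]
```

demo_lost_message returns (True, False, True): once a ciphertext is missing, every later one fails authentication because the receiver's nonce no longer matches, yet the missing one still opens if it turns up later, since seq only advances on success. demo_transcript_replay returns True, which is the replay point: nothing in the context itself distinguishes a fresh transcript from a replayed one, so an application needing replay protection has to add it above HPKE.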

From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev
Sent: Sunday, August 16, 2020 4:50 AM
To: CFRG <cfrg@irtf.org>
Cc: cfrg-chairs@ietf.org
Subject: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke

Dear CFRG participants,

This message starts a second 2-week RGLC on "Hybrid Public Key Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ for the latest version of the draft.

We are having the second RGLC because we didn't have much feedback during the first RGLC and because we have obtained two new Crypto Panel reviews:
https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/
https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/

Please send your comments, as well as expression of support to publish as an RFC (or possible reasons for not doing so) in reply to this message or directly to CFRG chairs.

Regards,
Stanislav, Nick and Alexey