Re: [CFRG] Questions for the group from the HPKE presentation
Dan Harkins <dharkins@lounge.org> Tue, 10 August 2021 20:58 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5583A1C1C for <cfrg@ietfa.amsl.com>; Tue, 10 Aug 2021 13:58:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6zLXKK0sKJY for <cfrg@ietfa.amsl.com>; Tue, 10 Aug 2021 13:58:23 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4038F3A1C19 for <cfrg@irtf.org>; Tue, 10 Aug 2021 13:58:23 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QXN2FYFL69A3A@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 10 Aug 2021 15:58:22 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QXN00MDH659XE@trixy.bergandi.net> for cfrg@irtf.org; Tue, 10 Aug 2021 13:55:59 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Tue, 10 Aug 2021 13:55:58 -0700
Date: Tue, 10 Aug 2021 13:58:18 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: CFRG <cfrg@irtf.org>
Message-id: <54dc31ca-16e7-44d0-f310-6f0a8babf052@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_7bUYSwmY2GTXrG0qV30eIg)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <CAFDDyk8yZegN6aWSZg=K7Wy+V2upq=GBuvGyQYowrRuehPDqYQ@mail.gmail.com> <CAL02cgTc34pSUOYqFiCKkfcobtj8y5=LashfsDNdabQ6g6P=gQ@mail.gmail.com> <2c0986bc-07c0-ed32-97b6-722fca39253e@lounge.org> <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [210809] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C61hMFOPhbViFYiSZrHbu24sNLU>
Subject: Re: [CFRG] Questions for the group from the HPKE presentation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2021 20:58:29 -0000
An alternative proposal for using HPKE on lossy or unreliable networks... 1000 pardons for the pseudo-python (which undoubtedly has some semantic issues) but that's what HPKE uses so I'm trying to align with that. The idea here is that there is a new API for Seal and Open called DSeal and DOpen. They are passed an additional datum which is used to construct the nonce used by the AEAD algorithm (it no longer uses self.seq to construct the nonce). Senders ensure this is a monotonically increasing number and receivers check whether they've seen this number before in a sliding window of acceptable reordering/dropping. For these APIs I've repurposed seq to be the sender's last sent number and the edge of the receiver's window (seq can be used the old fashioned way when calling Seal() and Open(), I'm not proposing a change to them). The receiver does an immediate droppage check upon receipt and if it passes tries to open the message. If opening succeeds the receiver window is updated to indicate this number has been seen. This is analogous to the floating receiver window that IPsec uses [1] which was written by James Hughes and Harry Varnis, all errors are mine. def ContextS.DSeal(aad, num, pt): if num <= self.seq raise SealError ct = Seal(self.key, self.ComputeNonce(num), aad, pt) self.seq = num return ct def ContextR.DOpen(aad, num, ct): if CheckSeq(num) == Bad raise OpenReplay pt = Open(self.key, self.ComputeNonce(num), aad, ct) if pt == OpenError: raise OpenError else UpdateWindow(num) return pt where CheckSeq() and UpdateWindow() are as follows: windowSize = 32 (or whatever) def CheckSeq(num) if num == 0 return Bad if num > self.seq return Good diff = self.seq - num if diff > windowSize return Bad if and(self.window, (1 << diff)) == 0 return Good else return Bad def UpdateWindow(num) if (num > self.seq) diff = num - self.seq if diff < windowSize self.window <<= diff self.window = or(self.window, 1) else self.window = 1 self.seq = num else diff = self.seq - num self.window = or(self.window, (1 << diff)) return This does not require deterministic authenticated encryption modes but can, instead, use the existing AEAD cipher modes so there is no worry about getting DAE instead of IND-CCA2 when you're dealing with loss and reordering. Bouquets? Brickbats? If this seems like a better way to go I can write it up in an -01 of my draft. regards, Dan. [1] https://datatracker.ietf.org/doc/html/rfc2401#appendix-C On 8/9/21 12:56 AM, Richard Barnes wrote: > W.r.t. (1), the obvious solution to me would be a reordering window > outside of the HPKE implementation. Even if the HPKE implementation > required in-order delivery, the application payloads containing HPKE > ciphertexts could have a sequence number indicating the order in which > they were produced, and the receiving application could use this to > ensure that they were fed to the HPKE implementation in order. > > --RLB > > > On Fri, Aug 6, 2021 at 1:56 PM Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>> wrote: > > > On 8/6/21 3:49 PM, Richard Barnes wrote: >> 1. I don't think this question is well-formed. HPKE isn't an API, >> it is a construction. In fact, the "API considerations" section >> of the HPKE spec is there precisely because there might be >> different APIs to an HPKE implementation. > > It may not be perfectly formed but its obvious what is being > asked. My answer > to it is that once you find out that your contexts are out of sync > it's too late. > I think it's more important to just be able to deal with > out-of-order and lost > packets. > > Yes, it's "a construction"...that hides a datum from the user > and makes the > construction fragile for some use cases. So I'd like to remove > that fragility for > those use cases. The easiest and least intrusive, to the > construction, way is > to just have Nn=0 for these new AEAD algorithms and not worry > about the nonce. > > One thing I failed to mention during my presentation is that > even if the > user adds a counter/nonce as AAD or a plaintext tweak (to hide > whether the same > thing is encrypted twice) and screws it up, the DAE security > guarantees > remain. SIV is the original misuse-resistant mode. > > Instead "resetting the nonce counter" we could do > somethinganalogous to what > IPsec does with a floating window that prevents replay but allows > out-of-order > delivery modulo some limit (really late packets will just get > dropped). But that > might require some changes to the API...err, the construction, so > we'd be back > to a reformed question #1. > >> Given all that, I would be in favor of no action here. There are >> several existing ways for an HPKE-based protocol to deal with >> out-of-order delivery. > > You mean like using deterministic authenticated encryption? If > not that, then what > exactly are you referring to? > >> 2. Personally, I don't have a use case for either of these. > > Well, will you admit that while these might not be your use > cases that they are > legitimate nonetheless? > > Serialization should have never used SEC uncompressed format. > There's no valid > reason to do that. I regret that I didn't bring this issue up > until it was > officially "too late". But that can be rectified pretty easily and > no one will force > you to use compact representation if you really don't want to. > > Dan. > >> On Fri, Aug 6, 2021 at 12:31 PM Nick Sullivan >> <nick=40cloudflare.com@dmarc.ietf.org >> <mailto:40cloudflare.com@dmarc.ietf.org>> wrote: >> >> Dear CFRG participants, >> >> At IETF 111, Dan Harkins made a presentation >> <https://datatracker.ietf.org/meeting/111/materials/slides-111-cfrg-new-kems-and-aeads-for-hpke-00> >> with two proposals: >> - a proposal to define new codepoints for HPKE representing >> new KEMs for compressed NIST points >> - a proposal to define new codepoints to support >> deterministic authenticated encryption schemes that don't use >> a nonce. This is in service of the use case of out-of-order >> delivery of ciphertexts. /In the discussion, it was noted >> thatHPKE uses a nonce to ensure that it never leaks whether >> the same plaintext was encrypted twice and that this proposal >> does not provide this security property./ >> >> Also during the discussion, an alternative proposal was made >> to solve the out-of-order use case: modify the API for HPKE >> to enable the user to reset the nonce counter. This API would >> enable out-of-order delivery of ciphertexts with existing >> HPKE AEADs. >> >> The chairs would like to ask the group a few questions: >> 1) Does the research group support adding an API to HPKE for >> resetting the nonce counter? >> 2) Is there interest in pursuing a work item to explore >> defining either of the following: >> - new codepoints for compressed curve points in HPKE? >> - new codepoints for deterministic authenticated >> encryption in HPKE (given the answer to (1) was no)? >> >> >> >> Regards, >> Nick (for the chairs) >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org <mailto:CFRG@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> <https://www.irtf.org/mailman/listinfo/cfrg> >> > > -- > "The object of life is not to be on the side of the majority, but to > escape finding oneself in the ranks of the insane." -- Marcus Aurelius > -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] Questions for the group from the HPKE pres… Nick Sullivan
- Re: [CFRG] Questions for the group from the HPKE … Richard Barnes
- Re: [CFRG] Questions for the group from the HPKE … Christopher Patton
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Richard Barnes
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Christopher Wood
- Re: [CFRG] Questions for the group from the HPKE … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Questions for the group from the HPKE … Natanael
- Re: [CFRG] Questions for the group from the HPKE … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Martin Thomson
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Martin Thomson
- [CFRG] Utility of nonce misuse resistance [was: Q… Loup Vaillant-David
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins