Re: [CFRG] Fixing the multi-shot API of HPKE
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Sun, 14 February 2021 01:53 UTC
Return-Path: <prvs=16797bde60=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6D4E3A12A7 for <cfrg@ietfa.amsl.com>; Sat, 13 Feb 2021 17:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.005
X-Spam-Level:
X-Spam-Status: No, score=0.005 tagged_above=-999 required=5 tests=[MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDKzNw-86g76 for <cfrg@ietfa.amsl.com>; Sat, 13 Feb 2021 17:53:45 -0800 (PST)
Received: from llmx3.ll.mit.edu (LLMX3.LL.MIT.EDU [129.55.12.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 571293A12A5 for <cfrg@irtf.org>; Sat, 13 Feb 2021 17:53:44 -0800 (PST)
Received: from LLE2K16-MBX02.mitll.ad.local (LLE2K16-MBX02.mitll.ad.local) by llmx3.ll.mit.edu (unknown) with ESMTPS id 11E1re83022232; Sat, 13 Feb 2021 20:53:40 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Sse3RLyhSuQY6zR/qzjFcVQq6yMDKgfSJgBq5Rj5GQZ6+Z2BhvJ39CIAC8zXcbhdhw59so9ZK1ADa3r/Ei/4lSS3PkZDsKsdOH7PUlhIr7pZIKdmK99NRulpDCkbpKUhKuUIrIzs5ZXpSb44cVNab2z950bRiGax145wuRHujuNp0f5Pn/VhC5S4ASVeUk4tbrJx5ULOl8zrjDP0/jx8EMVUCeqW5tZ/V7e97b4ks1HybzFhjiZ5fTBRHLmQSlLLvj4vI6zJB18Nmte49n9Xd6oj0mVtTLBogk8beLQYD65IS0LUHJLpv6O4n5b0WohepFddoWI5rjDjKM6n7TszMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=TrVexq1bRmK8EWLnK1kI38LzyptYMlcXOxCE7Z/l3y0=; b=HmufGWgptD8t9POaMgCaNURBGBQPebPmY+pHMq/R8HP7t2JR+exixGbHpFKwPp3b/F+tNwn8P0K8XPfF6dJ7XqrtmSjjIYvOdHreLHz4i6Q/+veOnh32vP/r3kVbxosCUjI6Agb72Kyq0bbhC5tz5sdg+IVTSKDiwEW64C4Er8p4Ql8aC66ZwvtmZfN+D2d4u8lFuvfTBq0mdZQGNPQhGXTYpXWbyQkxXWFzCvlynUMKob718FOwMond+F8iBa+rlSs970LuOCQnCY/cULAolYP2HqpRGzo7gGlrV55oyl95R6XJg0ogR7HZQm+95XRzVaf9NFe/EZbTLj9+b37mIg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>, Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Fixing the multi-shot API of HPKE
Thread-Index: AQHXAZcMrnaBhuTgpUC9Z0BiBgaMoKpV7okAgAAVyoCAAI0RgA==
Date: Sun, 14 Feb 2021 01:53:37 +0000
Message-ID: <0E497EBB-0D08-45D7-B75F-691EAEBB1925@ll.mit.edu>
References: <c089c88b-c5f6-f228-31a3-fb4e97a436c8@lounge.org> <4FCD508B-0ECB-4F7B-B252-B92CDFBC5B8B@gmail.com> <1ded9ec0-4da1-981d-fedc-709ca301c166@lounge.org>
In-Reply-To: <1ded9ec0-4da1-981d-fedc-709ca301c166@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.44.20121301
authentication-results: lounge.org; dkim=none (message not signed) header.d=none;lounge.org; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: daf4b6ea-7480-4f37-f1ca-08d8d08b587c
x-ms-traffictypediagnostic: DM3P110MB0556:
x-microsoft-antispam-prvs: <DM3P110MB0556B4EBE2AD9444824DD3EB90899@DM3P110MB0556.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2UGSDs2wbeHvNo+ti7KfUgcp6odCBx3+AtZoFdtuoYmT0s3BtvBa9lSsrGmMwolUnd6A9GO4ogsfZTQv0fx1tCE+tCS8n5yn2y32yZkKVRTI6PXAKj4Jw6D1DzbmT0bkpmyX6j1VRf3TkP+fJ2pVp9G8bZ8s1+zdBV0/4mcPnUl5E5KfiIjv4CKzU4lMMw/jpkQOFRNZxhv+lHge8X+acP3BQgN0EBzbCFb82DIIqOK1UfaXDdMOFSAXm0Ux4ZhUzjlVubGHzekBPz8+CvZIkUXB+avH7ihIWDw1TLZZnXWd8XO+QlOKZr2iqoZzl/++lnT/R3WGicBSsxIVVjTcdGHshyNl50woIssh3RnElLvP5hJAMl78ecLxCiNyU4/htijCWhOsFgwLceN7bZQ92jo0NTwSHfJohZLm4qVEPFi54l7+u9i5JoZfAvwgVU4rcmtlaRRg1UpdtStAQBZJX3HIBMs0W5fiJ10xYZ0IQC941FC8SAtcnA38wVd2XMSlDapzfxVDin42xlWu/v9WODtAQ3NcXtXmt8haV2pUqIx+zJYav1w4IMKYf1zOJMcYgwo4beAnMBeG4Ddwgxu72Cm/P0NP6WFPbvd4x72qmmd6ZOR05fJu1FvIx1kwvZTm65+I5OkbkNNhO9zMzhdEoG9tjWxPOBdE742jngYdz4U=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM3P110MB0234.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(110136005)(33656002)(26005)(66556008)(99936003)(75432002)(186003)(8676002)(8936002)(64756008)(2906002)(5660300002)(66446008)(966005)(83380400001)(53546011)(4326008)(6506007)(6512007)(71200400001)(498600001)(66616009)(66476007)(76116006)(6486002)(66946007)(86362001)(2616005)(956004)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: LuuK4xAaTgPwI7Sb++zWdnf/A12mYiGtIscZLPAlQlWCncZUj/OMlECpIt+HTzTwydG7wOge6oVze20SxP3FTRyNO/zB6rlWOmq2vHGnQCrkMyu9Pt/tY/v9WqnIxCU4nfMJSjWRtabedfT34oS2BnWLRkIU44Z5UG3ew24E2A2KCyb8/b8gVEfcfstICBw/LAZizXZXeAhfYzrvWMOO+dB0/kSS9fcKNTstnRC+mUalhobZAJq/Wsjzd67e5MN8iW9/T2du1Q8nshsi3MBi69Zn00kvIJ+9E5vFJTiGT6nwlqpk8X9c90Y3EGRadF1QngYr4dGODVzwSWaGbzQWQI9DSwCYsA/AqET5cO81j2i+0nkIZbCqlTHcWEiLDKDSzpltKqE8chmST6LMsqVeo5g3rH8s8v3DJQOfZbP+RD58o4pQVlxlopx7jXcVCk3ryg2Jdnz76Lj29MGHlSaWfm4lsFL+D+1ds/BGXEUHN2YifroPzJbZl4Abmjur1tQjgvGgAq6RUas3bFjl8M6CVHwEPNh5MKltmkVCOQprDi4/EGigL93iKQW3YouNS9516DCjSc5ZdvssIL1dLQ8VFmfbye6h4n4NRys52VkUDhrqWPouZnkosDWl+qf3Fjx6AQeZDwkZKhcJKsV6mPnq/1YyEt5LTOI6rkhwq1rWtNiiyJ0YYazfSERcgCQB/MJWXivBr+IIhUL2Xl1s2elNOQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3696094412_2008526837"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM3P110MB0234.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: daf4b6ea-7480-4f37-f1ca-08d8d08b587c
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2021 01:53:37.5120 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: AMbE15fX+8iEPbdOwAfi2W1uUogbxfk3tE3n18ocrTedRTcV1PgTyhBGTryppeFH
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3P110MB0556
X-OriginatorOrg: ll.mit.edu
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.737 definitions=2021-02-13_02:2021-02-12, 2021-02-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2009150000 definitions=main-2102140010
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/C7iDcQeKkuFgAVJPGcCmF9RmBSU>
Subject: Re: [CFRG] Fixing the multi-shot API of HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Feb 2021 01:53:48 -0000
Strictly speaking, AES-GCM-SIV does *not* need a nonce, given that the bounds (how many messages of what size are secured with the same key) are observed. I found that a very useful property. Not everybody needs that, and not always - but it's like "you don't need it, until you *really* need it". -- Regards, Uri There are two ways to design a system. One is to make is so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies. - C. A. R. Hoare On 2/13/21, 07:29, "CFRG on behalf of Dan Harkins" <cfrg-bounces@irtf.org on behalf of dharkins@lounge.org> wrote: Hi Karthik, On 2/13/21 3:10 AM, Karthikeyan Bhargavan wrote: > Hi Dan, > > I don’t fully understand the problem you are alluding to. > >> "It is up to the application to ensure that encryptions and >> decryptions are done in the proper sequence, so that encryption >> and decryption nonces align.” > The HPKE stateful API guarantees that nonces cannot be misused, even if you use AES-GCM or Chacha-Poly. (Of course, you could also add a SIV ciphersuite.) > Furthermore, it guarantees that the stream of plaintext messages received by the decryptor is a prefix of the stream of plaintext messages sent by the encryptor. It's not an issue of misuse, it's an issue of the sender and receiver contexts getting out of sync through entirely normal network behavior and becoming unusable. > In the current design, if two ciphertexts are decrypted out-of-order, both decryptions will fail. > So the problem alluded to in the text above is one of functionality; the application has to ensure (using some meta-data) that it is calling decrypt in the right order. > The application usually has to do something like this anyway to put the plaintext stream together. > > I do not see how using AES-GCM-SIV is going to solve the above issue; yes, it would allow you to decrypt the plaintext in any order, but the HPKE receiver would not be able to authenticate the correct order. > Am I missing something? AES-GCM-SIV requires a nonce (although reuse is not tragic in the way it is for GCM) so there still needs to be some guarantee that the nonce plugged into the receiver is the same as the one plugged into the sender when the ciphertext was created. This is a proposal for AES-SIV (defined by Rogaway and Shrimpton) which can do deterministic AEAD (it can also be passed a nonce to be more like a traditional AEAD mode, albeit slower, but that's not what I'm proposing here). No nonce so nothing to worry about getting out of order. Regarding the correct order, for a streaming application yes that's true. The correct order would still be needed and whatever technique you use to ensure that decrypted packets get ordered correctly could probably be used to ensure that packets are decrypted in order. But there are other interesting applications of HPKE that are not streaming and each message can be thought of as self-contained. Imagine a sensor obtaining some environmental data and then sending it off to a server for correlation and processing every <time slice>. It would be quite easy for such a sensor and server to get their HPKE contexts out of sync and that would be a real PITA. regards, Dan. > -Karthik > > > >> On 13 Feb 2021, at 00:29, Dan Harkins <dharkins@lounge.org> wrote: >> >> >> Hello again, >> >> The HPKE spec defines a single shot API for doing things like key-wrapping. >> You pass in the recipient's public key and some plaintext and get back a >> ciphertext. And that's it. One and done. >> >> There is also (what I'll call for lack of a better word) a multi-shot API. >> The idea here is that there's a single asymmetric crypto operation involving >> the recipient's pubic key to derive some state that resides in an opaque HPKE >> context and then multiple calls to encrypt distinct plaintexts. The state >> created includes a base nonce and a sequence number (initialized to zero). >> Each call to another encryption (decryption) increments the sequence number >> which is xor'd with the base nonce and passed to the AEAD algorithm. The HPKE >> APIs take a plaintext, and AAD, and produce a ciphertext, and vice versa. >> >> This multi-shot API is fine if your world is Guaranteed In Order Delivery >> of Packets but that's not the world we all live in. As such, it'll only >> be a matter of time before the sender and receiver are out of sync. The >> HPKE draft alludes to this problem this way: >> >> >> >> Well that's a pain! One of the nice things about HPKE is that one doesn't >> need to worry about the nitty gritty of crypto state management anymore, >> it's all hidden. The API is nice and clean-- pass in a plaintext and get a >> ciphertext, pass in a ciphertext and get a plaintext. >> >> If there was an AEAD mode that did not require a nonce it could be used >> in HPKE's multi-shot API without need for the application to manage state >> and guarantee the parties stay in sync. Thankfully there is such an AEAD >> mode: AES-SIV (RFC 5297). >> >> When I brought this up earlier (and also on github) in the context of >> misuse resistance the response was, there's an export-only API that will >> give you a secret and you can go do any AEAD mode you feel like, including >> AES-SIV, issue closed. >> >> While that is technically true, it applies equally to the AEAD functions >> that HPKE already defines-- you can export a secret and do AES-GCM-256 >> outside of HPKE while managing the necessary state yourself. Yet HPKE >> defines AEAD functions whose state resides in an opaque context so there >> is obviously value in having that functionality. I just want to get that >> value-- a clean, multi-shot API where I don't need to worry about managing >> state or guaranteeing people remain in sync-- for people who don't live >> in the world of Guaranteed In Order Delivery of Packets. >> >> So I'd like to ask the group whether they see value in having a nonce-less >> AEAD mode in HPKE. If so I'll be happy to resurrect the text changes I >> proposed and will be happy to contribute test vectors from my HPKE >> implementation which already does AES-SIV. >> >> One issue is that there are different security properties for a >> deterministic authenticated encryption scheme than for a probabilistic >> scheme. This is discussed in [1] and the security considerations would >> have to mention this. But I don't see that as a formidable problem. >> >> regards, >> >> Dan. >> >> [1] Rogaway and Shrimpton, "Deterministic Authenticated Encryption", >> EUROCRYPT, 2006 >> >> -- >> "The object of life is not to be on the side of the majority, but to >> escape finding oneself in the ranks of the insane." -- Marcus Aurelius >> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius _______________________________________________ CFRG mailing list CFRG@irtf.org https://www.irtf.org/mailman/listinfo/cfrg
- [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Karthikeyan Bhargavan
- Re: [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Fixing the multi-shot API of HPKE Richard Barnes
- Re: [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Richard Barnes