Re: [CFRG] HPKE and Key Wrapping

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 30 March 2022 18:10 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Martin Thomson <mt@lowentropy.net>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] HPKE and Key Wrapping
Thread-Index: AQHYQ0u7KP9IsmRXD0Kbvf1+Gh7oQ6zXFHKAgACQ5q+AAFO1gA==
Date: Wed, 30 Mar 2022 18:09:51 +0000
Message-ID: <101A36AA-CB1E-40D2-95EF-4FBA2DF2E9B0@ll.mit.edu>
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <HE1PR0701MB305054EA87D9754596E754AF891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB305054EA87D9754596E754AF891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CYWkfsPvL3bH2klSOlBmUJmrFy8>

> Key wrapping mechanisms have in the past tried to provide security even in the case of a compromised RNG and state. To keep that attack model, I think HPKE would need to be augmented with something like AES-KWP, AES-SIV, or AES-GCM-SIV.

+1

> AES-SIV may be better with nonce reuse than AES-GCM-SIV (based on Taylor’s analysis), but either one would be OK from a cryptographic point of view.
>
> I would personally choose the algorithm with the best properties over a NIST approval stamp (HPKE is not NIST approved either). I think it makes sense for CFRG to add AES-SIV and/or AES-GCM-SIV to HPKE.

I have to agree. It makes perfect sense to add AES-SIV and/or AES-GCM-SIV. (I could probably live with Deoxys-II-256 from the CAESAR competition as well.)

Unfortunately, the NIST approval stamp on cipher modes seems to have lost its relevance. Note that despite multiple requests, NIST has yet to “approve” a nonce misuse-resistant mode – so far they’ve been saying “no” or “we’re thinking about it”.   <Sigh>

Thanks!

From: CFRG <cfrg-bounces@irtf.org> on behalf of Martin Thomson <mt@lowentropy.net>
Date: Wednesday, 30 March 2022 at 02:32
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping
On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
> Would it make sense to standardize AES-KWP for HPKE or do CFRG believe
> that AES-SIV is the future of key wrapping? Irrespectively I think the
> CFRF should produce a good recommendation on how to use HPKE for key
> wrapping.

What is wrong with the existing HPKE cipher suites for protecting keying materials?  That is, aside from not carrying a NIST approval stamp.

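The property the thread is arguing about, shown as an added illustration that is not code from the thread, from HPKE, or from any AES-SIV / AES-GCM-SIV implementation: a toy SIV-style wrap built from HMAC-SHA256 (standing in for the PRF and the keystream generator, so it runs with only the standard library) keeps two wrapped keys private even when the nonce source is stuck, while a nonce-based stream-mode wrap of the kind HPKE's AEADs are built on leaks the XOR of the two keys as soon as a nonce repeats. Key and key-identifier values are constructed for the example.

```python
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32-byte keystream chunks


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, iv || counter) (toy PRF, not AES)."""
    out = b""
    for ctr in range((n + BLOCK - 1) // BLOCK):
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_wrap(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Nonce-based wrap: keystream depends only on (key, nonce), so a repeated
    nonce reuses the keystream, exactly the failure SIV modes are meant to survive."""
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def siv_wrap(mac_key: bytes, enc_key: bytes, ad: bytes, plaintext: bytes) -> bytes:
    """SIV-style wrap: the IV is a PRF of (ad, plaintext) and doubles as the tag.
    No random nonce is consumed; identical inputs give identical output (that
    equality leak is the whole price of misuse resistance)."""
    siv = hmac.new(mac_key, len(ad).to_bytes(4, "big") + ad + plaintext,
                   hashlib.sha256).digest()[:16]
    return siv + _xor(plaintext, _keystream(enc_key, siv, len(plaintext)))


def siv_unwrap(mac_key: bytes, enc_key: bytes, ad: bytes, wrapped: bytes) -> bytes:
    """Decrypt under the transmitted IV, recompute it over (ad, plaintext),
    and reject in constant time on mismatch."""
    siv, ct = wrapped[:16], wrapped[16:]
    pt = _xor(ct, _keystream(enc_key, siv, len(ct)))
    expected = hmac.new(mac_key, len(ad).to_bytes(4, "big") + ad + pt,
                        hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(siv, expected):
        raise ValueError("integrity check failed")
    return pt


def xor_of_keys_leaks(wrap_a: bytes, wrap_b: bytes, key_a: bytes, key_b: bytes) -> bool:
    """True when XORing the two ciphertext bodies yields key_a XOR key_b outright."""
    n = len(key_a)
    return _xor(wrap_a[-n:], wrap_b[-n:]) == _xor(key_a, key_b)
```

Run with a stuck all-zero nonce, `ctr_wrap` of two different keys under one KEK makes `xor_of_keys_leaks` return True, while `siv_wrap` of the same two keys returns False and still round-trips through `siv_unwrap`.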