IETF Logo Mail Archive

Re: [CFRG] HPKE and Key Wrapping

Christopher Wood <caw@heapingbits.net> Wed, 30 March 2022 15:17 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A85AD3A080F for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 08:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=Y53YDZn8; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=IhFg1e0t
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUNsi8XDqKTs for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 08:17:05 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CBAD3A080B for <cfrg@irtf.org>; Wed, 30 Mar 2022 08:17:05 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id B19075C0070; Wed, 30 Mar 2022 11:17:04 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163]) by compute3.internal (MEProxy); Wed, 30 Mar 2022 11:17:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=cc:cc:content-transfer-encoding:content-type:date:date:from :from:in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; bh=+WXV9IXscigPMQ iErBrY6/UUpxrSfb9YeuinV+syrk4=; b=Y53YDZn8WV6SQaFe1FdbaSm3P9Hjpd qurEaas1C+ujxib02myytAFTEEshq/TEbHU1FZIO9k///q67ff+YY9EvUFUfdOec L7Mu0oFoAd5nF+cHAJLeHaU+mtHJcMkBsUWqMlCcYH3s6As6pVDAtrutNfA2QJHW +1cZWsgzswigzMMZW8L7QxskrDMDGeb8Q2KhiKD4HR3QkspSZ26pr1c1dJguWg5D HFJdmpobxWS3Krk9GzpU6HHFyJWu18N4IpGgbk8lweljRBqUCdy75sV9/hgCgGk+ 3MQFIH8KY7WUbZyfp7nV8NJ3MjdscMR4T7FOOJDldNCkM7WO5OVxIQjQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=+WXV9IXscigPMQiErBrY6/UUpxrSfb9YeuinV+syr k4=; b=IhFg1e0tiE1FRFDXGwOYNTb81drUOGyxlTR7msdZIGKIpNiZTgDSMwZA3 8NvctfW1BKghlxdzVLrX+bPyWA5P5z0GTw6GAhxRjh6qKfqQ4HG9QL/lLKJsbwc3 hMg2pwuw7NxSW4t+FJHPUXg6x8LdSqQ4nU+OwecHC/A9tVgm8RM5PjM9cCk2PPVq +UyAAVOwnQIvuqX5S6DtNSWMbiA4NWzipndMW+2BriGZZewvaLrnN7bWp0346tXA jhst9FW/iqyoyGM1/pPtZ2XQyAfRdlIYKbzAOdcSHeSO4XwsDyVKrSqUHg8WeXXC uIcVfuY6LMmOSFyxJwrM1BQ7Ks/tA==
X-ME-Sender: <xms:cHREYi5pxpo2dPkt8ymx5oQxCCNIJhqtFqFFXk42xfOzJv0frEQq4Q> <xme:cHREYr44WEvWJYNoNEx4XsbdLKqjZklWY_0LHQ94mWlpi1HErus1qYiKN9qYlyRC2 XZduE5sLAIIUSR7UUk>
X-ME-Received: <xmr:cHREYhc1E2Jn5oALCLtEsySt920UBRWU5wJF1va04X5jaFr1t4HJdA1WKXqW2r0FRkBV1NYCWU5FxniukBmvPYJTklabztKB7w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddrudeivddgkeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtjeenucfhrhhomhepvehhrhhi shhtohhphhgvrhcuhghoohguuceotggrfieshhgvrghpihhnghgsihhtshdrnhgvtheqne cuggftrfgrthhtvghrnhepvddvffeuieeifefgudfgleefgeffteelffelgffgueegheeg ffdttdefudeiuddvnecuffhomhgrihhnpehutggurghvihhsrdgvughupdhfihhrvggvhi gvrdgtohhmpdihphdrthhopdhirggtrhdrohhrghdpghhithhhuhgsrdgtohhmpdgrughv rdhphidpihgvthhfrdhorhhgpdhirhhtfhdrohhrghenucevlhhushhtvghrufhiiigvpe dtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhn vght
X-ME-Proxy: <xmx:cHREYvKw9ysKqz8a7oCpo3hHqikn6WnP901Y8Db-iVudl4axRUN9mA> <xmx:cHREYmKHy3irzcQuYRUGOFI_8QbnWOqaoEnBNsy_sUzvpobPgb-myQ> <xmx:cHREYgxNiZVsn9e25703CrXNiuHx0V229AGIEeRzBwMmltOKaaAFKQ> <xmx:cHREYogoJX61alI8PHBJe2eRsz5gvEe8Zt-Vl_aBJGQgICn9Ohocxg>
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 30 Mar 2022 11:17:03 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Christopher Wood <caw@heapingbits.net>
In-Reply-To: <HE1PR0701MB30507A04EBAF0D19FC481DD9891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Date: Wed, 30 Mar 2022 08:16:58 -0700
Cc: Taylor R Campbell <campbell+cfrg@mumble.net>, IRTF CFRG <cfrg@irtf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F4AABC95-650A-4C9D-A1E9-06F2E7E5D5DA@heapingbits.net>
References: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <20220330102724.C64F260BA2@jupiter.mumble.net> <HE1PR0701MB30507A04EBAF0D19FC481DD9891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/HCGXbYCUsU-9xqBXfmJJp5Wzu6Q>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 15:17:12 -0000

Apologies if I’m misunderstanding something here, but this threat model seems somewhat convoluted. In particular, it assumes an adversary that controls the RNG, and therefore key schedule state as well. The AEAD key and nonce are both derived from this state. However, the DAE security model from [1] assumes the attacker controls the message header and message itself, but not the key. (For MRAE, it assumes the attacker also controls the nonce/IV.) So it’s not clear to me why SIV or similar modes would offer meaningful improvements over the existing HPKE AEADs under the assumption that the attacker controls the nonce and key. Can someone help clarify what I’m missing?

Thanks,
Chris

[1] https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.html

> On Mar 30, 2022, at 4:46 AM, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Thanks Taylor!
>  
> Then it seems to me that AES-256-SIV and AES-512-SIV are the AES-based modes that should be added to HPKE to enable key wrapping security independent of the RNG. These are exactly the two AEADs suggested by draft-harkins-cfrg-dnhpke-01. Key wrapping mechanisms have in the past aimed to provide security even in the case of compromised RNG but it would be interesting to hear if someone think that property is needed in this case.
>  
> Cheers,
> John
>  
> From: Taylor R Campbell <campbell@mumble.net> on behalf of Taylor R Campbell <campbell+cfrg@mumble.net>
> Date: Wednesday, 30 March 2022 at 12:29
> To: John Mattsson <john.mattsson@ericsson.com>
> Cc: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
> Subject: Re: [CFRG] HPKE and Key Wrapping
> 
> > Date: Wed, 30 Mar 2022 08:51:44 +0000
> > From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
> > 
> > How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do
> > we need both algorithms in the future? Does AES-GCM-SIV with a fixed
> > nonce provide the same properties as nonce-less AES-SIV or is there
> > a difference?
> 
> There is a fairly substantial difference.  In the Daence paper I drew
> a table of advantage bounds for AES-SIV and AES-GCM-SIV, using the
> best formulae I could find (with the function/permutation-switching
> lemma of https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-a129ecc550c2c3ad&q=1&e=117ce771-01cf-4d9c-aa89-a8b4b42eab86&u=https%3A%2F%2Fcr.yp.to%2Fpapers.html%23permutations that gives better
> bounds than the conventional q*(q - 1)/2 used in most papers):
> 
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-fc96309953b1fcfb&q=1&e=117ce771-01cf-4d9c-aa89-a8b4b42eab86&u=https%3A%2F%2Feprint.iacr.org%2F2020%2F067.pdf%23page%3D5
> 
> Smaller advantage bounds, i.e., larger values of n in the 2^-n terms,
> are better.  1 means no advantage bound has been proven at all for
> these parameters.
> 
> This table was computed using the logic at
> 
> https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-ab6fc8eec24511fa&q=1&e=117ce771-01cf-4d9c-aa89-a8b4b42eab86&u=https%3A%2F%2Fgithub.com%2Friastradh%2Fdaence%2Fblob%2Fmaster%2Fadv.py
> 
> which cites the sources in the literature I used for the formulae.
> You can reuse the same logic to recompute bounds for different message
> sizes/numbers if what you're looking for isn't in the table, of
> course.
> 
> It may be worth noting that the security advertisment in RFC 8452 for
> AES-GCM-SIV explicitly discourages nonce reuse even between different
> users (different keys), which means you should even avoid the policy
> of sequential message numbers that, e.g., TLS 1.3 uses with AES-GCM to
> rule out a class of attacks:
> 
> https://datatracker.ietf.org/doc/html/rfc8452#page-12
> 
> The bottom line is that AES-GCM-SIV is designed for randomized nonces,
> with some level of protection if your RNG fails.  In contrast, AES-SIV
> is designed for security without nonces at all, and is particularly
> well-suited to key-wrap, which should come as no surprise since that's
> what it was designed for originally, as sung in Appendix F of:
> 
> https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.html
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email