IETF Logo Mail Archive

Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Neil Madden <neil.e.madden@gmail.com> Mon, 02 October 2023 14:08 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57DE0C1519BC for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 07:08:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HbSUrsC7i0iG for <cfrg@ietfa.amsl.com>; Mon, 2 Oct 2023 07:08:19 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97047C1516E2 for <cfrg@irtf.org>; Mon, 2 Oct 2023 07:08:19 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id ffacd0b85a97d-3200b181b67so2520938f8f.0 for <cfrg@irtf.org>; Mon, 02 Oct 2023 07:08:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1696255697; x=1696860497; darn=irtf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=wwFPHjZ0SquEbQhO1D8TFcIIb8yGj2ix0K+LwL4VgqY=; b=YiWYz5TKiFE/ybdx8LSuDzw+HfZnHTaUVCMF4jTMlfvvW0kg0CKNG4e9iK0/WUkUW8 4kxBcfVvDKw/4eg2IvoerkLUmCc++OezD+cBgt4x6b5azWzZrObBsUO2Wqc9AcAS4fsj sZc0h4yzIrKBcgDKjf33alfGEbZE4/BpK2UTT37garYLvy/PXOYoE+SkZdPlPT/eNixf kKcct42XW8y03DfNXY7tlEW72tdERENEOiEl5ezUicNrcUPqdL6WgGoVYLi72j/77Ytv 9UNOhVBTYwiXb6YBIwcI3eb705sD71p46M5/7ZDsaB8fCh1yicZYLy9Xu9APfv2Gb+UM KJ5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1696255697; x=1696860497; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wwFPHjZ0SquEbQhO1D8TFcIIb8yGj2ix0K+LwL4VgqY=; b=LKNqiGT/yIkixj7nCdSvvCyif4Fkl4oKgfm2OdV9x8SzKvFR1MwNxDgClTazqr7cgy zsPE4gjXiBCNN0cuQihPO3rgB2w0iyw6X56l0HOc5MQCzzsZhj1ja5Ys/TqVvLkT+bTj YXqZKDcEjVaGz4cLD438f93b+hq9meLd9KzgbyvX0zvqGj3QAwJirJ28AXTEucJZ27F1 ijd7CFflCmoWH1CB+fLdnrmqsE+is9QpKuHuKh46jUR0SN4WvOcYbMHpdLjkLW9I5Kao YFp2sij5K1P4hN1pBHzv1pMilg6QNBf35eMlbBXQ+3mtfXH2IIKCs6Cmu4GxnrXM/u71 WHQA==
X-Gm-Message-State: AOJu0Yw3wOlkqpIqU7jQRuKm2iArK33TuW6+lOfHklR9jC5VwpatVRah UpEG7lEMdmXF41x4+DhUWZE5Thc4xFeZtA==
X-Google-Smtp-Source: AGHT+IFSnC0cszLIAhLuWRi4CvYeqQZQh4ZSUCLtDGTEvaVVFUaOOrNa1ho6SBnc9GQ1fW+6G2JQ1w==
X-Received: by 2002:a5d:49c2:0:b0:317:5f08:32a3 with SMTP id t2-20020a5d49c2000000b003175f0832a3mr9810901wrs.6.1696255697060; Mon, 02 Oct 2023 07:08:17 -0700 (PDT)
Received: from smtpclient.apple ([213.31.127.176]) by smtp.gmail.com with ESMTPSA id o30-20020adf8b9e000000b003231ca246b6sm22033758wra.95.2023.10.02.07.08.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 02 Oct 2023 07:08:16 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-6EBB9AE5-61CB-4D38-9EAB-45F7D78DFD53"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Mon, 02 Oct 2023 15:08:05 +0100
Message-Id: <1E5D6366-E327-44DD-A6EC-BBB046BD78DD@gmail.com>
References: <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, cfrg@irtf.org
In-Reply-To: <CAL02cgRUTNMf6vt1ppwQbO=UqXMY3ujfgsws8J7NnxfU-ZT8TQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: iPhone Mail (20G75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JF8KF_u61QWcD4OxWMruQq1SEdc>
Subject: Re: [CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2023 14:08:23 -0000

> On 2 Oct 2023, at 13:53, Richard Barnes <rlb@ipv.sx> wrote:
> 
> 
> EKR - I think the point is less procedural / adversarial than you're thinking.  The point of this thread is more seeking feedback for the experts on how to interpret the text in RFC 9180.
> 
> My interpretation of the question here is:
> - HPKE has been proven IND-CCA2 secure if the KEM and AEAD are IND-CCA2 secure
> - RFC 9180 makes no claims about the security of the construction if the AEAD is *not* IND-CCA2 secure
> - The request here is to register an AEAD algorithm that is affirmatively *not* IND-CCA2 secure (can't be, not even claimed to be)
> 
> So the question for the RG is -- Are folks OK with values being registered that do not meet the security requirements in the RFC?  Or does Specification Required truly mean that anything that is written down is OK?  Note that the expansive interpretation here would allow obviously insecure things, e.g., null ciphers or ROT13.  (Not saying this request is so obviously insecure, but it doesn't meet the RFC's security bar, and we should create a new, undocumented bar, so we're left with no bar.)
> 
> My personal analysis is that the expansive interpretation is risky, especially if we broaden the lens to CFRG more broadly.  In recent years, there has been a positive trend toward making crypto tools harder to misuse -- nonce-reuse-resistant AEAD, more rigid elliptic curves, etc.  In algorithm-agile schemes like HPKE, allowing algorithms that are not safe in context goes against this trend.  You wouldn't be able to have confidence your PKE is secure just because you're using HPKE with a registered algorithm, you would have to do a bunch of secondary research to verify that the algorithm is good.  This degrades the value of all the good vetting that CFRG does, because the consumer is left with uncertainty as to whether a given construction is safe.  My evaluation in this case is to avoid heading down this particular slippery slope.

I may be wrong, but my (admittedly mostly intuitive) understanding is that using a DAE scheme in this way would result in HPKE being IND-CCA2 secure, because the KEM ensures each message uses a fresh key. (ie is HPKE in fact IND-CCA2 if the symmetric scheme only provides *one-time ciphertext integrity* per Boneh/Shoup section 9.1.1 https://toc.cryptobook.us/book.pdf#page375 ?)

If so that would seem a safer relaxation of the requirement that rules out rot13 etc. 

— Neil

v2.23.0 | Report a Bug | By Email