Re: [Cfrg] hpke encoding of DH output

Christopher Wood <caw@heapingbits.net> Thu, 20 August 2020 18:43 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C8383A12C8 for <cfrg@ietfa.amsl.com>; Thu, 20 Aug 2020 11:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=E1P18dpz; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=K3HMi+S4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A99EyKgLygTu for <cfrg@ietfa.amsl.com>; Thu, 20 Aug 2020 11:43:39 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5173A07A9 for <cfrg@irtf.org>; Thu, 20 Aug 2020 11:43:39 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 3BEBFE89 for <cfrg@irtf.org>; Thu, 20 Aug 2020 14:43:38 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Thu, 20 Aug 2020 14:43:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=LMgUOVZZ8kwKp4OCE5kIRTgPomruitz xx6tL/cxWM0M=; b=E1P18dpzw4z83Ue897eGQrdLLvfXdLD7f8wRcUXsY3qanNO Vs+pxYvMvM+7nd8zeIa2+AUspdc1FmyuMN/2rZF9TdLoKYvYDeUmFkk553WseeqZ 6EB/YWyXhs+DUrVPIa1y9sZPjkc4nohP6mSDOaBEv1HXoAp29OZoJow5hwU3Ohga zSnLmofMhF3soBTsj2/DeBaOQ6L8J3d8M0IvVoGCrhxmNqHrrK4i419ZGjhgMTVU DYWzMDN1TT7XQTdpNBlQiVhoXXTi1WILmpJUe9kGNGbsME/PHG5WpQew6vI9+mTc 7kFPxlyqyn56Yn/VvY9iYXTN3R8Fhy63h+XhhaQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=LMgUOV ZZ8kwKp4OCE5kIRTgPomruitzxx6tL/cxWM0M=; b=K3HMi+S4kotz6jFEu9mvAQ TRPDLxiQHLPmcBTbIJnQyWLuhmA1Kb2Otr6ZWvL1/beNWa7C0kLEAzEwPHsna3FT 3vf3zQWtk3o4hQHlDKRejHtk18l+qGWFIqAZ5lYtXKzzSqi0/s/xwdcj4r8Mgl6z yI+3ZVoLDQgN1Y/qU+FKOiNYHDFudWy2Mh5SGJM5yMbYUDQ+H4y1GIpXMpfgJmnv 84I896Z+JaXreR+Y+JsSgKnDEAtdhkvpyCnUEvep5EvH+Xmgsl2xAFLurf+Td9Qp 6/HnzM8h73g5on7hATTN+o5k0F8wMBvkL759CfmpKWgzfbpIw72xKPkOJslhooFA ==
X-ME-Sender: <xms:WcQ-X2x7vUov9ZyvTB8qcD750ehYuI9ZDVxwRFw1OSyfyNFukyX-2w>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedruddutddgjeegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucgfrhhlucfvnfffucdlqdegmdenucfjughrpefofg ggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgv rhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqeenucggtffrrg htthgvrhhnpedtveeugfefgfevueelvdfgkeejgfeuleekfeelfedtkeevheefheeltedt tdeujeenucffohhmrghinhepghhithhhuhgsrdgtohhmpdhnihhsthdrghhovhdpshgvtg hgrdhorhhgpdhirhhtfhdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgr mhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:WcQ-XySxFsdMLnpF-ZGjvqtKKOPaDSsYBjDl6zTgEwZY6HOAya1vJg> <xmx:WcQ-X4UcYKTU6jx-LRKr6bHManHhN0PKpQuvy4iLJdQ-3JmNI1Kc8w> <xmx:WcQ-X8gOCzwDeHhw9cd9iCkrTJENwAXYp_-ZMEg_frQUbclYQTwE8Q> <xmx:WcQ-XwzexKRTM2-nRFdoGhqA2Y42GvpJZv-iDTLum-KFiWyyuClf-Q>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 9FCC73C00A1; Thu, 20 Aug 2020 14:43:37 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-214-g5a29d88-fm-20200818.002-g5a29d882
Mime-Version: 1.0
Message-Id: <9fc1db17-3f9d-4d32-b4a6-1c4e807a8321@www.fastmail.com>
In-Reply-To: <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
References: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie> <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
Date: Thu, 20 Aug 2020 11:43:16 -0700
From: Christopher Wood <caw@heapingbits.net>
To: cfrg@irtf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/J_kYBLg1JmLodiBOoQ_z0_M4M-o>
Subject: Re: [Cfrg] hpke encoding of DH output
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 18:43:42 -0000

On Thu, Aug 20, 2020, at 11:29 AM, Richard Barnes wrote:
> Hi Stephen,
> 
> I think you're right here.  I just re-checked both the NIST and SECG 
> specifications for ECDH [1][2], and they're in agreement that the 
> secret value is the X-coordinate.  I'll work with my coauthors to get 
> this implemented.

A proposed fix is here:

   https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/148

Thanks,
Chris

> 
> --Richard
> 
> [1] Section 5.7.1.2 of 
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
> [2] Section 3.3.1 of https://www.secg.org/sec1-v2.pdf
> 
> 
> 
> On Thu, Aug 20, 2020 at 2:04 PM Stephen Farrell 
> <stephen.farrell@cs.tcd.ie> wrote:
> > 
> > Hi,
> > 
> > I ran into an interop problem with draft-05 that I think is
> > worth bringing to the list.
> > 
> > Draft-05 says:
> > 
> > "For the variants of DHKEM defined in this document, the
> > size Ndh of the Diffie-Hellman shared secret is equal to
> > Npk, and the size Nsecret of the KEM shared secret is equal
> > to the output length of the hash function underlying the
> > KDF."
> > 
> > What that means is that, for the NIST curves, the DH
> > value (used to be zz I think) is represented as a public
> > key in uncompressed form. My code uses the OpenSSL
> > EVP_PKEY_derive() function (same as it did for draft-02)
> > which only gives me the X co-ordinate, and OpenSSL doesn't
> > seem to have an easy way to get the uncompressed version
> > from that. I don't know, but I'd guess that other libraries
> > might be similar. In draft-02 only the X co-ordinate was
> > used btw, and I don't recall this change being brought
> > up on the list.
> > 
> > I don't think there's any security benefit in treating
> > the output of the DH operation as a public key. If there
> > were, then I'd be fine with changing to use lower level
> > calls to do the DH operation. But that seems a bit wrong,
> > so I'd argue that we'd be better to not treat the DH
> > shared secret value as a public key when encoding that.
> > 
> > Separately, it'd be good to add those values to the
> > test vectors - took me a while to find this - in the
> > end I had to add more tracing to the go implementation
> > to spit out these values.
> > 
> > Lastly, even if we don't make a change, it'd be good
> > to add text to clarify this, but I think I'd prefer we
> > make the change if there's no security downside.
> > 
> > Cheers,
> > S.
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>