Re: [Cfrg] hpke encoding of DH output
Christopher Wood <caw@heapingbits.net> Thu, 20 August 2020 18:43 UTC
Message-Id: <9fc1db17-3f9d-4d32-b4a6-1c4e807a8321@www.fastmail.com>
In-Reply-To: <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
References: <627dbf76-25c5-ae56-d602-d8cf2c63fb50@cs.tcd.ie> <CAL02cgQne5i-BDo_VbwFnUSkdMsRTJh0n19cVf+uEPnDL-kiWA@mail.gmail.com>
Date: Thu, 20 Aug 2020 11:43:16 -0700
From: Christopher Wood <caw@heapingbits.net>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/J_kYBLg1JmLodiBOoQ_z0_M4M-o>
Subject: Re: [Cfrg] hpke encoding of DH output
On Thu, Aug 20, 2020, at 11:29 AM, Richard Barnes wrote:
> Hi Stephen,
>
> I think you're right here. I just re-checked both the NIST and SECG
> specifications for ECDH [1][2], and they're in agreement that the
> secret value is the X-coordinate. I'll work with my coauthors to get
> this implemented.

A proposed fix is here: https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/148

Thanks,
Chris

>
> --Richard
>
> [1] Section 5.7.1.2 of
> https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186-draft.pdf
> [2] Section 3.3.1 of https://www.secg.org/sec1-v2.pdf
>
> On Thu, Aug 20, 2020 at 2:04 PM Stephen Farrell
> <stephen.farrell@cs.tcd.ie> wrote:
> >
> > Hi,
> >
> > I ran into an interop problem with draft-05 that I think is
> > worth bringing to the list.
> >
> > Draft-05 says:
> >
> > "For the variants of DHKEM defined in this document, the
> > size Ndh of the Diffie-Hellman shared secret is equal to
> > Npk, and the size Nsecret of the KEM shared secret is equal
> > to the output length of the hash function underlying the
> > KDF."
> >
> > What that means is that, for the NIST curves, the DH
> > value (used to be zz I think) is represented as a public
> > key in uncompressed form. My code uses the OpenSSL
> > EVP_PKEY_derive() function (same as it did for draft-02)
> > which only gives me the X co-ordinate, and OpenSSL doesn't
> > seem to have an easy way to get the uncompressed version
> > from that. I don't know, but I'd guess that other libraries
> > might be similar. In draft-02 only the X co-ordinate was
> > used btw, and I don't recall this change being brought
> > up on the list.
> >
> > I don't think there's any security benefit in treating
> > the output of the DH operation as a public key. If there
> > were, then I'd be fine with changing to use lower level
> > calls to do the DH operation. But that seems a bit wrong,
> > so I'd argue that we'd be better to not treat the DH
> > shared secret value as a public key when encoding that.
> >
> > Separately, it'd be good to add those values to the
> > test vectors - took me a while to find this - in the
> > end I had to add more tracing to the go implementation
> > to spit out these values.
> >
> > Lastly, even if we don't make a change, it'd be good
> > to add text to clarify this, but I think I'd prefer we
> > make the change if there's no security downside.
> >
> > Cheers,
> > S.
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
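The interop problem in the thread comes down to two different byte strings a P-256 implementation could hand to the KDF as the "DH shared secret": the 65-byte uncompressed point (0x04 || X || Y, Npk bytes, the draft-05 reading) or the 32-byte X-coordinate (Ndh bytes, what NIST SP 800-186 and SEC1 define and what EVP_PKEY_derive() returns). The following is an added example, not code from this thread, from the HPKE draft, or from PR 148: a minimal pure-Python P-256 (affine arithmetic, not constant time, for illustration only) that computes both encodings for the same ECDH exchange, and also shows why the X-coordinate alone does not determine the uncompressed form (every valid X has two candidate Y values). The function names, the two private scalars, and the Npk/Ndh constants are assumptions chosen for the demo; the curve parameters are the standard P-256 ones.

```python
# Added example: minimal P-256 ECDH showing the two candidate encodings of
# the DH output discussed on the list. Affine arithmetic, no side-channel
# hardening; the point is the byte layout, not a production implementation.

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

NPK = 65  # SEC1 uncompressed point: 0x04 || X || Y  (draft-05 reading of Ndh)
NDH = 32  # X-coordinate only (NIST SP 800-186 5.7.1.2 / SEC1 3.3.1)

# Constructed private scalars for the demo (not real keys, not test vectors).
SK_E = int.from_bytes(b"constructed ephemeral scalar", "big") % N
SK_R = int.from_bytes(b"constructed recipient scalar", "big") % N


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # P + (-P) = O (also 2P when y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def serialize_uncompressed(pt):
    x, y = pt
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def deserialize_uncompressed(buf):
    """Parse 0x04 || X || Y and reject anything that is not on the curve."""
    if len(buf) != NPK or buf[0] != 0x04:
        raise ValueError("not an uncompressed P-256 point")
    pt = (int.from_bytes(buf[1:33], "big"), int.from_bytes(buf[33:], "big"))
    if not on_curve(pt):
        raise ValueError("point not on curve")
    return pt


def dh_draft05_reading(sk, pk_bytes):
    """Draft-05 reading: the DH result serialized like a public key (Npk bytes)."""
    return serialize_uncompressed(mul(sk, deserialize_uncompressed(pk_bytes)))


def dh_x_coordinate(sk, pk_bytes):
    """NIST/SECG definition: the DH result is the X-coordinate (Ndh = 32 bytes)."""
    x, _ = mul(sk, deserialize_uncompressed(pk_bytes))
    return x.to_bytes(NDH, "big")


def y_candidates(x):
    """P == 3 (mod 4), so sqrt(v) = v^((P+1)/4). Both roots are valid points,
    which is why X alone cannot be turned back into 0x04 || X || Y without a
    sign bit: a library that returns only X has genuinely thrown Y away."""
    v = (x * x * x + A * x + B) % P
    y = pow(v, (P + 1) // 4, P)
    if y * y % P != v:
        return ()
    return (y, P - y)


def demo():
    """Run one ECDH exchange and return both encodings from both sides."""
    pk_e = serialize_uncompressed(mul(SK_E, G))
    pk_r = serialize_uncompressed(mul(SK_R, G))
    return {
        "x_only": (dh_x_coordinate(SK_E, pk_r), dh_x_coordinate(SK_R, pk_e)),
        "full": (dh_draft05_reading(SK_E, pk_r), dh_draft05_reading(SK_R, pk_e)),
    }


if __name__ == "__main__":
    d = demo()
    print("Ndh (X only): ", len(d["x_only"][0]), d["x_only"][0].hex())
    print("Npk (0x04|X|Y):", len(d["full"][0]), d["full"][0].hex())
```

Both sides agree under either encoding, so the failure mode is purely cross-implementation: a sender feeding 32 bytes to the KDF and a receiver feeding 65 bytes derive different keys and the AEAD open fails with no more diagnostic than a bad tag. That is why the request to put the intermediate DH value into the test vectors matters for implementers: it is the only place the mismatch is visible before the KDF mixes it away.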