Re: [CFRG] RGLC on draft-irtf-cfrg-dnhpke-03

Richard Barnes <rlb@ipv.sx> Fri, 08 December 2023 15:10 UTC

References: <ZXLgeY4p2-8_j5mB@LK-Perkele-VII2.locald> <20231208142825.A8F7D608E2@jupiter.mumble.net>
In-Reply-To: <20231208142825.A8F7D608E2@jupiter.mumble.net>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 08 Dec 2023 10:10:42 -0500
Message-ID: <CAL02cgRZzoT3qut7Ar_Y1sbdHW3T+46DD4kx0YnL9T=ix+DYFw@mail.gmail.com>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KHJcF49v4KoOUyA7r77NHL8eqlg>
Subject: Re: [CFRG] RGLC on draft-irtf-cfrg-dnhpke-03
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Fri, Dec 8, 2023 at 9:28 AM Taylor R Campbell <campbell+cfrg@mumble.net>
wrote:

> I haven't followed the whole thread here and I have no comment on HPKE
> in lossy networks, but in general DAE supports this use case easily:
> You can put a message number for replay detection in the header
> (associated data), or even keep it secret in the payload.
>
> DAE just obviates the need for a _separate_ fixed-size nonce parameter
> in the cipher that requires your message number to be shoehorned into
> a particular format, and serves to mitigate the damage if the sender's
> counter is reset to zero, e.g. in a VM rollback or a backup restore.
>

Conveniently, HPKE also obviates this need.  The nonce is computed as
(base_nonce XOR seq), and the base_nonce is known to both parties, so you
only need to communicate the sequence number.  Or, as Thomson points out,
enough bits of the sequence number to account for your loss/reordering
tolerances.

As for mitigating damage in the event of sender state loss: AES-GCM-SIV
also meets this brief, without the need for fundamental changes in the HPKE
security model.

--Richard
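A worked illustration of the two points above: HPKE's nonce is base_nonce XOR seq, so the sender only has to convey the sequence number, and only as many of its low bits as the expected loss and reordering require. This is an added example, not code from the thread or from any HPKE implementation. It assumes a 64-entry anti-replay window, an 8- or 16-bit truncated sequence number on the wire, a constructed arrival order with loss, reordering and a duplicate, and the base_nonce from the RFC 9180 Appendix A.1.1 test vector; comparing the receiver's derived nonce with the sender's stands in for the AEAD open that would fail when the sequence number is reconstructed wrongly.

```python
"""Added example (not from the thread): HPKE's ComputeNonce (RFC 9180 Section 5.2)
plus a receiver that recovers the full sequence number from a truncated one and
rejects replays. Window size, truncation width and the arrival order are
constructed for illustration."""
from typing import List, Tuple

NN = 12                     # Nn for the AES-GCM and ChaCha20-Poly1305 AEADs in HPKE
SEQ_LIMIT = 1 << (8 * NN)   # seq must fit in Nn bytes

# base_nonce from the RFC 9180 Appendix A.1.1 test vector (X25519, HKDF-SHA256, AES-128-GCM)
BASE_NONCE = bytes.fromhex("56d890e5accaaf011cff4b7d")
# Constructed arrival order: 3 and 4 arrive late, 3 is duplicated, 100 is far behind,
# and the gaps to 200 and 400 exceed what 8 bits can disambiguate but 16 bits can.
ARRIVALS = [0, 1, 2, 5, 3, 3, 4, 200, 100, 400]


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """RFC 9180: ComputeNonce(seq) = base_nonce XOR I2OSP(seq, Nn)."""
    if len(base_nonce) != NN:
        raise ValueError("base_nonce must be %d bytes" % NN)
    if not 0 <= seq < SEQ_LIMIT:
        raise OverflowError("MessageLimitReached")   # the RFC's error for seq overflow
    return bytes(b ^ s for b, s in zip(base_nonce, seq.to_bytes(NN, "big")))


def truncate_seq(seq: int, bits: int) -> int:
    """What the sender puts on the wire: only the low `bits` bits of seq."""
    return seq & ((1 << bits) - 1)


def reconstruct_seq(truncated: int, bits: int, expected: int) -> int:
    """Full seq congruent to `truncated` mod 2^bits that is closest to `expected`
    (the receiver's highest accepted seq + 1), as in QUIC packet-number decoding
    (RFC 9000 Appendix A). Correct only while |true_seq - expected| < 2^(bits-1):
    that bound is the loss/reordering tolerance the truncation width buys."""
    win, hwin = 1 << bits, 1 << (bits - 1)
    cand = (expected & ~(win - 1)) | truncated
    if cand <= expected - hwin and cand < SEQ_LIMIT - win:
        return cand + win
    if cand > expected + hwin and cand >= win:
        return cand - win
    return cand


class ReplayWindow:
    """Sliding anti-replay window (RFC 4303 style): each seq is accepted once,
    and reordering is tolerated up to `size` behind the highest seq seen."""

    def __init__(self, size: int = 64) -> None:
        self.size, self.highest, self.bitmap = size, -1, 0   # bit i set <=> highest-i seen

    @property
    def expected(self) -> int:
        return self.highest + 1

    def check(self, seq: int) -> str:
        if seq > self.highest:
            return "ok"
        behind = self.highest - seq
        if behind >= self.size:
            return "stale"
        return "replay" if (self.bitmap >> behind) & 1 else "ok"

    def mark(self, seq: int) -> None:
        """Call only after the AEAD tag verified, so forgeries cannot poison the window."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def simulate(bits: int, arrivals: List[int], base_nonce: bytes) -> List[Tuple[int, str]]:
    """Sender transmits truncate_seq(seq, bits); the receiver reconstructs seq and
    derives the nonce. Equal nonces stand in for a successful AEAD open."""
    window, results = ReplayWindow(), []
    for true_seq in arrivals:
        wire = truncate_seq(true_seq, bits)
        seq = reconstruct_seq(wire, bits, window.expected)
        verdict = window.check(seq)
        if verdict == "ok":
            if compute_nonce(base_nonce, seq) == compute_nonce(base_nonce, true_seq):
                window.mark(seq)
            else:
                verdict = "nonce-mismatch"   # decrypt would fail: gap exceeded 2^(bits-1)
        results.append((true_seq, verdict))
    return results


if __name__ == "__main__":
    for width in (8, 16):
        print(width, "bits:", simulate(width, ARRIVALS, BASE_NONCE))
```

With 8 wire bits the jump from 200 to 400 is reconstructed as 144 and the nonce no longer matches, which is exactly the "enough bits for your loss tolerance" trade-off; 16 bits handles the same arrivals cleanly. The window is only advanced after the nonce check succeeds, mirroring the rule that a receiver must not update anti-replay state on packets whose tag has not verified.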