Re: [CFRG] HPKE and Key Wrapping

Martin Thomson <mt@lowentropy.net> Wed, 30 March 2022 22:23 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/LgKWMHYptNQ8H7IKj3QYRmQAjbQ>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

On Thu, Mar 31, 2022, at 04:53, John Mattsson wrote:
> - The input to single-shot HPKE used for key wrap would be
> 
> ct = HPKE-single-shot-encrypt(pkR, random bits, aad, pt) 
> pt = HPKE-single-shot-decrypt(skR, aad, ct) 
> 
> where “random bits” are used in GenerateKeyPair(). 

I agree that this would not be secure if the attacker was even able to cause the same randomness to be used twice.

HPKE has a PSK input too.  Are you forgetting that option?  Given the setting, that is the more relevant mode to consider.