IETF Logo Mail Archive

Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Thad Thompson <thad@litepipe.com> Mon, 08 April 2024 18:12 UTC

Return-Path: <thad@litepipe.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01A74C151547 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 11:12:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=litepipe.com header.b="Kyi8v016"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="dJvbctpr"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6gfXFZWcne8 for <cfrg@ietfa.amsl.com>; Mon, 8 Apr 2024 11:11:57 -0700 (PDT)
Received: from fhigh2-smtp.messagingengine.com (fhigh2-smtp.messagingengine.com [103.168.172.153]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84BBCC151072 for <cfrg@irtf.org>; Mon, 8 Apr 2024 11:11:57 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 90A501140131; Mon, 8 Apr 2024 14:11:56 -0400 (EDT)
Received: from imap51 ([10.202.2.101]) by compute3.internal (MEProxy); Mon, 08 Apr 2024 14:11:56 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=litepipe.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm2; t=1712599916; x=1712686316; bh=udZnp5OERN DxD8pewZJG1qv4oBg8ZK7EyWNpY/McYz4=; b=Kyi8v0166fjOzldvWAkU4GsBpQ 7iJZ3PjbXi8LnOTMvupFaLJR2Q//bJ3VhZMpOfhF21pbPl4sbiEntLBDR3lhFJ94 AxsXvQqszeMvP6YfeVMXzJWMcIE0PhqoHeru75UTMqdl4mD2xtGmZMFaVpcycfJj g+iENe7GJ3bQtyXp1mWTSX8MxBd8wBTWM1Zn/Z4jlGRECAt62XYk4tgKyuKcd0iG bkFL8iMpR7jfRL7ra9Ov7F01tojxc/PXQOVarxZw7ny39BbZRJkWOtveGSneFa48 20ZQeGqrHvZDCnnv8R3/hzcV8oU9q/p33S4KBQTl6c2Z1uFK/8eX6APH40uA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1712599916; x=1712686316; bh=udZnp5OERNDxD8pewZJG1qv4oBg8 ZK7EyWNpY/McYz4=; b=dJvbctprrMcaGDsgeGMZl0Uz7xvgKBtlDdgyNayNZX+b B7Fif9LttSwklvRTCMjObtokH9OeMBaTcmLdShV4AJDkUwKtjggByQSfDWtc28pk MHL7FBZ+tNhjENHk6mei+FzBzESd74+F2eDYdRAVgnUWQHwM6ypbe/eEssH0Y9ZO xF+rWAfxEkQcdmu5STYyTQKuGttdCQU7N6rCO72qdP1nKxXb0vpthq197GVsX8fS gPCfTq0T6Tcpl3fDSpV7rPrRfnMtTaNGyRtwayleLtw7KMYfGiaCxE+N9M2YsG0O 5QshYL+ojqOkGsQPDaALFML9vnzQOvU5lSo9Vf2erg==
X-ME-Sender: <xms:bDMUZjiDwGdeCAOzyIY9LhLyjkoHgCB5SVHxf5rafg2BCPtjR-TRbA> <xme:bDMUZgBLcvJwFvGhJyJxbS2lR2xcxp7DTB2rojg8l5m7hor5Ewle7cGyzyqRDeZ0U fy4AAIY3edevGsniRI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudegiedguddvtdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvvefutgesrgdtreerreertdenucfhrhhomhepfdfv hhgrugcuvfhhohhmphhsohhnfdcuoehthhgrugeslhhithgvphhiphgvrdgtohhmqeenuc ggtffrrghtthgvrhhnpedvjeetffejgedvtddufedvteffudfhkeetjeefueetgedvvdff teeuteegleegheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh hrohhmpehthhgrugeslhhithgvphhiphgvrdgtohhm
X-ME-Proxy: <xmx:bDMUZjFHbAX6eD9AeU2vTywVxRtybMR1GSUTNiuGVZA5gDvTguqx-A> <xmx:bDMUZgTCH_uobmz-i9KLtD-e-OB-DTlDz-rg_jpNvoUURa_f7kOhEw> <xmx:bDMUZgz4yAQ_5_Az1JKKL8gZC4peBrhn-5S8XFkSgHjMYTYbN75Vdg> <xmx:bDMUZm4BYywF4AcrgsWY1wrn1E4-60J0OLlRkJpOAUR1lWrFKi1-6A> <xmx:bDMUZr96fnr6ZTH23NHNieb-f6ADD_j7cbDlDWos6sl5k8D2ItWay5qD>
Feedback-ID: i4ea14616:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 17C92B60092; Mon, 8 Apr 2024 14:11:56 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-368-gc733b1d8df-fm-20240402.001-gc733b1d8
MIME-Version: 1.0
Message-Id: <789eeffd-c021-480c-81b0-6b424aac4b11@app.fastmail.com>
In-Reply-To: <6B2EF6E4-91E0-4F26-9623-A722BAAEDF3B@gmail.com>
References: <73d28971-0470-4339-9ae8-f2d07f2303ae@dennis-jackson.uk> <6B2EF6E4-91E0-4F26-9623-A722BAAEDF3B@gmail.com>
Date: Mon, 08 Apr 2024 13:11:35 -0500
From: Thad Thompson <thad@litepipe.com>
To: Neil Madden <neil.e.madden@gmail.com>, Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
Cc: cfrg@irtf.org
Content-Type: multipart/alternative; boundary="5c846a9013d749e0b3fd8a9060391e24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Lq8WWPlQfdnPzGtuKQMbCiGTytA>
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 18:13:25 -0000

Hey Neil,
For what it's worth, as an Internet rando (non-cryptographer) implementing a scheme very similar to the one you're suggesting, my understanding from the RFC was that the target security property of KEM authentication rather explicitly only covers two parties:

> 5.1.3.  Authentication Using an Asymmetric Key
>
>   This variant extends the base mechanism by allowing the recipient to
>   authenticate that the sender possessed a given KEM private key.  This
>   is because AuthDecap(enc, skR, pkS) produces the correct KEM shared
>   secret only if the encapsulated value enc was produced by
>   AuthEncap(pkR, skS), where skS is the private key corresponding to
>   pkS.  In other words, at most two entities (precisely two, in the
>   case of DHKEM) could have produced this secret, so if the recipient
>   is at most one, then the sender is the other with overwhelming
>   probability.

Am I not understanding that correctly? I assume that limitation is part of the reason MLS relies on asymmetric signatures for authentication.

However, I would agree that the limitations of KEM based authentication feel maybe a bit out of place. Besides the fact that it only proves authentication in a two-participant system, it also becomes fiddly when moving to PQ KEMs. You either wind up with a halfway 'quantum safe key exchange but NOT quantum safe authentication' scheme like Signal's PQXDH, or it is dropped entirely, like in X-Wing. In any case, it seems like the authenticated KEM modes in HPKE take up a large space in the standard for what turns out to be rather limited functionality with caveats. I wonder if HPKE 2.0 would include such modes at all?

Cheers!
- Thad

v2.23.0 | Report a Bug | By Email