Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt
Dan Harkins <dharkins@lounge.org> Tue, 13 July 2021 17:05 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EDBD3A0D7A for <cfrg@ietfa.amsl.com>; Tue, 13 Jul 2021 10:05:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pAUUTlEY8Zif for <cfrg@ietfa.amsl.com>; Tue, 13 Jul 2021 10:05:15 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6055A3A0D7C for <cfrg@irtf.org>; Tue, 13 Jul 2021 10:05:15 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QW721IPS0SPP9@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 13 Jul 2021 12:05:13 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QW7006CX0SKVL@trixy.bergandi.net> for cfrg@irtf.org; Tue, 13 Jul 2021 10:05:09 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Tue, 13 Jul 2021 10:05:09 -0700
Date: Tue, 13 Jul 2021 10:05:11 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <c6f748d5-8e24-4272-a9bf-974b2ab09668@www.fastmail.com>
To: cfrg@irtf.org
Message-id: <9abed69c-f3d5-3494-a941-5ebf3529ebb4@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <162567329247.15923.4311477568566128956@ietfa.amsl.com> <856d159d-1b7e-ee22-a1da-32b78704da54@lounge.org> <0e12f957-3472-84b9-e152-8372ae520535@lounge.org> <5db11a21-a519-149b-3b14-6a7249e713d3@inria.fr> <c6f748d5-8e24-4272-a9bf-974b2ab09668@www.fastmail.com>
X-PMAS-Software: PreciseMail V3.3 [210712a] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NPgAEfK9XedCQSdlwgB_Tfia94Y>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 17:05:21 -0000
Chris, Benjamin, et al, Thank you very much! That addresses my concern. regards, Dan. On 7/13/21 9:43 AM, Christopher Wood wrote: > Hi Dan, all, > > FYI, we just merged this PR to clarify the editorial change: > > https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233 > > We'll cut a new version of the draft ASAP. > > Best, > Chris > > On Tue, Jul 13, 2021, at 3:58 AM, Benjamin Lipp wrote: >> Hi Dan, >> >> On 12/07/2021 23:53, Dan Harkins wrote: >>> I've been having trouble with my mailer and I see in the archives you >>> responded >>> but it's not getting successfully delivered. >> That is probably my fault – I first tried to post to the list from the >> wrong sender address and so you have probably received my mail twice. >> Sorry for that. >> >> >>> The text that's been there for a while talks about the construction defined >>> in the draft. And yes, use those KEMs and those KDFs and those AEADs and >>> that's what you get. >>> >>> But now the draft says, >>> >>> "Future specifications may introduce new KEM, KDF, and AEAD algorithm >>> identifiers provided they adhere to the security requirements in Section >>> 9.2, Section 9.3, and Section 9.4, respectively." >>> >>> And then 9.4 says all AEADs MUST provide IND-CCA2. >>> >>> So my reading is that future specifications, like DNHPKE, can introduce >>> a new AEAD algorithm, which I want to do, provided it provides IND-CCA2, >>> which SIV does not. >> I see now what you mean. I agree the phrasing is problematic or at least >> inconvenient if we indeed want to keep the possibility open that some >> variants of HPKE do not provide IND-CCA2 but something else/weaker. >> Thanks for clarifying. >> >> >>> If that is your intent I think it can be phrased differently. For instance, >>> the text in section 7 could be re-written something like: >>> >>> "The HPKE construct defined here provides IND-CCA2. Future specifications >>> may introduce new KEM, KDF, and AEAD algorithm identifiers and retain this >>> security guarantee provided they adhere to the requirements in Section 9.2, >>> Section 9.3, and Section 9.4, respectively." >>> >>> That way it's clear that the intent is to keep the guarantee you need all >>> the right parts together and if you don't keep all the parts together you >>> don't get the guarantee. >> Thanks for this suggestion. >> >> I'll bring it to the attention of my co-authors such that we can discuss >> what the intent actually was. >> >> Best regards, >> Benjamin. >> >> >> >> >> >>> On 7/12/21 9:39 AM, Dan Harkins wrote: >>>> Hello, >>>> >>>> -10 includes a new section, 9.4, that says: >>>> >>>> "All AEADs MUST be IND-CCA2-secure, as is currently true for all >>>> AEADs >>>> listed in Section 7.3" >>>> >>>> I don't believe this was discussed on the list and I don't agree with it. >>>> Using the AEADs in section 7.3 will give you a construction that is >>>> IND-CCA2 >>>> secure but I don't think that all uses of HPKE MUST be. >>>> >>>> I have a draft on adding support for deterministic authenticated >>>> encryption >>>> to HPKE and this subtle addition to -10 closes the door on that. Since >>>> we did >>>> not discuss this addition I'd like to start discussing it before this >>>> draft >>>> gets too far. >>>> >>>> regards, >>>> >>>> Dan. >>>> >>>> On 7/7/21 8:54 AM, internet-drafts@ietf.org wrote: >>>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>>> directories. >>>>> This draft is a work item of the Crypto Forum RG of the IRTF. >>>>> >>>>> Title : Hybrid Public Key Encryption >>>>> Authors : Richard L. Barnes >>>>> Karthik Bhargavan >>>>> Benjamin Lipp >>>>> Christopher A. Wood >>>>> Filename : draft-irtf-cfrg-hpke-10.txt >>>>> Pages : 104 >>>>> Date : 2021-07-07 >>>>> >>>>> Abstract: >>>>> This document describes a scheme for hybrid public-key encryption >>>>> (HPKE). This scheme provides a variant of public-key encryption of >>>>> arbitrary-sized plaintexts for a recipient public key. It also >>>>> includes three authenticated variants, including one which >>>>> authenticates possession of a pre-shared key, and two optional ones >>>>> which authenticate possession of a KEM private key. HPKE works for >>>>> any combination of an asymmetric key encapsulation mechanism (KEM), >>>>> key derivation function (KDF), and authenticated encryption with >>>>> additional data (AEAD) encryption function. Some authenticated >>>>> variants may not be supported by all KEMs. We provide >>>>> instantiations >>>>> of the scheme using widely used and efficient primitives, such as >>>>> Elliptic Curve Diffie-Hellman key agreement, HKDF, and SHA2. >>>>> >>>>> This document is a product of the Crypto Forum Research Group (CFRG) >>>>> in the IRTF. >>>>> >>>>> >>>>> The IETF datatracker status page for this draft is: >>>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ >>>>> >>>>> There is also an HTML version available at: >>>>> https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-10.html >>>>> >>>>> A diff from the previous version is available at: >>>>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hpke-10 >>>>> >>>>> >>>>> Internet-Drafts are also available by anonymous FTP at: >>>>> ftp://ftp.ietf.org/internet-drafts/ >>>>> >>>>> >>>>> _______________________________________________ >>>>> CFRG mailing list >>>>> CFRG@irtf.org >>>>> https://www.irtf.org/mailman/listinfo/cfrg >>> -- >>> "The object of life is not to be on the side of the majority, but to >>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius >>> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt internet-drafts
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Dan Harkins
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Benjamin Lipp
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Dan Harkins
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Benjamin Lipp
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Christopher Wood
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Dan Harkins
- Re: [CFRG] I-D Action: draft-irtf-cfrg-hpke-10.txt Franziskus Kiefer