[CFRG] DAE for HPKE, was Re: I-D Action: draft-irtf-cfrg-dnhpke-02.txt

Dan Harkins <dharkins@lounge.org> Fri, 29 September 2023 19:00 UTC

Date: Fri, 29 Sep 2023 11:06:54 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <169592647633.22478.7564567661859429538@ietfa.amsl.com>
To: cfrg@irtf.org
Message-id: <105f3992-d271-d3fd-e3eb-23751f763e15@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/OomAmCT8TDXT7cZDK4mEFlgIuNM>

   Hello,

   First of all, there's a new version of draft-irtf-cfrg-dnhpke out.
Please take a look.

   At IETF 116 I was told I could get IANA assigned values without
the draft becoming an RFC so I applied. I got KEM assignments for
compressed output but the experts are refusing to approve assignment
for DAE support because it's not IND-CCA2.

   So let me digress briefly....

   In [1], I noted that this requirement that "all AEADs must be
IND-CCA2 secure" appeared in -10 of the HPKE I-D without any real
discussion (it wasn't in -09 and there was no discussion on the
list) and that I was concerned that they were closing the door on
my proposal. But I was told in [2] by an author of HPKE, and the
guy who did the security analysis, that the door wasn't closed and
that adding new DAE ciphers which were not IND-CCA2 did not affect
the existing ciphers which were. There was even a pull request for
HPKE to clarify (see [3]) which I was under the impression allowed
for addition of new ciphers which were not IND-CCA2 since they were
not diluting existing security guarantees.

   But now I'm being told by the experts that there is an absolute
prohibition on using HPKE with a cipher which is not IND-CCA2. I
believe that is incorrect and certainly that was not part of the
RGLC approval of the HPKE I-D.

   I would like to hear what other people think and would like the
experts to be overruled and to approve assignment of the DAE ciphers
defined in draft-irtf-cfrg-dnhpke-02.

   thanks and regards,

   Dan.

[1] https://mailarchive.ietf.org/arch/msg/cfrg/dAhw4TluqDfzKvtatqXvXbW0GVY/
[2] https://mailarchive.ietf.org/arch/msg/cfrg/MOMY2a3srTUpgW2F_76kySv5IKw/
[3] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/233

On 9/28/23 11:41 AM, internet-drafts@ietf.org wrote:
> Internet-Draft draft-irtf-cfrg-dnhpke-02.txt is now available. It is a work
> item of the Crypto Forum (CFRG) RG of the IRTF.
>
>     Title:   Deterministic Nonce-less Hybrid Public Key Encryption
>     Author:  Dan Harkins
>     Name:    draft-irtf-cfrg-dnhpke-02.txt
>     Pages:   38
>     Dates:   2023-09-28
>
> Abstract:
>
>     This document describes enhancements to the Hybrid Public Key
>     Encryption standard published by CFRG.  These include use of "compact
>     representation" of relevant public keys, support for key-wrapping,
>     and two ways to address the use of HPKE on lossy networks: a
>     deterministic, nonce-less AEAD scheme, and use of a rolling sequence
>     number with existing AEAD schemes.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-dnhpke/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-dnhpke-02
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-dnhpke-02
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
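To make the two properties at issue concrete, here is an added Python illustration that is not from the draft or this thread: it uses a toy SHA-256-based AEAD (not a real cipher) and a constructed key, and mirrors only HPKE's nonce derivation (base_nonce XOR seq, from RFC 9180) plus a generic SIV-style deterministic construction. It shows why a per-message sequence number breaks over a lossy link and why the deterministic alternative cannot be IND-CCA2: identical inputs produce identical ciphertexts.

```python
import hashlib
import hmac

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, nonce, n):
    # Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def nonce_seal(key, nonce, aad, pt):
    # Nonce-based AEAD (toy encrypt-then-MAC); the nonce must never repeat under one key.
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]

def nonce_open(key, nonce, aad, sealed):
    ct, tag = sealed[:-16], sealed[-16:]
    want = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
    return _xor(ct, _keystream(key, nonce, len(ct))) if hmac.compare_digest(tag, want) else None

def hpke_nonce(base_nonce, seq):
    # RFC 9180 context nonce: base_nonce XOR I2OSP(seq, Nn). Sender and receiver must agree on seq.
    return _xor(base_nonce, seq.to_bytes(len(base_nonce), "big"))

def dae_seal(key, aad, pt):
    # SIV-style DAE (toy): the IV is a PRF of (aad, pt), so no per-message state is needed.
    siv = hmac.new(key, aad + pt, hashlib.sha256).digest()[:12]
    return siv + _xor(pt, _keystream(key, siv, len(pt)))

def dae_open(key, aad, sealed):
    siv, ct = sealed[:12], sealed[12:]
    pt = _xor(ct, _keystream(key, siv, len(ct)))
    return pt if hmac.compare_digest(siv, hmac.new(key, aad + pt, hashlib.sha256).digest()[:12]) else None
KEY, BASE_NONCE = b"k" * 32, b"n" * 12      # constructed sample key material
MSGS = [b"msg0", b"msg1", b"msg2", b"msg3"]  # constructed sample messages; packet 2 gets lost
def nonce_mode_over_lossy_link():
    # Sender seals with seq 0..3; the receiver never sees packet 2 but keeps counting from 0,
    # so its nonce for the third delivered packet is wrong and authentication fails (None).
    packets = [nonce_seal(KEY, hpke_nonce(BASE_NONCE, i), b"", m) for i, m in enumerate(MSGS)]
    delivered = [p for i, p in enumerate(packets) if i != 2]
    return [nonce_open(KEY, hpke_nonce(BASE_NONCE, i), b"", p) for i, p in enumerate(delivered)]
def dae_mode_over_lossy_link():
    # Same loss, but decryption needs no counter, so every delivered packet opens.
    delivered = [dae_seal(KEY, b"", m) for i, m in enumerate(MSGS) if i != 2]
    return [dae_open(KEY, b"", p) for p in delivered]
def dae_reveals_repeats():
    # Cost of determinism: equal (aad, pt) give equal ciphertexts, the distinguisher IND-CPA/IND-CCA2 rule out.
    return dae_seal(KEY, b"", b"msg0") == dae_seal(KEY, b"", b"msg0")
```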