[Cfrg] comments on provable security of draft-irtf-cfrg-hpke

Benjamin Lipp <benjamin.lipp@inria.fr> Tue, 02 June 2020 20:51 UTC

To: cfrg@irtf.org, draft-irtf-cfrg-hpke@ietf.org
From: Benjamin Lipp <benjamin.lipp@inria.fr>
Message-ID: <d626303d-a671-140a-0445-209407d30974@inria.fr>
Date: Tue, 02 Jun 2020 22:51:14 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PuAyqr_wFqouFcGfSoKQMIQ1ajc>

Dear CFRG,

I have carefully reviewed the HPKE draft, mostly from a provable
security point-of-view. All issues I raised to the authors have been
fixed in collaboration with them before the RGLC. I think the document
is ready to go as soon as the pending (minor and editorial) comments
have been addressed.

A write-up of a mechanized computational analysis (game-based security
proof) done with CryptoVerif is available at [1], however it is outdated
since the changes made to the draft with this pull request [2]; this
pull request mainly added a KDF to DHKEM and labels to all Extract
calls. Proofs for the current version of DHKEM are available at [3]
(without write-up yet). This analysis is ongoing to further refine the
security notions and update the proofs accordingly.

Best regards,
Benjamin

[1] https://eprint.iacr.org/2020/243
[2] https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/50
[3] https://github.com/blipp/hpke-analysis-material