Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
David Benjamin <davidben@chromium.org> Thu, 17 November 2022 15:04 UTC
Return-Path: <davidben@google.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 495A5C14CF06 for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 07:04:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.247
X-Spam-Level:
X-Spam-Status: No, score=-9.247 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWbfnCLTw0Oj for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 07:04:50 -0800 (PST)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2833C1524C8 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 07:04:50 -0800 (PST)
Received: by mail-yb1-xb2e.google.com with SMTP id 63so2183525ybq.4 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 07:04:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MggSvBA4OWEb+Lqc7aVv+gzy8ar2tXILG21IZU12fLc=; b=Ke5CFcm7Ftr9GJbqOP5Z8iNwO/o562gdoq5LcC5NxhdKmvjXsndlQaBhBIWay+oita tVHGp6P9EKPCNC8KmMyTxbPljVA1+A+E7cDxKpcOfBo+J7JoI25KqOw414+r6v0+atcn cTSewCD3kIpGMyw9spql4ADYhJcHtwMFSXB9k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=MggSvBA4OWEb+Lqc7aVv+gzy8ar2tXILG21IZU12fLc=; b=I/ygFnBGIommLcamQTiDDuv5WcxBqE3sy2cU+thsgCtlg455KdP57+c1Yvt5yu2QDi OCaL7l9WVxu6EVgNv5wh2MWwvTmejHwG44BGC8SBVPMXQ+dYvWyQ2rVay+9BLEIYknSS 0lmWQj/1/BCeibjmXILtSJyEo3fFqm3e8eeVxrozlooNddVz2fTvhZy9D7dxToR6SLVH tQibX1Tmh91tClByD6sxE8NOneMi32g9NNY3Xgfp/d/kmMnYTmcHxsoEPiA+dVyPtDeF U67qLqgpgPwvO5n3aBICTsbg1CBsQU7K/vRSDrkF6f7aDyz/eHbhwxbEdMnbvzxcwAOO x+FA==
X-Gm-Message-State: ANoB5pkdUFks5IoYlBzWWsxlooo1fQESlb91acs2R0RGLYlzCQVBQW1k TEhdNAJ5qoWkEGYsabLAnOxlc/t4st0ChEKf6AuwQ2SCKQ==
X-Google-Smtp-Source: AA0mqf6RSDuzpR3usQTj1Nl4XIyraU7rSXFaeICVcdocujNBZ179h3OSXHMQKYHaZ9kohlMmND0L3w/78YDRY/UoD+0=
X-Received: by 2002:a25:244a:0:b0:6e8:d6c:5401 with SMTP id k71-20020a25244a000000b006e80d6c5401mr182817ybk.614.1668697489742; Thu, 17 Nov 2022 07:04:49 -0800 (PST)
MIME-Version: 1.0
References: <2268807e-e934-2061-608a-afd422934acb@cs.tcd.ie>
In-Reply-To: <2268807e-e934-2061-608a-afd422934acb@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 17 Nov 2022 10:04:33 -0500
Message-ID: <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "cfrg@irtf.org" <Cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000001df71305edabe9cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Qij5R82l1ygWWi39s8mqw8DMbE0>
Subject: Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 15:04:55 -0000
Our implementation doesn't impose any particular limits on info. But this maybe points to a larger issue here. The resolution of https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/226 to recommend using info like an AEAD's aad parameter, which typically does not have tight limits. And, even independent of that advice, non-single-shot uses (like ECH) may well have non-trivial per-context additional authenticated data. For ECH in particular, should we ever stick PQ KEMs into ECH, the info field will become a lot larger. https://www.rfc-editor.org/rfc/rfc9180.html#section-8.1 Looks like the size issue comes from info being used as the IKM to LabeledExtract, which constructs a labeled_ikm by prepending a prefix. This means that, if your HKDF API requires contiguous IKMs, you need to make a copy of the info string. https://www.rfc-editor.org/rfc/rfc9180.html#section-5.1-9 https://www.rfc-editor.org/rfc/rfc9180.html#section-4-9 I would not expect most HKDF-Extract APIs to support discontiguous IKMs, as that's kinda weird for keying material. Then again, if we break the abstraction, it's just the body of an HMAC, which typically can be streamed, much less discontiguous. So we do't *actually* need to make a copy here. But breaking the abstraction here is not ideal because HPKE aims to abstract over KDFs. So if we want to rely on that, we might need to make a note to tweak the definition for future KDFs so they don't need to rely on the HMAC internals. On Wed, Nov 16, 2022 at 7:27 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > I filed an erratum [1] on RFC9180. It'd be good know what > other implementations support before we finalise/approve > that. > > The issues: > > - section 7.2.1 recommends a max of 64 octets for various > values, but appendix A.6.1 and other test vectors require > handling values that are 66 octets long > > - 64 octets is too short for the "info" parameter, as used > for ECH (where it needs to allow 8+len(ECHConfig) which > will be longer, and ECHConfig is extensible so we can't > be sure how long) > > One way to handle this might be to change the erratum so > it recommends supporting up to 128 octets for all values > except "info" where we might recommend supporting up to > 1024. > > So - would the above work for your HPKE implementation or > application using HPKE, or would you prefer some other > change? > > Thanks, > S. > > [1] https://www.rfc-editor.org/errata/eid7251 > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] RFC9180/HPKE erratum on recommended sizes Stephen Farrell
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Benjamin Beurdouche
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Ilari Liusvaara
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Colin Perkins
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Dan Harkins