Re: [CFRG] Questions for the group from the HPKE presentation

Dan Harkins <dharkins@lounge.org> Mon, 09 August 2021 16:57 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7B233A0AD8 for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 09:57:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 24gD4333xIMm for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 09:57:25 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06DFD3A0AD6 for <cfrg@irtf.org>; Mon, 9 Aug 2021 09:57:24 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QXL2BQC20FOZ6@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 09 Aug 2021 11:57:24 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QXL00CVS0BV4E@trixy.bergandi.net> for cfrg@irtf.org; Mon, 09 Aug 2021 09:55:07 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 09 Aug 2021 09:55:07 -0700
Date: Mon, 09 Aug 2021 09:57:23 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <a582bedb-35ce-41ba-ba9b-2dd1c074b248@www.fastmail.com>
To: cfrg@irtf.org
Message-id: <79037424-99f4-8f82-15cb-cdb3e339338a@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset=utf-8; format=flowed
Content-language: en-US
Content-transfer-encoding: 8BIT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <CAFDDyk8yZegN6aWSZg=K7Wy+V2upq=GBuvGyQYowrRuehPDqYQ@mail.gmail.com> <CAL02cgTc34pSUOYqFiCKkfcobtj8y5=LashfsDNdabQ6g6P=gQ@mail.gmail.com> <2c0986bc-07c0-ed32-97b6-722fca39253e@lounge.org> <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com> <a582bedb-35ce-41ba-ba9b-2dd1c074b248@www.fastmail.com>
X-PMAS-Software: PreciseMail V3.3 [210809] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Rrv_nIuu1J4CpfDES6TmWgX0WZI>
Subject: Re: [CFRG] Questions for the group from the HPKE presentation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 16:57:31 -0000


On 8/9/21 7:08 AM, Christopher Wood wrote:
> For what it's worth, I agree with Richard here. As I understand the situation, this is solvable by the application or wrapper protocol. TLS 1.3, for example, assumes the same sort of reliable, in-order delivery to keep per-record nonces in sync, and that seems to work just fine: https://datatracker.ietf.org/doc/html/rfc8446#section-5.3.
>
> To answer the questions from the original post:
>
> 1) No (as per above), but also because adding this type of API seems really unsafe for AEADs that cannot survive nonce reuse.

   But SIV *can* survive nonce reuse. It is the original misuse-resistant
AEAD mode. The existing AEAD modes cannot survive nonce reuse and they would
be unchanged in my proposal.

   Dan.

> 2) Registering new compressed point format KEMs seems fine -- that's why we have the registry! I don't think we should add DAE ciphersuites given how they impact the security posture of HPKE. This seems to have the effect of making different application decisions regarding the AEAD yield different security outcomes, which I would claim is a regression.
>
> Best,
> Chris
>
> On Mon, Aug 9, 2021, at 12:56 AM, Richard Barnes wrote:
>> W.r.t. (1), the obvious solution to me would be a reordering window
>> outside of the HPKE implementation.  Even if the HPKE implementation
>> required in-order delivery, the application payloads containing HPKE
>> ciphertexts could have a sequence number indicating the order in which
>> they were produced, and the receiving application could use this to
>> ensure that they were fed to the HPKE implementation in order.
>>
>> --RLB
>>
>>
>> On Fri, Aug 6, 2021 at 1:56 PM Dan Harkins <dharkins@lounge.org> wrote:
>>> On 8/6/21 3:49 PM, Richard Barnes wrote:
>>>> 1. I don't think this question is well-formed.  HPKE isn't an API, it is a construction.  In fact, the "API considerations" section of the HPKE spec is there precisely because there might be different APIs to an HPKE implementation.
>>>   
>>>    It may not be perfectly formed but its obvious what is being asked. My answer
>>> to it is that once you find out that your contexts are out of sync it's too late.
>>> I think it's more important to just be able to deal with out-of-order and lost
>>> packets.
>>>
>>>    Yes, it's "a construction"...that hides a datum from the user and makes the
>>> construction fragile for some use cases. So I'd like to remove that fragility for
>>> those use cases. The easiest and least intrusive, to the construction, way is
>>> to just have Nn=0 for these new AEAD algorithms and not worry about the nonce.
>>>
>>>    One thing I failed to mention during my presentation is that even if the
>>> user adds a counter/nonce as AAD or a plaintext tweak (to hide whether the same
>>> thing is encrypted twice) and screws it up, the DAE security guarantees
>>> remain. SIV is the original misuse-resistant mode.
>>>
>>>    Instead "resetting the nonce counter" we could do something analogous to what
>>> IPsec does with a floating window that prevents replay but allows out-of-order
>>> delivery modulo some limit (really late packets will just get dropped). But that
>>> might require some changes to the API...err, the construction, so we'd be back
>>> to a reformed question #1.
>>>
>>>> Given all that, I would be in favor of no action here.  There are several existing ways for an HPKE-based protocol to deal with out-of-order delivery.
>>>   
>>>    You mean like using deterministic authenticated encryption? If not that, then what
>>> exactly are you referring to?
>>>    
>>>> 2. Personally, I don't have a use case for either of these.
>>>   
>>>    Well, will you admit that while these might not be your use cases that they are
>>> legitimate nonetheless?
>>>
>>>    Serialization should have never used SEC uncompressed format. There's no valid
>>> reason to do that. I regret that I didn't bring this issue up until it was
>>> officially "too late". But that can be rectified pretty easily and no one will force
>>> you to use compact representation if you really don't want to.
>>>
>>>    Dan.
>>>
>>>> On Fri, Aug 6, 2021 at 12:31 PM Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org> wrote:
>>>>> Dear CFRG participants,
>>>>>
>>>>> At IETF 111, Dan Harkins made a presentation <https://datatracker.ietf.org/meeting/111/materials/slides-111-cfrg-new-kems-and-aeads-for-hpke-00> with two proposals:
>>>>> - a proposal to define new codepoints for HPKE representing new KEMs for compressed NIST points
>>>>> - a proposal to define new codepoints to support deterministic authenticated encryption schemes that don't use a nonce. This is in service of the use case of out-of-order delivery of ciphertexts. *In the discussion, it was noted that HPKE uses a nonce to ensure that it never leaks whether the same plaintext was encrypted twice and that this proposal does not provide this security property.*
>>>>>
>>>>> Also during the discussion, an alternative proposal was made to solve the out-of-order use case: modify the API for HPKE to enable the user to reset the nonce counter. This API would enable out-of-order delivery of ciphertexts with existing HPKE AEADs.
>>>>>
>>>>> The chairs would like to ask the group a few questions:
>>>>> 1) Does the research group support adding an API to HPKE for resetting the nonce counter?
>>>>> 2) Is there interest in pursuing a work item to explore defining either of the following:
>>>>> - new codepoints for compressed curve points in HPKE?
>>>>> - new codepoints for deterministic authenticated encryption in HPKE (given the answer to (1) was no)?
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Nick (for the chairs)
>>>>> _______________________________________________
>>>>> CFRG mailing list
>>>>> CFRG@irtf.org
>>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>> -- 
>>> "The object of life is not to be on the side of the majority, but to
>>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius