Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 09 December 2019 20:30 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6136B12018B for <cfrg@ietfa.amsl.com>; Mon, 9 Dec 2019 12:30:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_1OjBKBlC0Z for <cfrg@ietfa.amsl.com>; Mon, 9 Dec 2019 12:30:33 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B0AE1201E0 for <cfrg@irtf.org>; Mon, 9 Dec 2019 12:30:32 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 9E5F3BDCF; Mon, 9 Dec 2019 20:30:29 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pX0xNJlgKUI; Mon, 9 Dec 2019 20:30:26 +0000 (GMT)
Received: from [10.244.2.119] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id AF1DFBE24; Mon, 9 Dec 2019 20:30:26 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1575923426; bh=KfjFGRyTo7XWZh9vwRFDwrStYZaDBzxEv5OuxZm3Ewo=; h=Subject:To:References:From:Date:In-Reply-To:From; b=pRkvwlkQ+AKAqv3QvXNAjaAHogWp2YTzhV5Z9m0twdvv3M9cgj6Vmt9BLBIEZnTDb fepOcdjSZ2oozuF2NgWkqvqL0KQGjk2FC3Flk/os3z1JtB5bxbaDh4o8TN1TtPQV4s htkHc5Y2xnX1IKR6UZjnZtZM634yvwp1P8z72RuA=
To: Michael Scott <mike.scott@miracl.com>, "cfrg@irtf.org" <cfrg@irtf.org>
References: <PU1PR01MB194785846F2111C524EC27D9A84C0@PU1PR01MB1947.apcprd01.prod.exchangelabs.com> <CAL02cgRZwDX+Oo_sQ4T8QcuR+7LH=aw-4h43KjCgmfABQ5DJmQ@mail.gmail.com> <PU1PR01MB19473B071CC97F419EF35C11A8420@PU1PR01MB1947.apcprd01.prod.exchangelabs.com> <CAEseHRqA4J79K7d_SAWwTgQxUhZr87aam1RCWBnTsTOXu_H4jQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <16f7ce61-48ba-2c33-cd68-7f56916e2366@cs.tcd.ie>
Date: Mon, 09 Dec 2019 20:30:24 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.1
MIME-Version: 1.0
In-Reply-To: <CAEseHRqA4J79K7d_SAWwTgQxUhZr87aam1RCWBnTsTOXu_H4jQ@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="EYBMQIHD0M1fFEINTKYq4ydICv38X86mK"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/S86si2zZ9JXtyqeEZ7XW6iVyqSE>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 20:30:36 -0000
Hiya, On 04/12/2019 11:29, Michael Scott wrote: > Hello, > > We have implemented an experimental version of HPKE, working from the > latest draft (in the C++ language only for now) > > https://github.com/miracl/core > > Our experimental API supports all 4 modes of operation, but currently only > for AES-GCM and the curves X25519 and P521. > > Some feed-back: It would be a good idea to explicitly warn the reader that > the X25519/X448 keys are actually in little-endian format, whereas for > P256/521 they are big-endian. > > The Npk sizes given for the KEMS for curves P256 and P521 appear to be for > a compressed form of the points. In the test vectors uncompressed public > keys are used. Yep, I'd suggest changing to use uncompressed form and changing the Npk, Nenc sizes accordingly. (To 65 for p256 and 133 for p521 if I got it right.) Anyway, my code [1] does that and it matches the test vectors. BTW, if we did stick with the compressed form, then 33 would seem more useful than 32 for p256/Npk, but sticking with uncompressed is likely better as that's what TLS does, so maybe code supporting uncompressed will be easier to find. > The first test vector provided (for mode 3) appears out-of-order. > > Other than that a well written and easy to follow draft. Not sure I'd agree with "easily" but I suspect your better familiarity with the underlying crypto and your own miracl code helped. FWIW though, even a relative ignoramus like me thrashing about with OpenSSL managed to get it working:-) Cheers, S. [1] https://github.com/sftcd/happykey > > > Mike > > On Wed, Dec 4, 2019 at 1:17 AM Nasrul Zikri <nasrulzikri@outlook.com> wrote: > >> >> Hello Richard, >> >> Thanks for looking at my use-case. I have been working recently on a quick >> implementation of FFDH so I would be interested to see how this perform in >> HPKE. If I can test this first and then request code points later that is >> good enough. If you can find a way to re-use TLS cipher suite code points >> (like Stephen say) that is good also because this defines >> ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), ffdhe6144(0x0103), >> ffdhe8192(0x0104), ffdhe_private_use(0x01FC..0x01FF). >> >> I think there are improvements that can be made for generating custom >> group for better security and speed. Using custom group help defend against >> an powerful adversary who would put a lot of work into breaking a fixed >> group, so I disagree that they are "even worse idea", but I realise there >> will be difficulties in negotiate parameters for custom group so I don't >> want to delay your draft. >> >> Tk, >> Nasrul >> >> >> ------------------------------ >> *From:* Richard Barnes <rlb@ipv.sx> >> *Sent:* Thursday, November 28, 2019 04:02 >> *To:* Nasrul Zikri <nasrulzikri@outlook.com> >> *Cc:* cfrg@irtf.org <cfrg@irtf.org> >> *Subject:* Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt >> >> Hi Nasrul, >> >> Thanks for taking a look at this draft. Personally, I am disinclined to >> define FFDH schemes, unless there are other folks in the RG who think they >> would be useful. That said, the registry policy on group IDs is >> Specification Required, so you can get code points if you have a >> specification; it doesn't have to be in this doc.. AFAIK, there should be >> no technical barrier to doing FFDH. >> >> As far as custom parameters, I think the only reasonable way to >> accommodate them here would be to reserve some space in the registry for >> private, vendor-specific use. But this seems like an even worse idea than >> FFDH, so again, I'm inclined to do nothing here. >> >> If other folks are interested in these cases, please speak up. >> >> --Richard >> >> >> On Wed, Nov 20, 2019 at 1:32 AM Nasrul Zikri <nasrulzikri@outlook.com> >> wrote: >> >> On your draft of Hybrid Public Key Encryption. >> >> The draft appears to be for any DH KEM, but I note, however that the >> examples and test vectors it gives are only for the elliptic curves >> P-256, Curve25519, P-521, Curve448. >> >> Would it be possible to define the algorithm identifiers and test >> vectors for some FFDH groups as well as the elliptic curve? Or is there >> some important reason why only ECDH methods are suitable? >> >> If FFDH groups are indeed correct for use in the draft, it would appear >> that the table in section 8.1 could be extended to allocate identifiers >> for at least the parameter ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, >> ffdhe8192 as stated in RFC 7919, and perhaps the MODP groups as stated >> in RFC 3526 and RFC 5114. >> >> I would also like there to be a way of specifying the use of a custom >> finite field for when the use of a defined elliptic curve or finite >> field is not enough. I realise that stating a method for transporting >> the parameters {p,q,g} is outside the scope of this draft, but could a >> value for custom groups or private use be stated in this table also? >> >> Tk, >> Nasrul >> >> >> >>> Hey all, >>> >>> Happy IETF 106 deadline day! >>> >>> The authors feel that this version of HPKE is substantially complete. >> All >>> of the functional parts are there, as well as test vectors to facilitate >>> interop. And I think we've got some formal proofs on the way. Please >> take >>> a look and speak up if you see any gaps. >>> >>> Thanks, >>> --Richard >>> >>> On Mon, Nov 4, 2019 at 3:47 PM <internet-drafts@ietf.org>; wrote: >>> >>>> >>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>> directories. >>>> This draft is a work item of the Crypto Forum RG of the IRTF. >>>> >>>> Title : Hybrid Public Key Encryption >>>> Authors : Richard L. Barnes >>>> Karthik Bhargavan >>>> Filename : draft-irtf-cfrg-hpke-02.txt >>>> Pages : 45 >>>> Date : 2019-11-04 >>>> >>>> Abstract: >>>> This document describes a scheme for hybrid public-key encryption >>>> (HPKE). This scheme provides authenticated public key encryption of >>>> arbitrary-sized plaintexts for a recipient public key. HPKE works >>>> for any combination of an asymmetric key encapsulation mechanism >>>> (KEM), key derivation function (KDF), and authenticated encryption >>>> with additional data (AEAD) encryption function... We provide >>>> instantiations of the scheme using widely-used and efficient >>>> primitives. >>>> >>>> >>>> The IETF datatracker status page for this draft is: >>>> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ >>>> >>>> There are also htmlized versions available at: >>>> https://tools.ietf.org/html/draft-irtf-cfrg-hpke-02 >>>> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-hpke-02 >>>> >>>> A diff from the previous version is available at: >>>> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hpke-02 >>>> >>>> >>>> Please note that it may take a couple of minutes from the time of >>>> submission >>>> until the htmlized version and diff are available at tools.ietf.org. >>>> >>>> Internet-Drafts are also available by anonymous FTP at: >>>> ftp://ftp.ietf.org/internet-drafts/ >>>> >>>> _______________________________________________ >>>> Cfrg mailing list >>>> Cfrg@irtf.org >>>> https://www.irtf.org/mailman/listinfo/cfrg >> >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Richard Barnes
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Nasrul Zikri
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Richard Barnes
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Nasrul Zikri
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Michael Scott
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Benjamin Kaduk
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Ilari Liusvaara
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Michael Scott
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt Stephen Farrell