Re: [Cfrg] hpke which HKDF to use for eae_prk?

Richard Barnes <rlb@ipv.sx> Thu, 20 August 2020 18:42 UTC


I think the spec is right here.  The DHKEM instances are defined with a
curve and a KEM, so assuming your descriptor "x25519,hkdf-sha512,aesgcm128"
is meant to be "KEM,KDF,AEAD", it's either incomplete or it represents a
DHKEM instance that isn't defined in the document.  In the schemes in the
document, the KDF in DHKEM is matched to the size of the curve, so x25519
goes with SHA-256.

The current test vectors wouldn't catch this misunderstanding, though, so
maybe it would be worth adding a case.


On Thu, Aug 20, 2020 at 2:10 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> I also have a 2nd interop issue: when calculating
> the eae_prk value my code uses the HKDF from the HPKE
> ciphersuite. So if I'm using x25519,hkdf-sha512,aesgcm128
> in the base mode, then my eae_prk value is 64 octets
> long.
>
> In contrast, the test vectors use the HKDF that is
> associated with the KEM and so in the above case the
> eae_prk value is only 32 octets.
>
> I don't think there's a real security difference here,
> in which case I'd argue that using the HPKE ciphersuite
> is more natural and easily understood (IOW, I prefer my
> code:-).
>
> Either way, we should clarify this and maybe again also
> include that intermediate value in the test vectors.
>
> Cheers,
> S.
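The two derivations Stephen and Richard are comparing, as an added example that is not part of the thread: DHKEM's ExtractAndExpand computed with the KEM's own KDF (HKDF-SHA256 for X25519, as the test vectors do) and, for contrast, with the ciphersuite KDF (HKDF-SHA512), which yields the 32- versus 64-octet eae_prk described above. It assumes the final RFC 9180 labels ("HPKE-v1", suite_id = "KEM" || kem_id 0x0020), which postdate this message, and uses a constructed 32-byte DH output instead of a real X25519 computation.

```python
import hashlib
import hmac

# RFC 9180 identifiers for DHKEM(X25519, HKDF-SHA256) (assumed; final-RFC values)
KEM_ID_X25519_HKDF_SHA256 = 0x0020
NSECRET_X25519 = 32
SUITE_ID = b"KEM" + KEM_ID_X25519_HKDF_SHA256.to_bytes(2, "big")


def hkdf_extract(hash_name, salt, ikm):
    # RFC 5869: PRK = HMAC-Hash(salt, IKM); an empty salt behaves as HashLen zeros
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name, prk, info, length):
    # RFC 5869: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated and truncated
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def labeled_extract(hash_name, salt, label, ikm):
    return hkdf_extract(hash_name, salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(hash_name, prk, label, info, length):
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(hash_name, prk, labeled_info, length)


def extract_and_expand(dh, kem_context, kdf_hash="sha256"):
    """DHKEM ExtractAndExpand. kdf_hash is the hash of the KEM's own KDF:
    SHA-256 for DHKEM(X25519, HKDF-SHA256), whatever the ciphersuite KDF is."""
    eae_prk = labeled_extract(kdf_hash, b"", b"eae_prk", dh)
    shared_secret = labeled_expand(kdf_hash, eae_prk, b"shared_secret",
                                   kem_context, NSECRET_X25519)
    return eae_prk, shared_secret


# Constructed sample inputs (not from any real exchange): a 32-byte DH output
# and kem_context = enc || pkRm, 32 bytes each for X25519.
SAMPLE_DH = bytes(range(32))
SAMPLE_KEM_CONTEXT = bytes([0xAA] * 32) + bytes([0xBB] * 32)

if __name__ == "__main__":
    prk_kem, _ = extract_and_expand(SAMPLE_DH, SAMPLE_KEM_CONTEXT, "sha256")
    prk_suite, _ = extract_and_expand(SAMPLE_DH, SAMPLE_KEM_CONTEXT, "sha512")
    print(len(prk_kem), len(prk_suite))  # 32 vs 64: the interop mismatch in the thread
```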