Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
Dan Brown <danibrown@blackberry.com> Fri, 26 April 2019 16:57 UTC
Return-Path: <danibrown@blackberry.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECCBC12021F for <cfrg@ietfa.amsl.com>; Fri, 26 Apr 2019 09:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLBMtlqNJxjU for <cfrg@ietfa.amsl.com>; Fri, 26 Apr 2019 09:57:33 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E24D41201D6 for <cfrg@irtf.org>; Fri, 26 Apr 2019 09:57:31 -0700 (PDT)
Received: from xct106cnc.rim.net ([10.65.161.206]) by mhs211cnc.rim.net with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Apr 2019 12:57:24 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT106CNC.rim.net ([fe80::d824:6c98:60dc:3918%16]) with mapi id 14.03.0415.000; Fri, 26 Apr 2019 12:57:24 -0400
From: Dan Brown <danibrown@blackberry.com>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Adoption call for draft-barnes-cfrg-hpke
Thread-Index: AQHU/AdYoCx6qRbbHkW7ypFcKyh/6qZOk6gw
Date: Fri, 26 Apr 2019 16:57:23 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF501DCE015@XMB116CNC.rim.net>
References: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
In-Reply-To: <C7DA46E8-EBE9-4F4F-A621-23A089C59598@inf.ethz.ch>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0038_01D4FC2F.96DE23B0"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/TFY4DpEfNcdTu18e8xkK8gJWy4U>
Subject: Re: [Cfrg] Adoption call for draft-barnes-cfrg-hpke
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 16:57:36 -0000
> -----Original Message (abbreviated) ----- > From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Paterson Kenneth > Sent: Friday, April 26, 2019 4:09 AM > This email starts a 2-week adoption call for: > > Hybrid Public Key Encryption > > Please give your views on whether this document should be adopted as a CFRG > draft, and if so, whether you'd be willing to help work on it/review it. I think it item should be adopted, with changes, though I'm not sure how much I will be able to work on it or review it. Minor comments: The word "hybrid" now has 3 distinct meanings in crypto, two of them nearly opposite. The older meaning refers a system, with security relying on both components of the hybrid, i.e. weakest link. This is what HPKE means: both ECDH and AES-GCM must be secure, for example. A newer, nearly opposite, meaning is defense-in-depth, redundancy, strongest-link, etc., for example ECC+PQC. (A third meaning refers to a type of security proof.) Based on its title, this document could be expected to be a how-to on combining ECC+PQC+RSA+... (Arguably, the older meaning of "hybrid" should have precedence, and the newer meaning is infringing, etc.) I recommend changing "hybrid" to something else, but suffer from writer's block for an alternative (sorry). A well-known downside of ECIES (and any PKE) is the lack of forward secrecy (on the recipient side). In the olden times of ECC versus RSA, a real risk was somebody drop-in replacing RSA by ECIES, even when some type of forward-secure ECDH was possible. The famous example TLS 1.3 of requiring (EC)DHE should now minimize this risk. Nonetheless, a PKE document is better if it (somehow?) recommends the reader to use forward security if possible. (Maybe current draft does this well enough already.) Perhaps differences in HPKE from ECIES standards (i.e. algorithm, security, efficiency) - especially if those ECIES standards were implemented - should be documented (in an tedious appendix or table)? Also what about a comparison to other types of ECPKE: Cramer--Shoup encryption, NaCL's crypto_box, even ECC-in-CMS EnvelopedData, etc? An updated link of SEC1 v2 for is http://www.secg.org/sec1-v2.pdf (Sorry that PDF metadata title is version 1.9.) The ECIES in SEC1 v2 is rather outdated in its symmetric component (i.e. AEAD part). It uses a menu of KDF, XOR/AES/DES CTR/CBC, HMAC/CMAC, and then some concatenation of 2 extra info inputs. (Perhaps, one day a new version SEC1 will correct/modernize this, though CFRG may not care.) The ANSI X9.63-2011 standard used the extended KDF output as XOR key stream, and then an "Approved MAC", which allows HMAC, but also allows updates via other X9 documents, mainly the registry, (pointing to NIST MACs). There was an aim that the intersection of the ECIES versions defined IEEE 1363a, SEC1 and X9.63 was non-empty. Not sure if HPKE wants to aim for similar backwards interop.
- [Cfrg] Adoption call for draft-barnes-cfrg-hpke Paterson Kenneth
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Stanislav V. Smyshlyaev
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Stephen Farrell
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Benjamin Beurdouche
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Scott Arciszewski
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Dan Brown
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Mehmet Adalier
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Russ Housley
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… denis bider
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… John Mattsson
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Christopher Wood
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Richard Barnes
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Paul Lambert
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… mcgrew
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Marek Jankowski
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Jim Schaad
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Hugo Krawczyk
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Dan Brown
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Hugo Krawczyk
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Natanael
- Re: [Cfrg] Adoption call for draft-barnes-cfrg-hp… Alexey Melnikov