IETF Logo Mail Archive

Re: [CFRG] HPKE and Key Wrapping

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 31 March 2022 11:42 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45DC03A11C3 for <cfrg@ietfa.amsl.com>; Thu, 31 Mar 2022 04:42:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FsfKeRThXIpp for <cfrg@ietfa.amsl.com>; Thu, 31 Mar 2022 04:42:34 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57B763A0BC5 for <cfrg@irtf.org>; Thu, 31 Mar 2022 04:42:33 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 61926226D8 for <cfrg@irtf.org>; Thu, 31 Mar 2022 14:42:31 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id Hd2HEHhTCnHC for <cfrg@irtf.org>; Thu, 31 Mar 2022 14:42:31 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 2DE2E72 for <cfrg@irtf.org>; Thu, 31 Mar 2022 14:42:30 +0300 (EEST)
Date: Thu, 31 Mar 2022 14:42:30 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <YkWTppED2k7HLqKl@LK-Perkele-VII2.locald>
References: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <20220330102724.C64F260BA2@jupiter.mumble.net> <HE1PR0701MB30507A04EBAF0D19FC481DD9891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <F4AABC95-650A-4C9D-A1E9-06F2E7E5D5DA@heapingbits.net> <HE1PR0701MB305062B2908E620E135BC472891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <57c7950c-e7e8-42bb-9bd9-883b86a555b8@beta.fastmail.com> <YkWFXOD+ITYGwTV4@LK-Perkele-VII2.locald> <HE1PR0701MB3050556EB337BF572A146E5789E19@HE1PR0701MB3050.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <HE1PR0701MB3050556EB337BF572A146E5789E19@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/U2sRXqNoQtUQuS-HWXf6PAOBwes>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2022 11:42:36 -0000

On Thu, Mar 31, 2022 at 11:23:19AM +0000, John Mattsson wrote:
> Martin and Ilari wrote:
> 
> >> HPKE has a PSK input too.  Are you forgetting that option?  Given
> >> the setting, that is the more relevant mode to consider.
> >
> >Wouldn't that still result in key/nonce collision, which breaks any
> >current cipher HPKE can use, in case random bits get reused with the
> >same PSK and recipient key?
> 
> I don’t know why a PSK would be relevant? My use case would be to
> use a public key to encrypt another key, in this case using
> ECIES/HPKE.

Oh, and then there are auth and authpsk modes too...

IIRC, the inputs that affect the symmetric encryption key and nonce
are:

- Randomness
- Recipient public key
- PSK (if present)
- Authentication key (if present)

If all these collide, then symmetric keys collide, and that makes all
the ciphers currently in HPKE break.

Fixing this would require adding a new MRAE cipher.

> >However, I expect that virtually invariably if random bits get reused,
> >those random bits are very weak anyway. Which would let attacker decrypt
> >the message anyway (unless PSK is also used).
> 
> That is a good point. The current HPKE will always be reliant on
> random bits. Using HPKE in way that is not dependant on random
> bits would require to make skX an input to the algorithm. I.e.
> doing Static-Static Diffie-Hellman (NIKE) instead of Ephemeral-Static,
> but where the recipient would not need to have pkX beforehand.

I think one would need MRAE cipher too, as otherwise the symmetric
encryption keys and nonces could get reused, which breaks current
ciphers.



-Ilari

v2.23.0 | Report a Bug | By Email