IETF Logo Mail Archive

Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt

Christopher Wood <christopherwood07@gmail.com> Mon, 28 January 2019 22:40 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4B91130EE9 for <cfrg@ietfa.amsl.com>; Mon, 28 Jan 2019 14:40:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNfdtxo1hD0B for <cfrg@ietfa.amsl.com>; Mon, 28 Jan 2019 14:40:31 -0800 (PST)
Received: from mail-yw1-xc31.google.com (mail-yw1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 753BD130EE4 for <cfrg@irtf.org>; Mon, 28 Jan 2019 14:40:31 -0800 (PST)
Received: by mail-yw1-xc31.google.com with SMTP id x2so7422275ywc.9 for <cfrg@irtf.org>; Mon, 28 Jan 2019 14:40:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2ouSZPwtAakYrYBo8BFsaZxcLqqsXA/Uzm7p9bo+5N8=; b=DdqjRgAbBo+Hqe9v2L0kQWg3/aWpurX+b+vDAfSY0iBpMSje5/2mv8s8E6OMZnOqUB XTZ2f8ZMiyVUGpUfkGJ/jUnYR/NZJePOvBH3ouCIur3Ys4JVXCRrq2uc3qBIrit/4/Vp /MEBTdvimtuHtJg23T8vXwG4Oys2aEe+DsVGlAHYWWrIVj7Bj6VsCKT7aAIr7PGy+uMG pEO2WfiDGzEPi/+GOcs6c5aA1/oN6ixEfENGrfoHICcfwRnw90Jx4kqrBF9/O7WuqDdS kOrVMQGSwb1cCnVU2GZlhccqSNpaDOLXHi/xG+bb7muVUfMmZ6Ydjbz7rSvWrdMgij2O SEug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2ouSZPwtAakYrYBo8BFsaZxcLqqsXA/Uzm7p9bo+5N8=; b=k+eBQ2obg6M8OuvGkCCmhmlymdP+WWeLpr7QskOdjcefS4b20ueO6DMSerMY4ZdHel rJ0qZSxxXHeuMccAt+PEJFSD32djfb+ZPJCeUov2vwqrGm0+8Hcc3EDWY+P1pp526c0W 2VaasTfPNZ0Fnm8Svs1qhJPbVBcs+Beuq6wed2LFkRGGyX6H3qcMZegH/Hp8e9L3tCqk JsiNVJcxFXOGjvdIrJNhXDbR3actmgT0DvQrHSyDgDymv2GFXMFEVXkESWPiVgLzVJwx V/U9vyjLv9XfzWyFZxx17CEZyLrk1Ze/OgCev5CxHOrIDpK8i4Qp2WkgzPSP1QXBJHLO NQUw==
X-Gm-Message-State: AJcUukdNSQ6U4Jr1pQba/lpWt4z88tJA89oXI5SHzVzo0oX/c4yY1tdK VuKIRm5x1O87r21CIk5ir1S1LdG/UZgLxxzbgZs=
X-Google-Smtp-Source: ALg8bN4+lpbLuh37woTxvv2tOuzDCxo1f9z9vJ+FVa2OAxbJSlgWXf0kIcBkZkytih1vZGe+0XMSqAUBAbvJy5ur44A=
X-Received: by 2002:a0d:c0c1:: with SMTP id b184mr23073012ywd.263.1548715230492; Mon, 28 Jan 2019 14:40:30 -0800 (PST)
MIME-Version: 1.0
References: <4989B595-D57C-4D40-8B68-AB0AF8804AD3@wire.com> <CAO8oSX=KeW_yc8w4v+0E7GGZ1Hp0JNL8x3C5b-Jq=0YKv8XoDQ@mail.gmail.com> <20190128213642.GA2741@LK-Perkele-VII>
In-Reply-To: <20190128213642.GA2741@LK-Perkele-VII>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Mon, 28 Jan 2019 14:39:59 -0800
Message-ID: <CAO8oSXkqYw09w8VT1RoiAo+73V3LCp0osCBFLVheDtt=sA0rYw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Zz-7YxpKp61AuBbudklVb2ryvKg>
Subject: Re: [Cfrg] Fwd: New Version Notification for draft-barnes-cfrg-hpke-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jan 2019 22:40:33 -0000

On Mon, Jan 28, 2019 at 1:37 PM Ilari Liusvaara
<ilariliusvaara@welho.com> wrote:
>
>
> On Mon, Jan 28, 2019 at 09:51:51AM -0800, Christopher Wood wrote:
> > On Mon, Jan 28, 2019 at 7:17 AM Raphael Robert
> > <raphael=40wire.com@dmarc.ietf.org> wrote:
> > >
> > > Hey Richard,
> > >
> > > The proposal seems rather generic to me and I like the channel
> > > binding to the responder's public key.
> >
> > +1
> >
> > Thanks for posting this draft, Richard! It should suit the ESNI use
> > case quite well. In particular, servers could advertise HPKE
> > ciphersuites and key shares, instead of the TLS ciphersuites and
> > keyshares currently used, and invoke Encrypt() with "esni" or a
> > similar info string for key derivation.
>
> How is the binding to main key exchange done (I just remember there
> were some nontrivial issues there)?
>
> That is, the ESNI ciphertexts must be bound to the client hello those
> are in, as otherwise cutting and pasting breaks security.

The CH would be passed in as additional data, as it is in the current draft.

>
> > With regards to the questions raised in Appendix A, I am in favor of
> > generalizing this to work with any KEM, especially given the rationale
> > Raphael lists below. The streaming variant is tricky, though, as we
> > would ideally not want to turn this into a full protocol. In any case,
> > this is a great -00, and something I think the RG should work on.
>
> Yes, streaming is tricky. In fact, true stream-mode AE (byte
> granularity, reliable in-order) is impossible.
>
> The best approximations are datagram mode AE (datagram granularity,
> not reliable) or sequential packet mode (datagram granularity, reliable
> in-order) AE. To make things worse, there are protocols that need mode
> equivalent to sequential packet mode, and protocols that absolutely
> can not use mode equivalent to sequential packet mode.
>
> > > A few comments:
> > >
> > >  - The points brought up in Appendix A are important. In particular,
> > > I think it would be worthwhile investigating if a general KEM
> > > mechanism wouldn't be the better choice, potentially paving the way
> > > for PQ primitives.
>
> Yes, I think that PQ support is important in any modern protocol (unless
> one takes quantum skeptic view). And there are very few DH-compatible
> PQC primitives, and the ones that exist are umm... exciting and slow.

:-)

> However, I do not think any generic KEM would do, as many of those have
> too high failure rate, and failures leak information about the private
> key (so called reaction attack).
>
> However, there is subclass of KEMs that are IND-CCA secure. Those could
> be used (the cost of IND-CCA is higher runtime and larger messages than
> generic IND-CPA KEMs).

If generalized to work KEMs, could we not restrict the algorithm to
those KEMs we deem appropriate via ciphersuites?

>
>
> Few other comments:
>
> - Decryption references function "Decrypt()", which I do not see
>   defined anywhere. I suppose it should be "SetupR()"?
>
> - I would expect encryption to pack pkE inside ciphertext, as that
>   is per-message and required to decrypt.
>
> - Only one-byte ciphersuite identifier? That seems quite small.

It could probably be expanded to two bytes.

Best,
Chris

>
>
> -Ilari
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email