Re: [CFRG] Questions for the group from the HPKE presentation
Dan Harkins <dharkins@lounge.org> Mon, 09 August 2021 08:36 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EE203A095D for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 01:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fr0v8eSi-hZy for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 01:36:08 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C85053A095C for <cfrg@irtf.org>; Mon, 9 Aug 2021 01:36:08 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QXK2BQ27D87Z6@wwwlocal.goatley.com> for cfrg@irtf.org; Mon, 09 Aug 2021 03:36:07 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QXK00CJZD4ETU@trixy.bergandi.net> for cfrg@irtf.org; Mon, 09 Aug 2021 01:33:51 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Mon, 09 Aug 2021 01:33:51 -0700
Date: Mon, 09 Aug 2021 01:36:05 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>, CFRG <cfrg@irtf.org>
Message-id: <82084a7a-eed6-a79e-9615-3da9d6645753@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_8NE/TWE8XSJLbqYPIpD1wA)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <CAFDDyk8yZegN6aWSZg=K7Wy+V2upq=GBuvGyQYowrRuehPDqYQ@mail.gmail.com> <CAL02cgTc34pSUOYqFiCKkfcobtj8y5=LashfsDNdabQ6g6P=gQ@mail.gmail.com> <2c0986bc-07c0-ed32-97b6-722fca39253e@lounge.org> <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [210807] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/bYnsO7wQm3Si2fdmjbFTnJuG7Tg>
Subject: Re: [CFRG] Questions for the group from the HPKE presentation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 08:36:14 -0000
But that won't work because even if an implementation is able to use a reordering window, the existing HPKE "construction" uses a nonce inside of the HPKE context that is unknowable to the user who is managing the reordering window. A reordering window is only useful when misorder is not tragic, and that is not the case with the current HPKE specification. Any change to use a reordering window would require a change to the API/construction such that it doesn't use an opaque sequence number/nonce. And that is exactly what I'm proposing. Dan. On 8/9/21 12:56 AM, Richard Barnes wrote: > W.r.t. (1), the obvious solution to me would be a reordering window > outside of the HPKE implementation. Even if the HPKE implementation > required in-order delivery, the application payloads containing HPKE > ciphertexts could have a sequence number indicating the order in which > they were produced, and the receiving application could use this to > ensure that they were fed to the HPKE implementation in order. > > --RLB > > > On Fri, Aug 6, 2021 at 1:56 PM Dan Harkins <dharkins@lounge.org > <mailto:dharkins@lounge.org>> wrote: > > > On 8/6/21 3:49 PM, Richard Barnes wrote: >> 1. I don't think this question is well-formed. HPKE isn't an API, >> it is a construction. In fact, the "API considerations" section >> of the HPKE spec is there precisely because there might be >> different APIs to an HPKE implementation. > > It may not be perfectly formed but its obvious what is being > asked. My answer > to it is that once you find out that your contexts are out of sync > it's too late. > I think it's more important to just be able to deal with > out-of-order and lost > packets. > > Yes, it's "a construction"...that hides a datum from the user > and makes the > construction fragile for some use cases. So I'd like to remove > that fragility for > those use cases. The easiest and least intrusive, to the > construction, way is > to just have Nn=0 for these new AEAD algorithms and not worry > about the nonce. > > One thing I failed to mention during my presentation is that > even if the > user adds a counter/nonce as AAD or a plaintext tweak (to hide > whether the same > thing is encrypted twice) and screws it up, the DAE security > guarantees > remain. SIV is the original misuse-resistant mode. > > Instead "resetting the nonce counter" we could do > somethinganalogous to what > IPsec does with a floating window that prevents replay but allows > out-of-order > delivery modulo some limit (really late packets will just get > dropped). But that > might require some changes to the API...err, the construction, so > we'd be back > to a reformed question #1. > >> Given all that, I would be in favor of no action here. There are >> several existing ways for an HPKE-based protocol to deal with >> out-of-order delivery. > > You mean like using deterministic authenticated encryption? If > not that, then what > exactly are you referring to? > >> 2. Personally, I don't have a use case for either of these. > > Well, will you admit that while these might not be your use > cases that they are > legitimate nonetheless? > > Serialization should have never used SEC uncompressed format. > There's no valid > reason to do that. I regret that I didn't bring this issue up > until it was > officially "too late". But that can be rectified pretty easily and > no one will force > you to use compact representation if you really don't want to. > > Dan. > >> On Fri, Aug 6, 2021 at 12:31 PM Nick Sullivan >> <nick=40cloudflare.com@dmarc.ietf.org >> <mailto:40cloudflare.com@dmarc.ietf.org>> wrote: >> >> Dear CFRG participants, >> >> At IETF 111, Dan Harkins made a presentation >> <https://datatracker.ietf.org/meeting/111/materials/slides-111-cfrg-new-kems-and-aeads-for-hpke-00> >> with two proposals: >> - a proposal to define new codepoints for HPKE representing >> new KEMs for compressed NIST points >> - a proposal to define new codepoints to support >> deterministic authenticated encryption schemes that don't use >> a nonce. This is in service of the use case of out-of-order >> delivery of ciphertexts. /In the discussion, it was noted >> thatHPKE uses a nonce to ensure that it never leaks whether >> the same plaintext was encrypted twice and that this proposal >> does not provide this security property./ >> >> Also during the discussion, an alternative proposal was made >> to solve the out-of-order use case: modify the API for HPKE >> to enable the user to reset the nonce counter. This API would >> enable out-of-order delivery of ciphertexts with existing >> HPKE AEADs. >> >> The chairs would like to ask the group a few questions: >> 1) Does the research group support adding an API to HPKE for >> resetting the nonce counter? >> 2) Is there interest in pursuing a work item to explore >> defining either of the following: >> - new codepoints for compressed curve points in HPKE? >> - new codepoints for deterministic authenticated >> encryption in HPKE (given the answer to (1) was no)? >> >> >> >> Regards, >> Nick (for the chairs) >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org <mailto:CFRG@irtf.org> >> https://www.irtf.org/mailman/listinfo/cfrg >> <https://www.irtf.org/mailman/listinfo/cfrg> >> > > -- > "The object of life is not to be on the side of the majority, but to > escape finding oneself in the ranks of the insane." -- Marcus Aurelius > -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] Questions for the group from the HPKE pres… Nick Sullivan
- Re: [CFRG] Questions for the group from the HPKE … Richard Barnes
- Re: [CFRG] Questions for the group from the HPKE … Christopher Patton
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Richard Barnes
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Christopher Wood
- Re: [CFRG] Questions for the group from the HPKE … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Questions for the group from the HPKE … Natanael
- Re: [CFRG] Questions for the group from the HPKE … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Martin Thomson
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins
- Re: [CFRG] Questions for the group from the HPKE … Martin Thomson
- [CFRG] Utility of nonce misuse resistance [was: Q… Loup Vaillant-David
- Re: [CFRG] Questions for the group from the HPKE … Dan Harkins