Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-06.txt

Christopher Wood <caw@heapingbits.net> Wed, 28 October 2020 23:22 UTC

Date: Wed, 28 Oct 2020 16:21:54 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: cfrg@irtf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dVRs0ySyZuSFER-PD50I78svZQM>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-06.txt

On Mon, Oct 26, 2020, at 10:04 AM, Christopher Patton wrote:
> Hi all,
> 
> I agree that we shouldn't discourage adoption of alternatives to HKDF. 
> However, I don't think the spec does so: it merely requires adherence 
> to the Extract-then-Expand API. There should be ways to securely "wrap" 
> alternatives into Extract-then-Expand API providers, perhaps at the 
> cost of CPU cycles. (E.g., how Noise uses Blake2b as pointed out above.)

+1.

The two-step Extract-then-Expand split does not rule out other KDFs and allows best use of HKDF out of the box. Consequently, I don't think the HPKE specification should change at this point.

Best,
Chris

> 
> Best,
> Chris P.
> 
> On Mon, Oct 26, 2020 at 9:49 AM Dang, Quynh H. (Fed) 
> <quynh.dang=40nist.gov@dmarc.ietf.org> wrote:
> > Hi all,
> > 
> > I agree with JPA here.
> > 
> > A sponge-construction hash function can be a good KDF such as a KMAC or SHAKE128 (or 256) (m, d) for any fixed application-specific value d where m is input and d is the length of the output. 
> > 
> > Regards,
> > Quynh. 
> > *From:* Cfrg <cfrg-bounces@irtf.org> on behalf of Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
> > *Sent:* Monday, October 26, 2020 10:08 AM
> > *To:* cfrg@ietf.org <cfrg@ietf.org>
> > *Subject:* [Cfrg] I-D Action: draft-irtf-cfrg-hpke-06.txt 
> >  
> > 
> > Hi! 
> > 
> > quick comments on the new draft, as solicited by the chairs (thanks for reminding me of this!):
> > 
> > as commented in my review, and as discussed more recently with Ben Lipp, I just find that directly defining the KDF in terms of extract/expand internal operations will prevent the adoption of other KDFs than HKDF. The construction could be defined in terms of a generic KDF block and retain its security properties (KeySchedule() might have to be adapted).
> > 
> > Otherwise no objection :)
> > 
> > Cheers,
> > 
> > JP
> > 
> > --
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> > 
> >         Title           : Hybrid Public Key Encryption
> >         Authors         : Richard L. Barnes
> >                           Karthik Bhargavan
> >                           Benjamin Lipp
> >                           Christopher A. Wood
> > Filename        : draft-irtf-cfrg-hpke-06.txt
> > Pages           : 87
> > Date            : 2020-10-23
> > 
> > Abstract:
> >    This document describes a scheme for hybrid public-key encryption
> >    (HPKE).  This scheme provides authenticated public key encryption of
> >    arbitrary-sized plaintexts for a recipient public key.  HPKE works
> >    for any combination of an asymmetric key encapsulation mechanism
> >    (KEM), key derivation function (KDF), and authenticated encryption
> >    with additional data (AEAD) encryption function.  We provide
> >    instantiations of the scheme using widely-used and efficient
> >    primitives, such as Elliptic Curve Diffie-Hellman key agreement,
> >    HKDF, and SHA2.
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/
> > 
> > There is also an HTML version available at:
> > https://www.ietf.org/archive/id/draft-irtf-cfrg-hpke-06.html
> > 
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-hpke-06
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > 
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
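The Extract-then-Expand API the thread is discussing, as an added example (not code from the draft or from any poster): HKDF-SHA256 and a SHAKE256-based wrapper are both exposed behind the same extract/expand interface, with HPKE-style labeled calls layered on top, which is the "wrapping" Patton describes and the abstraction JPA is asking about. The SHAKE framing, the suite id, the label prefix and the simplified key schedule are assumptions for illustration, not standardized constructions.

```python
import hashlib
import hmac

# Constructed sample values: a KEM/KDF/AEAD suite id and an assumed label prefix.
SUITE_ID = b"HPKE" + bytes.fromhex("0020") + bytes.fromhex("0001") + bytes.fromhex("0001")
LABEL_PREFIX = b"HPKE-v1"  # assumed; the draft fixes the exact prefix string


class HkdfSha256:
    """HKDF (RFC 5869) as an Extract-then-Expand provider, Nh = 32."""
    Nh = 32

    def extract(self, salt: bytes, ikm: bytes) -> bytes:
        # An empty salt is zero-padded by HMAC, matching RFC 5869's default.
        return hmac.new(salt, ikm, hashlib.sha256).digest()

    def expand(self, prk: bytes, info: bytes, length: int) -> bytes:
        okm, block, counter = b"", b"", 1
        while len(okm) < length:
            block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
            okm += block
            counter += 1
        return okm[:length]


class Shake256Kdf:
    """A sponge XOF wrapped into the same API. The framing is illustrative only,
    not a standardized KDF; it shows the API does not presuppose HMAC."""
    Nh = 32

    def extract(self, salt: bytes, ikm: bytes) -> bytes:
        # Length-prefix the salt so (salt, ikm) boundaries are unambiguous.
        framed = b"extract" + len(salt).to_bytes(2, "big") + salt + ikm
        return hashlib.shake_256(framed).digest(self.Nh)

    def expand(self, prk: bytes, info: bytes, length: int) -> bytes:
        return hashlib.shake_256(b"expand" + prk + info).digest(length)


def labeled_extract(kdf, salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return kdf.extract(salt, LABEL_PREFIX + SUITE_ID + label + ikm)


def labeled_expand(kdf, prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + LABEL_PREFIX + SUITE_ID + label + info
    return kdf.expand(prk, labeled_info, length)


def derive_key(kdf, shared_secret: bytes, info: bytes, nk: int) -> bytes:
    """Simplified KeySchedule shape: labeled extract, then labeled expand to Nk bytes.
    The real schedule also folds in the mode, psk and info hashes."""
    prk = labeled_extract(kdf, b"", b"secret", shared_secret)
    return labeled_expand(kdf, prk, b"key", info, nk)
```

Any KDF that can be fitted behind `extract`/`expand` slots into `derive_key` unchanged, which is the point made in the thread; the cost is whatever framing the wrapper needs.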