Re: [CFRG] Questions for the group from the HPKE presentation

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Mon, 09 August 2021 14:46 UTC

Return-Path: <prvs=7855fd815a=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C588E3A161C for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 07:46:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yqf98eAxebOt for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 07:46:43 -0700 (PDT)
Received: from llmx2.ll.mit.edu (llmx2.ll.mit.edu [129.55.12.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4775A3A161A for <cfrg@irtf.org>; Mon, 9 Aug 2021 07:46:42 -0700 (PDT)
Received: from LLE2K16-HYBRD01.mitll.ad.local (LLE2K16-HYBRD01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTPS id 179Eka1i029848 for <cfrg@irtf.org>; Mon, 9 Aug 2021 10:46:36 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=hvXDoTWTOAz3clClUxjVPtZKLiheQWYQddmldoNBlYhSc/tLVpzsFrFESskXJ15p6tGwYEwR53AQapSuYqQ0thlcf8xlAVFWUaiqSSkezkXRmQYWb/5bG5VAiqbqXHNHJGUWl6ipxRfvvolGW9HWlrgpEfpLtI+3CGrPf37BM4oCqABnG23EmlxUWA6otyhQxcV9KaktVG4xHhn05+wbJrIMgtH/2Lu4l+73tUuKTcMZXdvSZplpoEaE4JOfswBPYvaNLO7GQSsY/mfUiUplGoZnpobgtRORrYSNVOFKlQhfPY7fBB/I5ZYH2MmSJLt4HFRI+xbWS1aB2ibpHix0vQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MjPZZGlWVlnxGUDpu2ZhuXps3hA58ACXjP1MpWl0PfU=; b=HmY0/4s/jk6a3818frpHJ/7UDSKZc8Q/jmvr553CBKdCQ4AEg2Fli+F5sRnKPqwws1aFkvEX8/xBQFSj6p1S0bp/RvU37uOdQFfpp+HKfzfHSzyih6KbOVVPfzwFoq0327jvaGL7dhTdPcLzRIGaDgBxBcQ3c7dz+qFcipZ/tVRjTwT2slctn0kQreUqqnZOuhdHkxs8ChYEsP+GrEls80Ax3X9aM2MAPZgCZgPYYZykdBszaC2QC2ntGwXdko03UFHHP16KgBxzhL/CYs7fxqQkCvXmDBQqOE8bKhLLbHZJ1rafjTbl9Fln97+Gy3IiPhA6szPLeLyqMXU0JD8J1A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Questions for the group from the HPKE presentation
Thread-Index: AQHXixLh2qEdD2N5vEmne0UE/y5Dw6tnFHGAgAASv4CAA6q6gIAAZ+2AgAAKswA=
Date: Mon, 9 Aug 2021 14:46:33 +0000
Message-ID: <747276B5-678B-4983-82FB-B36BF9B5C7CB@ll.mit.edu>
References: <a582bedb-35ce-41ba-ba9b-2dd1c074b248@www.fastmail.com>
In-Reply-To: <a582bedb-35ce-41ba-ba9b-2dd1c074b248@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: irtf.org; dkim=none (message not signed) header.d=none;irtf.org; dmarc=none action=none header.from=ll.mit.edu;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 993c1ae3-bf0f-4d4e-e7e6-08d95b447b38
x-ms-traffictypediagnostic: CY1P110MB0150:
x-microsoft-antispam-prvs: <CY1P110MB01503C6EEB2FC934EA4D76FE90F69@CY1P110MB0150.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Bg4xVA/o6H2uygqr1DZ18y+uj29J6f/or1kl3annl63c4K2B7wjXabvfwJxMEmwoeNeHO3IqDPkJHj6Xc0rwXIULsEnhgrXeQ7A556UqpPSgvNkdQQmjg+9yrxMoVnsxcrUv4RxYtaiPCHl9fU83afVPlednmmmnFdz64GyWP8JF1/AbwqzadnqJsjaiXnujL/wIvbyOBc0dwk1lOUaE2qjoBLWgDBbx4HyLyCkv9USbIkid4AmpARjBNqN2JbS7yrg9Wwfc8uI7bB5rwvuW5OtNs0NIhO+WlkAF103xq4WjGjUdkILOlUb/7dK0X9Wikx70jF3161MbHg5HHMLK8JqecDJxmSw3eQA0MV2sLmyATuvwW2dNOETbs1mMoBeJI+M0hmlkN21daE9hN/folQbWZda6v9wXElngH7ke21yMeIylwfybqz32b/K4TAo+Prbx4rDB4ibtec1RjnVl/K8xg1HbarY7r6kNNmmmv4IesnYMAIv/hHqZPFMVSLrOC4ZpFhHu4yPDXWlceqNtXym97JqUui1++AtNivCJ7m9FHQcRragykT7/dhKXOewMN+sGoDmDa1d0urX9Zen9F0ni19ARSYrE89EHoNqrE37Kf3ZDul6iRdsVIw4vT8IY+04PWps8nOYqX7PEn/kaRLkVkfky4QbH831Z3g0DBxRfjL9LsFPQbpq/bgQN+Ul1wb0kwcTNLPZTHt3ap7r+dWZM+lUMlMDYCAmaWft+sLs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY1P110MB0677.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(366004)(396003)(39850400004)(346002)(66946007)(76116006)(26005)(83380400001)(186003)(66446008)(64756008)(66616009)(66556008)(75432002)(2616005)(66476007)(86362001)(99936003)(33656002)(2906002)(38070700005)(122000001)(6916009)(6506007)(5660300002)(8676002)(6486002)(8936002)(53546011)(6512007)(71200400001)(316002)(478600001)(966005)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jLw9uhFnDIItM7Vv8kD9AADaxK/WJXv9X/3f9+KJ1kvljT/y4N/toUaRMkKobr42AyUmjPsr9zw+B2vLHXhp7r7KkvibJ8B9hOeqxkcZY6y+8J2y1gAduKOv5pcJk/RFj2wn3WR/09/fRjpKYy3bJJun6i/vrAJ4Eva95lzwpjxHvzRZhNpwethr5oIbr10bvGKqTIBCkh2+hjsfcUnv0rKQu740WYAq7mLUfPXgTM/OxM5J6tffUCv0S+jTA4ApPvOZUdLxplOAt3k7kF5ABr7k7bo1R/9zWnowz4oFnGOnjLp3yks9IFXm7hf9kZqWCH24fxTj0GjA6E7maMuwOULXCt5T0M1zX60XbKioF4NVDVonePXS7QXWDrxV5eBGwFG91LSjzBmtA+ttYxNTQ5JjPLv1MGps7vg722Xr5C/AcBV5ctfgL94gTfg74UNpIVbWaKrkesx58KxKdm9kwOA3gAKw+rQEpZy6gNG7nNfZrhsFjm3XyJE2XkzBSsLAIJ6mEQYgZHeWLr5x29Tub4n8aQc5oULDT9U2nJVfiyME/tmTGuaWSauk9YSkBIKuRq+g60lT94H+WV/Gd6i5A91CcWDxMpR+ojX4NFgiKo4=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; boundary="Apple-Mail-1F71E61B-99AE-4EE2-A9C7-686D96D9A0FA"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY1P110MB0677.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 993c1ae3-bf0f-4d4e-e7e6-08d95b447b38
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2021 14:46:33.2416 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1P110MB0150
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-08-09_05:2021-08-06, 2021-08-09 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2103310000 definitions=main-2108090109
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/g8Jk83cOxJTMFejpycBktyP3g7E>
Subject: Re: [CFRG] Questions for the group from the HPKE presentation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 14:46:50 -0000

Semi-related. Am I the only one who became rather antagonistic to AEAD modes that can't survive nonce reuse/misuse?

I'd like to see only nonce misuse-resistant AEAD as we move forward.

Regards,
Uri

> On Aug 9, 2021, at 10:09, Christopher Wood <caw@heapingbits.net> wrote:
> 
> For what it's worth, I agree with Richard here. As I understand the situation, this is solvable by the application or wrapper protocol. TLS 1.3, for example, assumes the same sort of reliable, in-order delivery to keep per-record nonces in sync, and that seems to work just fine: https://datatracker.ietf.org/doc/html/rfc8446#section-5.3.
> 
> To answer the questions from the original post:
> 
> 1) No (as per above), but also because adding this type of API seems really unsafe for AEADs that cannot survive nonce reuse.
> 2) Registering new compressed point format KEMs seems fine -- that's why we have the registry! I don't think we should add DAE ciphersuites given how they impact the security posture of HPKE. This seems to have the effect of making different application decisions regarding the AEAD yield different security outcomes, which I would claim is a regression.
> 
> Best,
> Chris
> 
>> On Mon, Aug 9, 2021, at 12:56 AM, Richard Barnes wrote:
>> W.r.t. (1), the obvious solution to me would be a reordering window 
>> outside of the HPKE implementation.  Even if the HPKE implementation 
>> required in-order delivery, the application payloads containing HPKE 
>> ciphertexts could have a sequence number indicating the order in which 
>> they were produced, and the receiving application could use this to 
>> ensure that they were fed to the HPKE implementation in order.
>> 
>> --RLB
>> 
>> 
>>> On Fri, Aug 6, 2021 at 1:56 PM Dan Harkins <dharkins@lounge.org> wrote:
>>> 
>>> On 8/6/21 3:49 PM, Richard Barnes wrote:
>>>> 1. I don't think this question is well-formed.  HPKE isn't an API, it is a construction.  In fact, the "API considerations" section of the HPKE spec is there precisely because there might be different APIs to an HPKE implementation.  
>>> 
>>>  It may not be perfectly formed but its obvious what is being asked. My answer
>>> to it is that once you find out that your contexts are out of sync it's too late.
>>> I think it's more important to just be able to deal with out-of-order and lost
>>> packets.
>>> 
>>>  Yes, it's "a construction"...that hides a datum from the user and makes the
>>> construction fragile for some use cases. So I'd like to remove that fragility for
>>> those use cases. The easiest and least intrusive, to the construction, way is
>>> to just have Nn=0 for these new AEAD algorithms and not worry about the nonce.
>>> 
>>>  One thing I failed to mention during my presentation is that even if the
>>> user adds a counter/nonce as AAD or a plaintext tweak (to hide whether the same 
>>> thing is encrypted twice) and screws it up, the DAE security guarantees
>>> remain. SIV is the original misuse-resistant mode. 
>>> 
>>>  Instead "resetting the nonce counter" we could do something analogous to what
>>> IPsec does with a floating window that prevents replay but allows out-of-order
>>> delivery modulo some limit (really late packets will just get dropped). But that
>>> might require some changes to the API...err, the construction, so we'd be back
>>> to a reformed question #1.
>>> 
>>>> Given all that, I would be in favor of no action here.  There are several existing ways for an HPKE-based protocol to deal with out-of-order delivery.
>>> 
>>>  You mean like using deterministic authenticated encryption? If not that, then what
>>> exactly are you referring to? 
>>> 
>>>> 2. Personally, I don't have a use case for either of these.
>>> 
>>>  Well, will you admit that while these might not be your use cases that they are
>>> legitimate nonetheless?
>>> 
>>>  Serialization should have never used SEC uncompressed format. There's no valid
>>> reason to do that. I regret that I didn't bring this issue up until it was
>>> officially "too late". But that can be rectified pretty easily and no one will force
>>> you to use compact representation if you really don't want to. 
>>> 
>>>  Dan.
>>> 
>>>> On Fri, Aug 6, 2021 at 12:31 PM Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org> wrote:
>>>>> Dear CFRG participants, 
>>>>> 
>>>>> At IETF 111, Dan Harkins made a presentation <https://datatracker.ietf.org/meeting/111/materials/slides-111-cfrg-new-kems-and-aeads-for-hpke-00> with two proposals:
>>>>> - a proposal to define new codepoints for HPKE representing new KEMs for compressed NIST points
>>>>> - a proposal to define new codepoints to support deterministic authenticated encryption schemes that don't use a nonce. This is in service of the use case of out-of-order delivery of ciphertexts. *In the discussion, it was noted that HPKE uses a nonce to ensure that it never leaks whether the same plaintext was encrypted twice and that this proposal does not provide this security property.*
>>>>> 
>>>>> Also during the discussion, an alternative proposal was made to solve the out-of-order use case: modify the API for HPKE to enable the user to reset the nonce counter. This API would enable out-of-order delivery of ciphertexts with existing HPKE AEADs.
>>>>> 
>>>>> The chairs would like to ask the group a few questions:
>>>>> 1) Does the research group support adding an API to HPKE for resetting the nonce counter?
>>>>> 2) Is there interest in pursuing a work item to explore defining either of the following:
>>>>> - new codepoints for compressed curve points in HPKE?
>>>>> - new codepoints for deterministic authenticated encryption in HPKE (given the answer to (1) was no)?
>>>>> 
>>>>> 
>>>>> 
>>>>> Regards,
>>>>> Nick (for the chairs)
>>>>> _______________________________________________
>>>>> CFRG mailing list
>>>>> CFRG@irtf.org
>>>>> https://www.irtf.org/mailman/listinfo/cfrg
>>> 
>>> -- 
>>> "The object of life is not to be on the side of the majority, but to
>>> escape finding oneself in the ranks of the insane." -- Marcus Aurelius 
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>> 
> 
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg