Re: [CFRG] HPKE and Key Wrapping

John Mattsson <john.mattsson@ericsson.com> Thu, 31 March 2022 11:23 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 31 Mar 2022 11:23:19 +0000
Message-ID: <HE1PR0701MB3050556EB337BF572A146E5789E19@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <20220330102724.C64F260BA2@jupiter.mumble.net> <HE1PR0701MB30507A04EBAF0D19FC481DD9891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <F4AABC95-650A-4C9D-A1E9-06F2E7E5D5DA@heapingbits.net> <HE1PR0701MB305062B2908E620E135BC472891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <57c7950c-e7e8-42bb-9bd9-883b86a555b8@beta.fastmail.com> <YkWFXOD+ITYGwTV4@LK-Perkele-VII2.locald>
In-Reply-To: <YkWFXOD+ITYGwTV4@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/gWPEUTwFjiWD2dfCkbDDyPX7eXc>
Subject: Re: [CFRG] HPKE and Key Wrapping

Martin and Ilari wrote:

>> HPKE has a PSK input too.  Are you forgetting that option?  Given
>> the setting, that is the more relevant mode to consider.
>
>Wouldn't that still result in key/nonce collision, which breaks any
>current cipher HPKE can use, in case random bits get reused with the
>same PSK and recipient key?

I don't know why a PSK would be relevant. My use case would be to use a public key to encrypt another key, in this case using ECIES/HPKE.

>However, I expect that virtually invariably if random bits get reused,
>those random bits are very weak anyway, which would let an attacker decrypt
>the message anyway (unless PSK is also used).

That is a good point. The current HPKE will always be reliant on random bits. Using HPKE in a way that is not dependent on random bits would require making skX an input to the algorithm, i.e. doing Static-Static Diffie-Hellman (NIKE) instead of Ephemeral-Static, but where the recipient would not need to have pkX beforehand.


From: CFRG <cfrg-bounces@irtf.org> on behalf of Ilari Liusvaara <ilariliusvaara@welho.com>
Date: Thursday, 31 March 2022 at 12:42
To: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping
On Thu, Mar 31, 2022 at 09:23:14AM +1100, Martin Thomson wrote:
> On Thu, Mar 31, 2022, at 04:53, John Mattsson wrote:
> > - The input to single-shot HPKE used for key wrap would be
> >
> > ct = HPKE-single-shot-encrypt(pkR, random bits, aad, pt)
> > pt = HPKE-single-shot-decrypt(skR, aad, ct)
> >
> > where “random bits” are used in GenerateKeyPair().
>
> I agree that this would not be secure if the attacker was even able
> to cause the same randomness to be used twice.
>
> HPKE has a PSK input too.  Are you forgetting that option?  Given
> the setting, that is the more relevant mode to consider.

Wouldn't that still result in key/nonce collision, which breaks any
current cipher HPKE can use, in case random bits get reused with the
same PSK and recipient key?

However, I expect that virtually invariably if random bits get reused,
those random bits are very weak anyway, which would let an attacker decrypt
the message anyway (unless PSK is also used).



-Ilari

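The point both Martin and Ilari make above (reusing the "random bits" fed to GenerateKeyPair() with the same recipient key gives the same KEM shared secret, hence the same AEAD key and nonce, and a PSK does not change that) can be made concrete. The following is an added illustration, not code from the thread or from any HPKE implementation: it models the single-shot flow `enc || AEAD(pt)` with a constructed toy Diffie-Hellman group (a Mersenne prime and generator 3, standing in for a real KEM such as DHKEM(X25519)), HKDF-SHA256 as the KDF, and a toy stream-cipher-plus-MAC AEAD. The function and class names, the 16-byte encoding of group elements and the `EncReuseMonitor` receiver-side check are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed toy group, NOT a real HPKE KEM: a Mersenne prime with generator 3,
# chosen only so that key agreement runs with the standard library. The flow
# (Encap -> KeySchedule -> AEAD) mirrors HPKE, which is what the reuse argument is about.
P = (1 << 127) - 1
G = 3

def generate_key_pair(random_bits: bytes):
    """GenerateKeyPair() driven by caller-supplied randomness: the 'random bits'
    input from the thread. Deterministic in that input by construction."""
    sk = int.from_bytes(random_bits, "big") % (P - 2) + 1
    return sk, pow(G, sk, P)

def hkdf(ikm: bytes, info: bytes, n: int) -> bytes:
    """HKDF-SHA256 (extract with empty salt, then expand), as HPKE uses."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < n:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:n]

def key_schedule(shared_secret: bytes, enc: bytes, pk_r: int, psk: bytes):
    """Derive (key, base_nonce) from the KEM output plus the optional PSK.
    As in HPKE, identical inputs give an identical key and nonce."""
    ctx = enc + pk_r.to_bytes(16, "big") + hashlib.sha256(psk).digest()
    km = hkdf(shared_secret, b"toy-hpke key schedule" + ctx, 32 + 12)
    return km[:32], km[32:]

def aead_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    """Toy AEAD: HKDF-derived keystream XOR plaintext, HMAC tag over nonce||aad||ct.
    Like AES-GCM and ChaCha20-Poly1305 it is stream cipher + MAC, so a repeated
    (key, nonce) pair exposes the XOR of the two plaintexts."""
    ks = hkdf(key, b"keystream" + nonce, len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
    return ct + tag

def aead_open(key: bytes, nonce: bytes, aad: bytes, ct_and_tag: bytes) -> bytes:
    ct, tag = ct_and_tag[:-16], ct_and_tag[-16:]
    expect = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    ks = hkdf(key, b"keystream" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def single_shot_encrypt(pk_r: int, random_bits: bytes, aad: bytes, pt: bytes, psk: bytes = b"") -> bytes:
    """ct = HPKE-single-shot-encrypt(pkR, random bits, aad, pt), as written in the thread."""
    sk_e, pk_e = generate_key_pair(random_bits)
    enc = pk_e.to_bytes(16, "big")                      # encapsulated (ephemeral public) key
    shared = pow(pk_r, sk_e, P).to_bytes(16, "big")     # KEM shared secret
    key, nonce = key_schedule(shared, enc, pk_r, psk)
    return enc + aead_seal(key, nonce, aad, pt)

def single_shot_decrypt(sk_r: int, aad: bytes, ct: bytes, psk: bytes = b"") -> bytes:
    """pt = HPKE-single-shot-decrypt(skR, aad, ct)."""
    enc, body = ct[:16], ct[16:]
    pk_r = pow(G, sk_r, P)
    shared = pow(int.from_bytes(enc, "big"), sk_r, P).to_bytes(16, "big")
    key, nonce = key_schedule(shared, enc, pk_r, psk)
    return aead_open(key, nonce, aad, body)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class EncReuseMonitor:
    """Receiver-side check (assumed, not part of HPKE): `enc` is public and with
    fresh randomness never repeats for a recipient key, so a repeated `enc`
    is direct evidence that the sender's random bits were reused."""
    def __init__(self):
        self.seen = set()

    def observe(self, ct: bytes) -> bool:
        enc = ct[:16]
        repeated = enc in self.seen
        self.seen.add(enc)
        return repeated

def randomness_reuse_outcome(psk: bytes = b"") -> dict:
    """Wrap two different keys under one recipient key with the SAME random bits
    (constructed sender fault) and report what a defender can observe."""
    sk_r, pk_r = generate_key_pair(os.urandom(16))
    fixed_random_bits = b"\x42" * 16            # constructed: the reused randomness
    k1, k2 = b"wrapped key number one!!", b"wrapped key number two!!"
    c1 = single_shot_encrypt(pk_r, fixed_random_bits, b"aad", k1, psk)
    c2 = single_shot_encrypt(pk_r, fixed_random_bits, b"aad", k2, psk)
    monitor = EncReuseMonitor()
    first_flagged, second_flagged = monitor.observe(c1), monitor.observe(c2)
    return {
        "enc_repeats": c1[:16] == c2[:16],
        "keystream_shared": xor_bytes(c1[16:-16], c2[16:-16]) == xor_bytes(k1, k2),
        "monitor_flags_second": (not first_flagged) and second_flagged,
        "both_still_decrypt": single_shot_decrypt(sk_r, b"aad", c1, psk) == k1
                              and single_shot_decrypt(sk_r, b"aad", c2, psk) == k2,
    }
```

Running `randomness_reuse_outcome()` and `randomness_reuse_outcome(b"some psk")` gives the same four `True` values: the encapsulated key repeats, the two ciphertexts share a keystream (Ilari's "key/nonce collision"), the PSK mode does not prevent it because the PSK enters the key schedule identically both times, and the receiver cannot tell from decryption alone that anything went wrong, which is why the repeated-`enc` check is the practical signal. With `os.urandom(16)` per call instead of `fixed_random_bits`, `enc_repeats` and `monitor_flags_second` become `False`.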