Re: [CFRG] Questions for the group from the HPKE presentation

Martin Thomson <mt@lowentropy.net> Tue, 10 August 2021 01:04 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E39BA3A2048 for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 18:04:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=lx1ErtgB; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=UikesJy2
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0KkiaCdZowl for <cfrg@ietfa.amsl.com>; Mon, 9 Aug 2021 18:03:56 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3B103A2047 for <cfrg@irtf.org>; Mon, 9 Aug 2021 18:03:56 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id B39E95C013E for <cfrg@irtf.org>; Mon, 9 Aug 2021 21:03:55 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute5.internal (MEProxy); Mon, 09 Aug 2021 21:03:55 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=oXs1UJ6lwThzyxmYNnScafOs2jupX2a U+27/jjUc1yE=; b=lx1ErtgBv3SKH+QpeP/zHKRYFG8tEMNDIAe6mzSdTHVG52u 1el0fce/2HEPdIIy061vSgX0Ss9MzkRlg/lfmaS9L9G3EubzUglIsEnjD5Obu82b MxRP4sTLRi9PZUva/0oM0jd7WpDODA9QLY/MBVUm9nGmZYK5vvWD88oxj27cDZAl UZFWbw22az6O/WxCaqSqLLxsWaOFYDsnovJzPOIiJX4lIKciMbxYlcQStGEgCJKU dkU9TS1NaAoNHo9i62GeVwYDV447pf1hWx34fLGOiH+opvVLjgRTiXzWWt4iPI72 bA/WEGiR3wfYtbMBNXJH1Pcuh3TwUjD30ZsXEUg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=oXs1UJ 6lwThzyxmYNnScafOs2jupX2aU+27/jjUc1yE=; b=UikesJy2QzCxQ6YDMVvejl AnbokqX9gjddkr3gXtn4zUCNkl9PIzCQg/xpK05M8nB8eTN7xkLRzRBoOUhLMTGB Y2FSHoYXbsyGp/P1R9gdGpRd4F/KgXR/Y4/baPnUqNdKVrb3mRIMpap1n1CcTURu 0hDPGWQPgoOYHuEotcjff7xjtuGQVBa/fyej/flhHUiNmRRtq3zy51vFlGGxj9vJ UBuXHjnboo+/h4nxJQLaXKASyd/FFpZNpxCv/nsFKKYZlre+gHjbUhlA7C75UA0K 82/hRodMFnPHEuSVmlVYWEvWQ9Uz0Iurtv1tlcwRTJwxm+LjJ7aWg2HIlNpTIlVQ ==
X-ME-Sender: <xms:e9ARYTzU3iKYnA59eZqRSjc11qt9236wZIUHXciYxkyGmM3dT-WZSw> <xme:e9ARYbRh1ALAl7whtQrzJyQeBquWtuLXreoSJz0nhdmz05U7aMntGYDUqVAXrUqPM -BEUaGgOUMKZTxnjN0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrjeekgdegudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnhepkeetueeikedtkeelfeekve fhkeffvedvvefgkefgleeugfdvjeejgeffieegtdejnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:e9ARYdWphSXJpCy2dKXOMbO1-6es20NcbqmlGUjEKa69j9F7nW10Qw> <xmx:e9ARYdgZvpsjwvx1xdKSVr5X12hAm_kEvqVWUbnpJGe2hITx8U4ddw> <xmx:e9ARYVDVjHpBoJW4Ne_NyJfP5gsTd6HswNzDcrmRaLlhdBADQgPr_g> <xmx:e9ARYYMKh2H0iR9fsHYBEjppL9ThaPTRuZvnOKnMKhLj0S_PwnngwQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3C70B3C0449; Mon, 9 Aug 2021 21:03:55 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-552-g2afffd2709-fm-20210805.001-g2afffd27
Mime-Version: 1.0
Message-Id: <2774e9db-a21f-4d1e-a059-450bb54b7f29@www.fastmail.com>
In-Reply-To: <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
References: <CAFDDyk8yZegN6aWSZg=K7Wy+V2upq=GBuvGyQYowrRuehPDqYQ@mail.gmail.com> <CAL02cgTc34pSUOYqFiCKkfcobtj8y5=LashfsDNdabQ6g6P=gQ@mail.gmail.com> <2c0986bc-07c0-ed32-97b6-722fca39253e@lounge.org> <CAL02cgSoi=fHi296DYb17DsDNMphNSOKxeWqzTuH5XyQeJSXhw@mail.gmail.com>
Date: Tue, 10 Aug 2021 11:03:36 +1000
From: "Martin Thomson" <mt@lowentropy.net>
To: cfrg@irtf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/k1Qs264vngcfIgYAGK2StslR6XE>
Subject: Re: [CFRG] Questions for the group from the HPKE presentation
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2021 01:04:03 -0000

On Mon, Aug 9, 2021, at 17:56, Richard Barnes wrote:
> W.r.t. (1), the obvious solution to me would be a reordering window 
> outside of the HPKE implementation.  

That doesn't work if there are gaps that never get filled.

I don't see a problem with defining something new (Windowed-HPKE, say) that allows for a) an explicit counter, b) more flexible anti-replay and c) tolerance of gaps.  This is what we do in DTLS relative to TLS, which has nearly identical properties at the record layer as this.

The authors/editors of HPKE are justifiably defending the ability of HPKE to progress.  Please, let it proceed to publication.  Let this work proceed independently.  (The technique isn't exactly novel, so it's not like this would be CFRG work either.  Take it to SECDISPATCH.)

Interestingly, none of that approach would depend on use of nonce-misuse resistant modes.