From nobody Mon Aug 31 10:26:46 2020 Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A6603A1772 for ; Mon, 31 Aug 2020 10:26:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4DXvGrdG43Uw for ; Mon, 31 Aug 2020 10:26:42 -0700 (PDT) Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 900B93A0C20 for ; Mon, 31 Aug 2020 10:26:23 -0700 (PDT) Received: by mail-qt1-x836.google.com with SMTP id n18so5343621qtw.0 for ; Mon, 31 Aug 2020 10:26:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lBnXqjZOy9decV4nYNWt874xZTBRW1U+i1qNOi6qmO0=; b=q9IgxWETvj0+ePNcB/3FOZQVZPQNxHJXG8bMGu7pZa6K06gyuJeM6s43l9fnUGpTE1 BLdAAEscu//8O5zfzg72ILAbN/FiXl5m42I6yUgk6oFyYFc1X8xqQLiwu5TPMt5E+bMt DQSZac73/5KWpfppetBK0a09dd4TM2RdgN5Zk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lBnXqjZOy9decV4nYNWt874xZTBRW1U+i1qNOi6qmO0=; b=nsx1gJvxGj9Kt39Tv9mHJ6KonvQKpjtKDeBqDeUV+jKQItSwPwVjhG+NaLTS9yLkaJ dnrNR4W3IsWElu4CzbANEgn/urwPI+mjl8AWxyjhV+cSb0DftfIl2CGo5AhINZz27o7B /RrsVpDvMrbccl03EF8aq2xXOE4VcKO0itoNoZ2Mn8IHgJlzhYWmq7VcXPFspwZ8xSpM k92vzuwQHSHnjt9Eg1QK11Cn0Uqgu2mXt/cRDRHTGFuuF7ZF0sds59wckFFEeOIBoNka 5SQnkZGPAGJAhoCgi+vypOYg6d/0s44+eCI4PcM74vlWI7K2jglMBjjp1+S9KUwrccfV HjcA== X-Gm-Message-State: AOAM5309ZLMUQCFTQ+UCLdKz9xvvnvQ2fFYlf6TxbQ0qvPzV58OqMC57 RNTeqEY/FUWroqzGL0pePnGHRuvySxmXASA3TO+Hag== X-Google-Smtp-Source: ABdhPJxUBMX7BpqG7k7U0VWxWLKcTGthaBLFjZ4L7TFoRyT3YmUtBOjb7z18ZuLU4lxLGkmIrGCqWVBcODMsSGJueN8= X-Received: by 2002:ac8:4889:: with SMTP id i9mr2355895qtq.353.1598894782599; Mon, 31 Aug 2020 10:26:22 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Christopher Patton Date: Mon, 31 Aug 2020 10:26:11 -0700 Message-ID: To: Joseph Salowey Cc: "Stanislav V. Smyshlyaev" , CFRG , cfrg-chairs@ietf.org Content-Type: multipart/alternative; boundary="0000000000008cf85805ae2fb362" Archived-At: Subject: Re: [Cfrg] Second RGLC on draft-irtf-cfrg-hpke X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Aug 2020 17:26:44 -0000 --0000000000008cf85805ae2fb362 Content-Type: text/plain; charset="UTF-8" I support publication. Below are some minor editorial things that might be worth addressing if there's time to do so. Best, Chris P. Abstract "for any combination of" -> "for several combinations of" Section 4 "random(Nsk)" is used but "random()" isn't defined yet. "not passed as parameter" -> "not passed as a parameter" Section 5 "the holder of the private key corresponding to `pkR`" -> "the holder of `skR`" In various places, e.g., 'KeySchedule()' in Section 5.1, value "" is used as the salt for KDF extraction. I'm wondering if implementations might misinterpret this. I read "" as 'the empty string', but the correct interpretation might be 'nil', i.e., 'None' in Python or 'NULL' in C. The HKDF spec defines the salt as follows: 'optional salt value (a non-secret random value); if not provided, it is set to a string of HashLen zeros.' I think the intention is to interpret "" as 'nil', i.e., no salt, but the empty string is certainly a valid salt for HKDF, since the extraction function is well-defined on this input. A 0-length salt might not be safe choice in terms of security, however. Section 5.2 I think the HPKE uses the term "nonce" incorrectly, since it's not a "Number that's used ONCE". In fact, it's used every time the "Seal()" or "Open()" operation is run. What's called a "nonce" here is usually called the "initialization vector" elsewhere: in TLS 1.3 for example, the "nonce" is the initialization vector XORed with a sequence number. On Mon, Aug 31, 2020 at 9:14 AM Joseph Salowey wrote: > > > On Sun, Aug 16, 2020 at 1:51 AM Stanislav V. Smyshlyaev > wrote: > >> Dear CFRG participants, >> >> This message starts a second 2-week RGLC on "Hybrid Public Key >> Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See >> https://datatracker.ietf.org/doc/draft-irtf-cfrg-hpke/ for the latest >> version of the draft. >> >> We are having the second RGLC because we didn't have much feedback >> during the first RGLC and because we have obtained two new Crypto Panel >> reviews: >> >> https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppnBQQSlEkE/ >> https://mailarchive.ietf.org/arch/msg/cfrg/7zhOHPFkCyZC00xLZnsEBT3o6ZU/ >> >> Please send your comments, as well as expression of support to publish as >> an RFC (or possible reasons for not doing so) in reply to this message or >> directly to CFRG chairs. >> >> > [Joe] I have reviewed this draft and I believe it is ready for > publication. > > > >> Regards, >> Stanislav, Nick and Alexey >> _______________________________________________ >> Cfrg mailing list >> Cfrg@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > --0000000000008cf85805ae2fb362 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I support publication. Below are some minor editorial thin= gs that might be worth
addressing if there's time to do so. =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0

Best,
Chris P.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0
Abstract =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
"for any co= mbination of" -> "for several combinations of"
=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0
Section 4 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0
"random(Nsk)" is used but "random()" isn't d= efined yet. =C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
"not passed= as parameter" -> "not passed as a parameter"
=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0
Section 5 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0
"the holder of the private key corresponding to `pkR`" -&g= t; "the holder of `skR`"
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0In various places, e.g., 'KeySchedule()' in Section 5.1, value &q= uot;" is used as the
salt for KDF extraction. I'm wondering if = implementations might misinterpret =C2=A0 =C2=A0
this. I read "&quo= t; as 'the empty string', but the correct interpretation might be = =C2=A0
'nil', i.e., 'None' in Python or 'NULL' i= n C. The HKDF spec defines the salt as
follows: 'optional salt valu= e (a non-secret random value); if not provided, it =C2=A0
is set to a st= ring of HashLen zeros.' I think the intention is to interpret "&qu= ot; =C2=A0
as 'nil', i.e., no salt, but the empty string is cert= ainly a valid salt for
HKDF, since the extraction function is well-defin= ed on this input. A 0-length
salt might not be safe choice in terms of s= ecurity, however.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
Section 5.2 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0
=C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0 =C2=A0
I think the HPKE uses the term "nonce&q= uot; incorrectly, since it's not a "Number
that's used ONCE= ". In fact, it's used every time the "Seal()" or "O= pen()"
operation is run. What's called a "nonce" here= is usually called the
"initialization vector" elsewhere: in T= LS 1.3 for example, the "nonce" is the
initialization vector X= ORed with a sequence number. =C2=A0 =C2=A0
On Mon, Aug 31, 2020 at 9:14 AM = Joseph Salowey <joe@salowey.net&g= t; wrote:


On Sun, Aug 16, 2020 at 1:51 AM Stanislav V= . Smyshlyaev <smy= shsv@gmail.com> wrote:
Dear CFRG participants,

This message = starts a=C2=A0second=C2=A02-week=C2=A0RGLC=C2=A0o= n "Hybrid Public Key Encryption" (draft-irtf-cfrg-hpke-05), that will end on August 31st. See https://datatracker.iet= f.org/doc/draft-irtf-cfrg-hpke/=C2=A0for the latest version of the draf= t.

We are having the=C2=A0second=C2=A0RGLC because we d= idn't have much feedback during the first RGLC and because we have obta= ined two new Crypto Panel reviews:=C2=A0
https://mailarchive.ietf.org/arch/msg/crypto-panel/Ol1Mm8JUpmgapgq8ppn= BQQSlEkE/

Please send= your comments, as well as expression of support to publish as an RFC (or p= ossible reasons for not doing so) in reply to this message or directly to C= FRG chairs.=C2=A0

[Joe] I have reviewed this draft and I believe it is ready for = publication.=C2=A0

=C2=A0
Regards,<= /div>
Stanislav, Nick and Alexey
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
--0000000000008cf85805ae2fb362--