Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
David Benjamin <davidben@chromium.org> Thu, 17 November 2022 17:15 UTC
Return-Path: <davidben@google.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4382C14CEEB for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:15:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.246
X-Spam-Level:
X-Spam-Status: No, score=-9.246 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7MY-OtRH2Q4 for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:15:24 -0800 (PST)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6903FC14CEE7 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:15:24 -0800 (PST)
Received: by mail-yb1-xb33.google.com with SMTP id c15so2656131ybf.1 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:15:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qmR2lyaniwgK/tlCxEMtI+Qu50fAFOTEPD9Fx5X4f8I=; b=HqZF3YOsZ83u9FIhzlur2HNow/FOSL4Xdzz8WduymZAIwp68bxa4eT7RRWu354g8mh 7V7KJ/2NjtQmWk6Fj1nTzIW9Tpo+ukGFtO8mSAu1i9vp/ETk0LlRCJe1idUE8KIWRDsc f/msrAXyvaKGD8DKZI/pDyjPwbhyLmI2qSWcE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qmR2lyaniwgK/tlCxEMtI+Qu50fAFOTEPD9Fx5X4f8I=; b=A/mBIDIOe9KncRqOpDkfHmF8zMsUk3PD8nuJWTox2bu8LpluG4Ejgt2iLvfYp6OVrb XkqWY/Gxbn35j0Mb/6Tcw+T4iUF65Uqe6/tolMXDGfpa9n/D9gyVIxtpdEYCxwX77JGj zkXW2SrVZGZssb3m97ZuQLKE0xZr+0BxFF59WuBJJvQ/c/mUhHS1KUA+s3E/vPjxiaD1 s4q31lc0dT/LUGDLkuHfBbVZ9ZFuJKgRCWBwt6fXl+HEfu2HxTV0XwM3aG1wLYb5jk2X UmTXmOuSsPbuQLVjiCCuo5qhCsu4o3jThzbZkSkEmGldo7qQarRtb90ZnGPBihA67PFD ZWxQ==
X-Gm-Message-State: ANoB5pnXuDbrHjuuLeSfCMKU/wnupfRszX1zMkeQ8VkN92htAfl579g2 dQgawNyzgS/azWgGdjzfB1wQo1o1ArU6sY7mEOUg
X-Google-Smtp-Source: AA0mqf404ycuVffURJn4E/0WHVoZWKUlu11wwRf+3KnnChdnErk638LSU6Fo0dfMlPtiL6+wsjtJ9d0/glejLyvD/Hw=
X-Received: by 2002:a25:d284:0:b0:6dd:f51d:b6c with SMTP id j126-20020a25d284000000b006ddf51d0b6cmr3022236ybg.279.1668705323347; Thu, 17 Nov 2022 09:15:23 -0800 (PST)
MIME-Version: 1.0
References: <2268807e-e934-2061-608a-afd422934acb@cs.tcd.ie> <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com> <CA+LxFugzLbL7N2bJr6Oo=TrhwWTjMfDYvGPxjCktjpkzb4cg2w@mail.gmail.com>
In-Reply-To: <CA+LxFugzLbL7N2bJr6Oo=TrhwWTjMfDYvGPxjCktjpkzb4cg2w@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 17 Nov 2022 12:15:06 -0500
Message-ID: <CAF8qwaABdxNv2CocJPY2RnxuJ7xQsqSWFBfUBXnhdO6f9pAw-g@mail.gmail.com>
To: Benjamin Beurdouche <ietf@beurdouche.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "cfrg@irtf.org" <Cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000009136d05edadbc0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/lKDGbriBaVC163-CK-XEIT7NxVg>
Subject: Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 17:15:28 -0000
Right, the limits section notes some (very large) formal limits which seem to have been computed that way. Those limits are large enough to not matter. :-) https://www.rfc-editor.org/rfc/rfc9180.html#name-input-length-restrictions The issue is the smaller, additional limit discussed in the section. Because of how HPKE was constructed, it is a little tricky to use the "info" parameter without making a copy of it. But that means, even if the primitive theoretically accepts a lot of data, you wouldn't want to pass something *too* large into it. (For some nebulous notion of "too large".) The immediate issue is the chosen limit (64) is very tight, and inconsistent with uses of HPKE. But I think there is a bigger issue here because we said "info" is to be used like an AEAD aad. You typically do not need to make a copy of aad to run the AEAD. On Thu, Nov 17, 2022 at 12:01 PM Benjamin Beurdouche <ietf@beurdouche.com> wrote: > You might find this useful... formal bounds for all those HPKE inputs can > be found here: > > https://github.com/hacl-star/hacl-star/blob/main/specs/Spec.Agile.HPKE.fsti#L330 > > ... of course it is a weird formula which depends on which hash algorithm > [a] is used. > An audit of this would be welcome btw. > > B. > > Le jeu. 17 nov. 2022 à 16:05, David Benjamin <davidben@chromium.org> a > écrit : > >> Our implementation doesn't impose any particular limits on info. But this >> maybe points to a larger issue here. The resolution of >> https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/226 to recommend >> using info like an AEAD's aad parameter, which typically does not have >> tight limits. And, even independent of that advice, non-single-shot uses >> (like ECH) may well have non-trivial per-context additional authenticated >> data. For ECH in particular, should we ever stick PQ KEMs into ECH, the >> info field will become a lot larger. >> https://www.rfc-editor.org/rfc/rfc9180.html#section-8.1 >> >> Looks like the size issue comes from info being used as the IKM to >> LabeledExtract, which constructs a labeled_ikm by prepending a prefix. This >> means that, if your HKDF API requires contiguous IKMs, you need to make a >> copy of the info string. >> https://www.rfc-editor.org/rfc/rfc9180.html#section-5.1-9 >> https://www.rfc-editor.org/rfc/rfc9180.html#section-4-9 >> >> I would not expect most HKDF-Extract APIs to support discontiguous IKMs, >> as that's kinda weird for keying material. Then again, if we break the >> abstraction, it's just the body of an HMAC, which typically can be >> streamed, much less discontiguous. So we do't *actually* need to make a >> copy here. But breaking the abstraction here is not ideal because HPKE aims >> to abstract over KDFs. So if we want to rely on that, we might need to make >> a note to tweak the definition for future KDFs so they don't need to rely >> on the HMAC internals. >> >> >> On Wed, Nov 16, 2022 at 7:27 PM Stephen Farrell < >> stephen.farrell@cs.tcd.ie> wrote: >> >>> >>> Hiya, >>> >>> I filed an erratum [1] on RFC9180. It'd be good know what >>> other implementations support before we finalise/approve >>> that. >>> >>> The issues: >>> >>> - section 7.2.1 recommends a max of 64 octets for various >>> values, but appendix A.6.1 and other test vectors require >>> handling values that are 66 octets long >>> >>> - 64 octets is too short for the "info" parameter, as used >>> for ECH (where it needs to allow 8+len(ECHConfig) which >>> will be longer, and ECHConfig is extensible so we can't >>> be sure how long) >>> >>> One way to handle this might be to change the erratum so >>> it recommends supporting up to 128 octets for all values >>> except "info" where we might recommend supporting up to >>> 1024. >>> >>> So - would the above work for your HPKE implementation or >>> application using HPKE, or would you prefer some other >>> change? >>> >>> Thanks, >>> S. >>> >>> [1] https://www.rfc-editor.org/errata/eid7251 >>> _______________________________________________ >>> CFRG mailing list >>> CFRG@irtf.org >>> https://www.irtf.org/mailman/listinfo/cfrg >>> >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> >
- [CFRG] RFC9180/HPKE erratum on recommended sizes Stephen Farrell
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Benjamin Beurdouche
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Ilari Liusvaara
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Colin Perkins
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Dan Harkins