Re: [CFRG] HPKE and Key Wrapping
Dan Harkins <dharkins@lounge.org> Wed, 30 March 2022 20:42 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5462D3A1012 for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 13:42:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.81
X-Spam-Level:
X-Spam-Status: No, score=-1.81 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsqBQ4-_W1bH for <cfrg@ietfa.amsl.com>; Wed, 30 Mar 2022 13:42:04 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8868F3A1004 for <cfrg@irtf.org>; Wed, 30 Mar 2022 13:42:04 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0R9K14OJMS63C7@wwwlocal.goatley.com> for cfrg@irtf.org; Wed, 30 Mar 2022 15:42:04 -0500 (CDT)
Received: from [10.74.74.210] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0R9K0076JS61UG@kitty.bergandi.net> for cfrg@irtf.org; Wed, 30 Mar 2022 13:42:03 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO [10.74.74.210]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Wed, 30 Mar 2022 13:42:03 -0700
Date: Wed, 30 Mar 2022 13:42:00 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
To: John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG <cfrg@irtf.org>
Message-id: <6614055c-d327-b2de-9f1f-ad38d53bf71d@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_3D5xyeuuE4oVvAD3Iu7mJg)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO [10.74.74.210])
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <35bac2f1-b647-4802-def8-9fee5d49d75e@lounge.org> <HE1PR0701MB30505DA9DCB9626D0EAFE56E891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
X-PMAS-Software: PreciseMail V3.3 [220325] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/mmFaJUfjXe0kEVpFyv2CAlGjahg>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Mar 2022 20:42:10 -0000
Hi John, On 3/30/22 1:51 AM, John Mattsson wrote: > > How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do we > need both algorithms in the future? Does AES-GCM-SIV with a fixed > nonce provide the same properties as nonce-less AES-SIV or is there a > difference? Your current draft only specifies a nonce-less AEAD, but I > would not be surprised if somebody in the future wants to also add a > nonce misuse-resistant AEAD to HPKE. Feels like it would be good with > some CFRG discussion on this, so we add the right AEADs to HPKE. I > don't have enough knowledge of these two SIV algorithms to have an > opinion at this point in time. > Well one difference is that AES-SIV can take a nonce (probabilistic mode) or not (deterministic mode). If no nonce is provided you get DAE security as described in the Rogaway and Shrimpton paper. If a nonce is provided you can get semantic security provided it is never used twice. It does provide misuse protection, though, in the event it is. With AES-GCM-SIV, you have to pass a nonce, it doesn't have a deterministic mode, and it provides the same guarantees under the same nonce use/misuse as AES-SIV. Another difference is the key. AES-SIV uses a "doublewide" key (for AES with a 128 bit key you pass AES-SIV a 256-bit key, AES with 256 uses a 512 bit key) while AES-GCM-SIV uses just a single "normal" sized key. Some people seem to think this is a problem with AES-SIV but KDFs can churn out keys of any length and a call to get a 256-bit key is as easy as a call to get a 512-bit key. Both of them are two pass modes (in order to achieve misuse resistance) but AES-GCM-SIV is probably faster than AES-SIV due to the fact that it uses a polynomial authenticator that can take advantage of the hardware support for carryless multiply while AES-SIV uses CMAC which is considerably slower. But that advantage would really only be seen on the wire and that is not the use case here. This is userland/key exchange, not kernel-level packet encryption. Yes, my draft does not discuss passing a nonce to AES-SIV in HPKE but it would be possible to do such a thing because AES-SIV takes a vector of AAD and the nonce can be one component of that vector-- AES-SIV doesn't require a distinct input for a nonce. Since I'm trying to deal with using HPKE in lossy networks, I don't really want to have to deal with a nonce unless I have to and if I do, then I really need to export the sequence number (as indicated in my draft) and in that case the need for a DAE cipher is not really there and I might as well just use AES-GCM in that case. > >if you want to use HPKE for key wrapping you don't even need a key wrapping > > >cipher mode, just do AES-GCM in the "one shot" HPKE variant. Wouldn't that work? > > Stated goals for key wrapping has been to try to avoid external state > and reliance on RNGs. Single-shot HPKE (with AES-GCM) seems similar to > using AES-GCM with a random nonce for key wrap. The difference is > which layer a trusted RNG is needed. When using single-shot HPKE (with > AES-GCM), an RNG controlling attacker that has knowledge of one of the > keys can compromise all other keys. I would be much more comfortable > with using a nonce-less or nonce misuse-resistant mode like AES-KWP, > AES-SIV, or AES-GCM-SIV when using HPKE for key wrapping. > The "single shot" HPKE call would not require a random nonce. It will just use the base nonce that gets generated as part of the HPKE key schedule (since the first and only shot will XOR a sequence number of zero onto that base nonce). So a trusted RNG is needed, yes, but that's necessary to achieve the security guarantees of HPKE in the first place (see section 9.7.5 of RFC 9180), there are no additional requirements placed on a RNG to do "single shot" key wrapping. That said, yes I agree: a nonce-less and misuse-resistant mode would be better. A DAE mode can achieve semantic security when the plaintext carries a (random) key-- the exact use case here-- so the principal complaint of DAE goes away. regards, Dan. > Cheers, > > John > > *From: *Dan Harkins <dharkins@lounge.org> > *Date: *Tuesday, 29 March 2022 at 17:29 > *To: *John Mattsson <john.mattsson@ericsson.com>, IRTF CFRG > <cfrg@irtf.org> > *Subject: *Re: [CFRG] HPKE and Key Wrapping > > > Hi John, > > There is a very nice critique of AES-KW (which is also defined in > the X9.102 > draft as well as the RFCs you mention) in Appendix A of the Rogaway > and Shrimpton > paper that defined SIV. To sum: > > "[O]ur conclusion is that none of the X9.102 algorithms are > mature. Most > severely, none has been proven secure—and, prior to this paper, there > was not even a clear target for a security proof. Each scheme has > multiple > problems from among the following: a restricted message space; an > inability > to handle an associated header; a restricted header space; > ciphertext > lengths that grow with the header length (even though the header > is only > authenticated); a large number of blockcipher calls; mysterious > aspects of > the construction (eg, the byte-reversals or xoring-in counters); > and use > of cryptographic primitives beyond a blockcipher. For a modern > encryption > scheme one might reasonably hope for a formally defined and > provably achieved > security goal, an aesthetic construction coming out of an > enunciated paradigm, > message headers being supported and the message space and header > space being > large and natural sets, message expansion of some fixed value, > one or two > blockcipher calls per block, and further efficiency > characteristics (like > being able to cheaply handle static headers)." > > It's also worth noting that AES-KW suffers from the same issue that > was brought > up when I mentioned using AES-SIV in HPKE: it is stateless and > deterministic and > therefore it is not really possible to achieve indistinguishability of > ciphertexts > under an adaptive chosen ciphertext attack, which is what HPKE is > supposed to > provide. > > You're right that AES-SIV is not approved by NIST. I discussed this > with NIST > a decade ago and there is an effective catch-22 in which NIST doesn't > want to > spend cycles analyzing and approving a cipher mode that is not > specified in any > standards and standards bodies are loath to specify cipher modes that > have not > been NIST approved. AES-SIV was formally submitted to NIST but no > action has > been taken, yet I persist (in trying to get NIST to approve AES-SIV). > > So while I think that AES-SIV is an improvement over AES-KW for the > purposes > of key wrapping (it's faster, and it's provably secure) if you want to > use HPKE > for key wrapping you don't even need a key wrapping cipher mode, just > do AES-GCM > in the "one shot" HPKE variant. Wouldn't that work? > > regards, > > Dan. > > On 3/29/22 2:05 AM, John Mattsson wrote: > > Hi, > > Dan Harkins draft and presentation made me think about HPKE and > key wrapping. > > https://datatracker.ietf.org/doc/html/draft-harkins-cfrg-dnhpke-01 > > AES-SIV could be used for this, but the algorithms currently > approved by NIST for key wrapping are AES-KW and AES-KWP. > > https://datatracker.ietf.org/doc/html/rfc3394 > > https://datatracker.ietf.org/doc/html/rfc5649 > > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf > > For asymmetric key wrapping. AES-KWP is often used with RSA-OAEP > (which NIST calls KTS-OAEP: Key-Transport Using RSA-OAEP in SP > 800-56Br2). > > https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br2.pdf > > https://cloud.google.com/kms/docs/key-wrapping > <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-106ef86c5fe35cef&q=1&e=62784b61-59e7-42e7-a0f2-18e13e958a75&u=https%3A%2F%2Fcloud.google.com%2Fkms%2Fdocs%2Fkey-wrapping> > > https://microsoft.github.io/CCF/release/1.x/js/ccf-app/interfaces/global.rsaoaepaeskwpparams.html > > I think HPKE is the future of asymmetric encryption including > asymmetric key wrapping. > > Would it make sense to standardize AES-KWP for HPKE or do CFRG > believe that AES-SIV is the future of key wrapping? Irrespectively > I think the CFRF should produce a good recommendation on how to > use HPKE for key wrapping. > > Cheers, > > John > > > > _______________________________________________ > > CFRG mailing list > > CFRG@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg <https://protect2.fireeye.com/v1/url?k=31323334-501d5122-313273af-454445555731-40f7d10cf9eb7c69&q=1&e=62784b61-59e7-42e7-a0f2-18e13e958a75&u=https%3A%2F%2Fwww.irtf.org%2Fmailman%2Flistinfo%2Fcfrg> > > > > -- > "The object of life is not to be on the side of the majority, but to > escape finding oneself in the ranks of the insane." -- Marcus Aurelius -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Taylor R Campbell
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Christopher Wood
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Richard Barnes
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Neil Madden
- Re: [CFRG] HPKE and Key Wrapping Kampanakis, Panos
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Shay Gueron
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins