IETF Logo Mail Archive

Re: [CFRG] HPKE and Key Wrapping

Dan Harkins <dharkins@lounge.org> Tue, 31 May 2022 23:43 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC0AAC15790C for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 16:43:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.782
X-Spam-Level:
X-Spam-Status: No, score=-3.782 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OO9zWBOdOpUw for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 16:43:54 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1121C15AAFA for <cfrg@irtf.org>; Tue, 31 May 2022 16:43:53 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0RCR0ZP69TX5SJ@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 31 May 2022 18:43:53 -0500 (CDT)
Received: from [192.168.1.223] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0RCR0023QTX4U7@kitty.bergandi.net> for cfrg@irtf.org; Tue, 31 May 2022 16:43:53 -0700 (PDT)
Received: from customer.lsancax1.pop.starlinkisp.net ([98.97.58.83] EXTERNAL) (EHLO [192.168.1.223]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Tue, 31 May 2022 16:43:53 -0700
Date: Tue, 31 May 2022 16:43:51 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAHP81y9rkZ+swjR4DiTji786YtCCBt5Z1edY9LAJTmnZonisZA@mail.gmail.com>
To: Shay Gueron <shay.gueron@gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Message-id: <4d389c70-ce13-c465-1db4-5a8c221fba20@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_rMin/19Ejiz75afsAfvn9g)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=98.97.58.83)
X-PMAS-External-Auth: customer.lsancax1.pop.starlinkisp.net [98.97.58.83] (EHLO [192.168.1.223])
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <4627F814-4AE0-4E13-ADA3-2C30AF258385@vigilsec.com> <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald> <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com> <aff51f72-8a3c-3172-fc91-87fcf156b4ac@lounge.org> <BE3C3092-9C44-442F-AFC8-2415B9182894@ll.mit.edu> <CAHP81y9rkZ+swjR4DiTji786YtCCBt5Z1edY9LAJTmnZonisZA@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [220518a] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nDEybiTu0_cqfsGp99SucRQ3nUU>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 23:43:57 -0000


On 5/31/22 10:15 AM, Shay Gueron wrote:
> The thread was brought to my attention.
>
> I am not sure what other schemes were compared to AES-SIV, in a way 
> that the latter had advantage over them.

   It was compared to AES-KW: RFC 3394 and RFC 5649. The advantage of 
AES-SIV over AES-KW
is efficiency, provable security, accepting associated data, and 
allowing for natural
inputs instead of cramming everything into fixed-sized blocks.

> However, I point out that that AES-GCM-SIV (RFC8452) handles inputs of 
> different lengths, AAD's, and one can choose to use it with a fixed 
> nonce (for wrapping keys).

   Yes it can. But AES-GCM-SIV MUST always be passed a nonce which is 
why it's not really
thought of as a key wrapping scheme. Key wrapping schemes are 
deterministic and the
security of  the scheme is in the assumption that the data being 
wrapped-- the secret
key-- provides the probabilistic contribution so no nonce is needed, not 
even a
misuse-resistant one.

   AES-GCM-SIV is more of a bulk data encryption scheme that provides 
MRAE (compared to
AES-GCM) than it is a key wrapping scheme.

   I think adding AES-GCM-SIV to HPKE is a good idea too, it's just not 
really addressing
the keywrap use case, IMHO, while AES-SIV is.

> I think Uri had commented about the key wrapping performance.

   Yes, AES-GCM-SIV can take advantage of the carryless multiply 
instruction that is
used in many popular microprocessors. AES-SIV uses CMAC which is much 
less efficient.
Both require two passes over the data (for MRAE purposes) though.

   Uri's other complaint about AES-SIV is that it takes a "doublewide" 
key. He seems to
think that's a big drawback. The way I look at it, HKDF can generate 
512-bits as easily
as it can generate 256-bits, I just pass a different value for L, the 
crank gets turned
and I take the single bitstring as the key for my cipher. The fact that 
it's doublewide
is not really an issue-- I ask for "keylength" bits and I pass the 
result to the cipher
along with my plaintext. But different strokes for different folks, this 
is an issue
that has been brought up with AES-SIV.

   regards,

   Dan.

> Regards, Shay
>
> On Tue, May 31, 2022 at 7:51 PM Blumenthal, Uri - 0553 - MITLL 
> <uri@ll.mit.edu> wrote:
>
>     I support advancement of this draft, as I think that standardizing
>     a SIV mode is necessary for cryptographic protocols.
>
>     Having said that, I prefer the way AES-GCM-SIV deals with keys to
>     what you’re doing, but that’s secondary.
>
>     Thanks!
>
>     --
>
>     V/R,
>
>     Uri
>
>     //
>
>     /There are two ways to design a system. One is to make it so
>     simple there are obviously no deficiencies./
>
>     /The other is to make it so complex there are no obvious
>     deficiencies./
>
>     /                                                                                                                   -
>     C. A. R. Hoare/
>
>     *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins
>     <dharkins@lounge.org>
>     *Date: *Tuesday, May 31, 2022 at 12:43
>     *To: *CFRG <cfrg@irtf.org>
>     *Subject: *Re: [CFRG] HPKE and Key Wrapping
>
>
>     Hi,
>
>       I'd like to resurrect this thread. There seemed to be some
>     support for
>     adding an MRAE cipher to HPKE for key wrapping and also some
>     support for
>     AES-SIV being the cipher to add do to its advantages over other
>     key wrapping
>     schemes-- it accepts any length input without required padding out
>     to some
>     particular block size, and it accepts associated data.
>
>       At the last IETF I asked for a consensus call on
>     draft-harkins-cfrg-dnhpke,
>     which proposes adding AES-SIV to the HKDF AEAD registry. If we
>     advanced that
>     draft we'd have the permanent and readily available specification
>     that is
>     required. Can we do that? Then all we'd need is the designated expert
>     to review and approve.
>
>       I guess alternatively we could point to RFC 5297 as the
>     permanent and
>     readily available specification. Then all we'd need is a
>     designated expert.
>     Still, I'd like to see if there's support to advance my draft.
>
>       regards,
>
>       Dan.
>
>     On 3/31/22 4:50 AM, Neil Madden wrote:
>
>             On 31 Mar 2022, at 11:34, Ilari Liusvaara
>             <ilariliusvaara@welho.com> wrote:
>
>             On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote:
>
>                 Martin:
>
>
>                     On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote:
>
>                         Would it make sense to standardize AES-KWP for
>                         HPKE or do CFRG believe
>                         that AES-SIV is the future of key wrapping?
>                         Irrespectively I think the
>                         CFRF should produce a good recommendation on
>                         how to use HPKE for key
>                         wrapping.
>
>
>                     What is wrong with the existing HPKE cipher suites
>                     for protecting
>                     keying materials?  That is, aside from not
>                     carrying a NIST
>                     approval stamp.
>
>
>                 If you try to apply HPKE to the COSE or JOSE
>                 structures, it just does
>                 not quite fit.  However, by using HPKE to deliver a
>                 key-encryption key
>                 (KEK) to the recipient, the structures fit.  So, it
>                 would be really
>                 nice to use a Key-Wrap algorithm in HPKE to encrypt
>                 the KEK.
>
>
>             Not sure about JOSE, but in COSE, the structures do fit
>             even for direct
>             encryption. COSE-HPKE does not use receipients itself, so
>             it can go into
>             cose_encrypt0, resulting in direct encryption.
>
>         I’m not sure if this point is directly related to what is
>         being proposed here, but I think it is worth mentioning:
>
>         JOSE and COSE allow sending the same message to multiple
>         recipients using key-wrapping. In the case of an authenticated
>         KEM (AKEM), this usage undermines the authenticity guarantees
>         due to the lack of Insider-Auth security (as per section 5.4
>         of https://eprint.iacr.org/2020/1499.pdf) in HPKE AKEM. In
>         short, any recipient of the original message can simply take
>         the unwrapped content encryption key and use it to produce a
>         new message that appears to come from the original sender.
>
>         This is why
>         https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 requires
>         a compactly-committing AEAD for symmetric content encryption
>         (DEM) and includes the AEAD tag in the KEM KDF computation to
>         ensure the KEM encapsulation for each recipient is bound to
>         the whole message. This current design was arrived at after
>         previous discussion on the CFRG list
>         (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/)
>         and some offline discussions.
>
>         (An alternative approach is to include the AEAD tag in
>         associated data of the key-wrapping process, which is another
>         advantage of SIV-AES over AES-KW - the latter not supporting
>         associated data).
>
>         Kind regards,
>
>         Neil
>
>
>
>         _______________________________________________
>
>         CFRG mailing list
>
>         CFRG@irtf.org
>
>         https://www.irtf.org/mailman/listinfo/cfrg
>
>
>
>     -- 
>
>     "The object of life is not to be on the side of the majority, but to
>
>     escape finding oneself in the ranks of the insane." -- Marcus Aurelius
>
>     _______________________________________________
>     CFRG mailing list
>     CFRG@irtf.org
>     https://www.irtf.org/mailman/listinfo/cfrg
>

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

v2.23.0 | Report a Bug | By Email