Re: [CFRG] HPKE and Key Wrapping
Dan Harkins <dharkins@lounge.org> Tue, 31 May 2022 23:43 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC0AAC15790C for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 16:43:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.782
X-Spam-Level:
X-Spam-Status: No, score=-3.782 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OO9zWBOdOpUw for <cfrg@ietfa.amsl.com>; Tue, 31 May 2022 16:43:54 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1121C15AAFA for <cfrg@irtf.org>; Tue, 31 May 2022 16:43:53 -0700 (PDT)
Received: from kitty.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0RCR0ZP69TX5SJ@wwwlocal.goatley.com> for cfrg@irtf.org; Tue, 31 May 2022 18:43:53 -0500 (CDT)
Received: from [192.168.1.223] (kitty.dhcp.bergandi.net [10.0.42.19]) by kitty.bergandi.net (PMDF V6.8 #2433) with ESMTPSA id <0RCR0023QTX4U7@kitty.bergandi.net> for cfrg@irtf.org; Tue, 31 May 2022 16:43:53 -0700 (PDT)
Received: from customer.lsancax1.pop.starlinkisp.net ([98.97.58.83] EXTERNAL) (EHLO [192.168.1.223]) with TLS/SSL by kitty.bergandi.net ([10.0.42.19]) (PreciseMail V3.3); Tue, 31 May 2022 16:43:53 -0700
Date: Tue, 31 May 2022 16:43:51 -0700
From: Dan Harkins <dharkins@lounge.org>
In-reply-to: <CAHP81y9rkZ+swjR4DiTji786YtCCBt5Z1edY9LAJTmnZonisZA@mail.gmail.com>
To: Shay Gueron <shay.gueron@gmail.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Message-id: <4d389c70-ce13-c465-1db4-5a8c221fba20@lounge.org>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="Boundary_(ID_rMin/19Ejiz75afsAfvn9g)"
Content-language: en-US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.8.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=kitty.bergandi.net, send-ip=98.97.58.83)
X-PMAS-External-Auth: customer.lsancax1.pop.starlinkisp.net [98.97.58.83] (EHLO [192.168.1.223])
References: <HE1PR0701MB3050AFD941AABAB80D7EC31E891E9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <7c67e7a0-ddaa-4f2e-9a1e-91af4956c0f1@beta.fastmail.com> <4627F814-4AE0-4E13-ADA3-2C30AF258385@vigilsec.com> <YkWDnvnHyJOUu3ol@LK-Perkele-VII2.locald> <C0494995-0D2E-42BE-8D21-4BB23C4E8E19@gmail.com> <aff51f72-8a3c-3172-fc91-87fcf156b4ac@lounge.org> <BE3C3092-9C44-442F-AFC8-2415B9182894@ll.mit.edu> <CAHP81y9rkZ+swjR4DiTji786YtCCBt5Z1edY9LAJTmnZonisZA@mail.gmail.com>
X-PMAS-Software: PreciseMail V3.3 [220518a] (kitty.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nDEybiTu0_cqfsGp99SucRQ3nUU>
Subject: Re: [CFRG] HPKE and Key Wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2022 23:43:57 -0000
On 5/31/22 10:15 AM, Shay Gueron wrote: > The thread was brought to my attention. > > I am not sure what other schemes were compared to AES-SIV, in a way > that the latter had advantage over them. It was compared to AES-KW: RFC 3394 and RFC 5649. The advantage of AES-SIV over AES-KW is efficiency, provable security, accepting associated data, and allowing for natural inputs instead of cramming everything into fixed-sized blocks. > However, I point out that that AES-GCM-SIV (RFC8452) handles inputs of > different lengths, AAD's, and one can choose to use it with a fixed > nonce (for wrapping keys). Yes it can. But AES-GCM-SIV MUST always be passed a nonce which is why it's not really thought of as a key wrapping scheme. Key wrapping schemes are deterministic and the security of the scheme is in the assumption that the data being wrapped-- the secret key-- provides the probabilistic contribution so no nonce is needed, not even a misuse-resistant one. AES-GCM-SIV is more of a bulk data encryption scheme that provides MRAE (compared to AES-GCM) than it is a key wrapping scheme. I think adding AES-GCM-SIV to HPKE is a good idea too, it's just not really addressing the keywrap use case, IMHO, while AES-SIV is. > I think Uri had commented about the key wrapping performance. Yes, AES-GCM-SIV can take advantage of the carryless multiply instruction that is used in many popular microprocessors. AES-SIV uses CMAC which is much less efficient. Both require two passes over the data (for MRAE purposes) though. Uri's other complaint about AES-SIV is that it takes a "doublewide" key. He seems to think that's a big drawback. The way I look at it, HKDF can generate 512-bits as easily as it can generate 256-bits, I just pass a different value for L, the crank gets turned and I take the single bitstring as the key for my cipher. The fact that it's doublewide is not really an issue-- I ask for "keylength" bits and I pass the result to the cipher along with my plaintext. But different strokes for different folks, this is an issue that has been brought up with AES-SIV. regards, Dan. > Regards, Shay > > On Tue, May 31, 2022 at 7:51 PM Blumenthal, Uri - 0553 - MITLL > <uri@ll.mit.edu> wrote: > > I support advancement of this draft, as I think that standardizing > a SIV mode is necessary for cryptographic protocols. > > Having said that, I prefer the way AES-GCM-SIV deals with keys to > what you’re doing, but that’s secondary. > > Thanks! > > -- > > V/R, > > Uri > > // > > /There are two ways to design a system. One is to make it so > simple there are obviously no deficiencies./ > > /The other is to make it so complex there are no obvious > deficiencies./ > > / - > C. A. R. Hoare/ > > *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Dan Harkins > <dharkins@lounge.org> > *Date: *Tuesday, May 31, 2022 at 12:43 > *To: *CFRG <cfrg@irtf.org> > *Subject: *Re: [CFRG] HPKE and Key Wrapping > > > Hi, > > I'd like to resurrect this thread. There seemed to be some > support for > adding an MRAE cipher to HPKE for key wrapping and also some > support for > AES-SIV being the cipher to add do to its advantages over other > key wrapping > schemes-- it accepts any length input without required padding out > to some > particular block size, and it accepts associated data. > > At the last IETF I asked for a consensus call on > draft-harkins-cfrg-dnhpke, > which proposes adding AES-SIV to the HKDF AEAD registry. If we > advanced that > draft we'd have the permanent and readily available specification > that is > required. Can we do that? Then all we'd need is the designated expert > to review and approve. > > I guess alternatively we could point to RFC 5297 as the > permanent and > readily available specification. Then all we'd need is a > designated expert. > Still, I'd like to see if there's support to advance my draft. > > regards, > > Dan. > > On 3/31/22 4:50 AM, Neil Madden wrote: > > On 31 Mar 2022, at 11:34, Ilari Liusvaara > <ilariliusvaara@welho.com> wrote: > > On Wed, Mar 30, 2022 at 04:15:44PM -0400, Russ Housley wrote: > > Martin: > > > On Tue, Mar 29, 2022, at 20:05, John Mattsson wrote: > > Would it make sense to standardize AES-KWP for > HPKE or do CFRG believe > that AES-SIV is the future of key wrapping? > Irrespectively I think the > CFRF should produce a good recommendation on > how to use HPKE for key > wrapping. > > > What is wrong with the existing HPKE cipher suites > for protecting > keying materials? That is, aside from not > carrying a NIST > approval stamp. > > > If you try to apply HPKE to the COSE or JOSE > structures, it just does > not quite fit. However, by using HPKE to deliver a > key-encryption key > (KEK) to the recipient, the structures fit. So, it > would be really > nice to use a Key-Wrap algorithm in HPKE to encrypt > the KEK. > > > Not sure about JOSE, but in COSE, the structures do fit > even for direct > encryption. COSE-HPKE does not use receipients itself, so > it can go into > cose_encrypt0, resulting in direct encryption. > > I’m not sure if this point is directly related to what is > being proposed here, but I think it is worth mentioning: > > JOSE and COSE allow sending the same message to multiple > recipients using key-wrapping. In the case of an authenticated > KEM (AKEM), this usage undermines the authenticity guarantees > due to the lack of Insider-Auth security (as per section 5.4 > of https://eprint.iacr.org/2020/1499.pdf) in HPKE AKEM. In > short, any recipient of the original message can simply take > the unwrapped content encryption key and use it to produce a > new message that appears to come from the original sender. > > This is why > https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 requires > a compactly-committing AEAD for symmetric content encryption > (DEM) and includes the AEAD tag in the KEM KDF computation to > ensure the KEM encapsulation for each recipient is bound to > the whole message. This current design was arrived at after > previous discussion on the CFRG list > (https://mailarchive.ietf.org/arch/msg/cfrg/iNoSj9g2cQ0JvDbHs4I70bfhrRc/) > and some offline discussions. > > (An alternative approach is to include the AEAD tag in > associated data of the key-wrapping process, which is another > advantage of SIV-AES over AES-KW - the latter not supporting > associated data). > > Kind regards, > > Neil > > > > _______________________________________________ > > CFRG mailing list > > CFRG@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > > > -- > > "The object of life is not to be on the side of the majority, but to > > escape finding oneself in the ranks of the insane." -- Marcus Aurelius > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Taylor R Campbell
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Christopher Wood
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Russ Housley
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Richard Barnes
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Martin Thomson
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping John Mattsson
- Re: [CFRG] HPKE and Key Wrapping Ilari Liusvaara
- Re: [CFRG] HPKE and Key Wrapping Neil Madden
- Re: [CFRG] HPKE and Key Wrapping Kampanakis, Panos
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins
- Re: [CFRG] HPKE and Key Wrapping Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] HPKE and Key Wrapping Shay Gueron
- Re: [CFRG] HPKE and Key Wrapping Dan Harkins