[CFRG] Questions for the group from the HPKE presentation

Nick Sullivan <nick@cloudflare.com> Fri, 06 August 2021 22:31 UTC

From: Nick Sullivan <nick@cloudflare.com>
Date: Fri, 6 Aug 2021 18:30:38 -0400
Message-ID: <CAFDDyk8yZegN6aWSZg=K7Wy+V2upq=GBuvGyQYowrRuehPDqYQ@mail.gmail.com>
To: cfrg@irtf.org, Dan Harkins <dharkins@lounge.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rFCIkGE-inbQecdKy_mbSU3wzD8>
Subject: [CFRG] Questions for the group from the HPKE presentation

Dear CFRG participants,

At IETF 111, Dan Harkins made a presentation
with two proposals:
- a proposal to define new codepoints for HPKE representing new KEMs for
compressed NIST points
- a proposal to define new codepoints to support deterministic
authenticated encryption schemes that don't use a nonce. This is in service
of the use case of out-of-order delivery of ciphertexts. *In the
discussion, it was noted that HPKE uses a nonce to ensure that it never
leaks whether the same plaintext was encrypted twice and that this proposal
does not provide this security property.*

Also during the discussion, an alternative proposal was made to solve the
out-of-order use case: modify the API for HPKE to enable the user to reset
the nonce counter. This API would enable out-of-order delivery of
ciphertexts with existing HPKE AEADs.

The chairs would like to ask the group a few questions:
1) Does the research group support adding an API to HPKE for resetting the
nonce counter?
2) Is there interest in pursuing a work item to explore defining either of
the following:
- new codepoints for compressed curve points in HPKE?
- new codepoints for deterministic authenticated encryption in HPKE (given the
answer to (1) was no)?

Nick (for the chairs)
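The nonce behaviour the discussion turns on, as an added example that is not part of this message or of any HPKE implementation: it derives the per-message nonce the way RFC 9180 does (base_nonce XOR the sequence number), shows that a counter-based nonce hides a repeated plaintext while a deterministic, nonce-free scheme exposes it, and goes one step beyond the text by sketching the receive side and a guarded counter-reset API. The HMAC-based stand-in AEAD, the ToyContext class with its reset_counter method, and the key and base nonce values are all assumptions made for illustration.

```python
import hashlib
import hmac
KEY, BASE_NONCE = bytes(range(32)), bytes.fromhex("000102030405060708090a0b")  # constructed values

def compute_nonce(base_nonce, seq):
    """RFC 9180, Section 5.2: nonce = base_nonce XOR I2OSP(seq, Nn)."""
    seq_bytes = seq.to_bytes(len(base_nonce), "big")  # OverflowError once seq no longer fits
    return bytes(a ^ b for a, b in zip(base_nonce, seq_bytes))

# Stand-in AEAD (HMAC-SHA256 keystream, encrypt-then-MAC tag), assumed for illustration;
# like HPKE's real AEADs it is a deterministic function of (key, nonce, aad, plaintext).
def _xor_stream(key, nonce, data):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))
def toy_seal(key, nonce, aad, pt):
    ct = _xor_stream(key, nonce, pt)
    return ct + hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]
def toy_open(key, nonce, aad, ct_tag):
    ct, tag = ct_tag[:-16], ct_tag[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed")
    return _xor_stream(key, nonce, ct)

class ToyContext:
    """HPKE-style context plus a hypothetical reset API guarded against nonce reuse."""
    def __init__(self, key, base_nonce):
        self.key, self.base_nonce, self.seq, self.used = key, base_nonce, 0, set()
    def seal(self, aad, pt):
        if self.seq in self.used:
            raise ValueError("seq %d already used under this key: nonce reuse" % self.seq)
        self.used.add(self.seq)
        seq, self.seq = self.seq, self.seq + 1
        return seq, toy_seal(self.key, compute_nonce(self.base_nonce, seq), aad, pt)
    def open(self, seq, aad, ct):  # receiver derives the nonce from the explicit seq
        return toy_open(self.key, compute_nonce(self.base_nonce, seq), aad, ct)
    def reset_counter(self, seq):
        self.seq = seq  # seal() still refuses any seq recorded in self.used

def demo(pt=b"same plaintext"):
    tx, rx = ToyContext(KEY, BASE_NONCE), ToyContext(KEY, BASE_NONCE)
    (s0, c0), (s1, c1) = tx.seal(b"", pt), tx.seal(b"", pt)
    out_of_order = rx.open(s1, b"", c1) == pt and rx.open(s0, b"", c0) == pt
    det = [toy_seal(KEY, b"\x00" * 12, b"", pt) for _ in range(2)]  # fixed nonce = deterministic AE
    tx.reset_counter(0)
    try:
        tx.seal(b"", pt); reset_guarded = False
    except ValueError:
        reset_guarded = True
    return {"counter_hides_repeat": c0 != c1, "deterministic_leaks_repeat": det[0] == det[1],
            "out_of_order_ok": out_of_order, "reset_guarded": reset_guarded}
```

Sending the sequence number with each ciphertext is what lets the receiver open messages in any order; the used-set guard is what a reset API would need so that a reset can never cause the same (key, nonce) pair to be used twice.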