Re: [CFRG] HPKE and AEAD Authentication Tag Length

Dan Harkins <dharkins@lounge.org> Tue, 24 August 2021 02:17 UTC

Date: Mon, 23 Aug 2021 19:17:16 -0700
From: Dan Harkins <dharkins@lounge.org>
To: cfrg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/t71_-_UW_tbp0DStE_X7rgU3zxc>


On 8/23/21 6:23 PM, Martin Thomson wrote:
> Curiously, the length of the tag is not in contention for any of these AEADs.  It's only if we take on something like CCM or OCB that it becomes relevant.

   Actually HPKE's reference for GCM is SP800-38d which says "this
Recommendation does not preclude short tags entirely, because
knowledgeable security professionals should be able to manage the risks
in connection with [a targeted forgery attack described in Appendix B]."
Which seems to be exactly the opposite approach of HPKE. HPKE assumes
that its users are not knowledgeable security professionals and
therefore must not have tools that could be misused (like control of a
sequence number, or deciding on the length of a tag).

   I'm not sure this requires a change though as it seems to fall into
the "that which is not permitted is forbidden (for your own good!)"
ethos of HPKE.

   Dan.

> On Tue, Aug 24, 2021, at 04:52, Joseph Salowey wrote:
>> In working on a Java HPKE implementation I found that specification
>> does not specify anything about the authentication tag length for the
>> AEAD cipher.  I opened issue #283
>> <https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/238> and proposed
>> PR 239 <https://github.com/cfrg/draft-irtf-cfrg-hpke/pull/239> to
>> address this.
>>
>> Cheers,
>>
>> Joe

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius