[CFRG] Fixing the multi-shot API of HPKE
Dan Harkins <dharkins@lounge.org> Fri, 12 February 2021 23:29 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD0AB3A10D8 for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2021 15:29:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZRCVRisztrHA for <cfrg@ietfa.amsl.com>; Fri, 12 Feb 2021 15:29:23 -0800 (PST)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D0003A10D7 for <cfrg@irtf.org>; Fri, 12 Feb 2021 15:29:23 -0800 (PST)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QOF0AY95VWYA6@wwwlocal.goatley.com> for cfrg@irtf.org; Fri, 12 Feb 2021 17:29:22 -0600 (CST)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QOF00AIQVVAGM@trixy.bergandi.net> for cfrg@irtf.org; Fri, 12 Feb 2021 15:28:23 -0800 (PST)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Fri, 12 Feb 2021 15:28:23 -0800
Date: Fri, 12 Feb 2021 15:29:21 -0800
From: Dan Harkins <dharkins@lounge.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-id: <c089c88b-c5f6-f228-31a3-fb4e97a436c8@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
X-PMAS-Software: PreciseMail V3.3 [210212b] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/tkK13DYNgWj6D6q7H_JEDwWkA7w>
Subject: [CFRG] Fixing the multi-shot API of HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 23:29:25 -0000
Hello again, The HPKE spec defines a single shot API for doing things like key-wrapping. You pass in the recipient's public key and some plaintext and get back a ciphertext. And that's it. One and done. There is also (what I'll call for lack of a better word) a multi-shot API. The idea here is that there's a single asymmetric crypto operation involving the recipient's pubic key to derive some state that resides in an opaque HPKE context and then multiple calls to encrypt distinct plaintexts. The state created includes a base nonce and a sequence number (initialized to zero). Each call to another encryption (decryption) increments the sequence number which is xor'd with the base nonce and passed to the AEAD algorithm. The HPKE APIs take a plaintext, and AAD, and produce a ciphertext, and vice versa. This multi-shot API is fine if your world is Guaranteed In Order Delivery of Packets but that's not the world we all live in. As such, it'll only be a matter of time before the sender and receiver are out of sync. The HPKE draft alludes to this problem this way: "It is up to the application to ensure that encryptions and decryptions are done in the proper sequence, so that encryption and decryption nonces align." Well that's a pain! One of the nice things about HPKE is that one doesn't need to worry about the nitty gritty of crypto state management anymore, it's all hidden. The API is nice and clean-- pass in a plaintext and get a ciphertext, pass in a ciphertext and get a plaintext. If there was an AEAD mode that did not require a nonce it could be used in HPKE's multi-shot API without need for the application to manage state and guarantee the parties stay in sync. Thankfully there is such an AEAD mode: AES-SIV (RFC 5297). When I brought this up earlier (and also on github) in the context of misuse resistance the response was, there's an export-only API that will give you a secret and you can go do any AEAD mode you feel like, including AES-SIV, issue closed. While that is technically true, it applies equally to the AEAD functions that HPKE already defines-- you can export a secret and do AES-GCM-256 outside of HPKE while managing the necessary state yourself. Yet HPKE defines AEAD functions whose state resides in an opaque context so there is obviously value in having that functionality. I just want to get that value-- a clean, multi-shot API where I don't need to worry about managing state or guaranteeing people remain in sync-- for people who don't live in the world of Guaranteed In Order Delivery of Packets. So I'd like to ask the group whether they see value in having a nonce-less AEAD mode in HPKE. If so I'll be happy to resurrect the text changes I proposed and will be happy to contribute test vectors from my HPKE implementation which already does AES-SIV. One issue is that there are different security properties for a deterministic authenticated encryption scheme than for a probabilistic scheme. This is discussed in [1] and the security considerations would have to mention this. But I don't see that as a formidable problem. regards, Dan. [1] Rogaway and Shrimpton, "Deterministic Authenticated Encryption", EUROCRYPT, 2006 -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius
- [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Karthikeyan Bhargavan
- Re: [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Fixing the multi-shot API of HPKE Richard Barnes
- Re: [CFRG] Fixing the multi-shot API of HPKE Dan Harkins
- Re: [CFRG] Fixing the multi-shot API of HPKE Richard Barnes