Re: [CFRG] HPKE test vector request - deterministic key gen that requires iteration

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sat, 16 July 2022 13:28 UTC

Message-ID: <080bd87e-2944-a1a6-d06d-61972a9b2696@cs.tcd.ie>
Date: Sat, 16 Jul 2022 14:28:03 +0100
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@irtf.org" <Cfrg@irtf.org>
References: <d12619ce-eb68-415e-9c3e-3e2ed37ef263@cs.tcd.ie> <YtKV/CNrIOIQ9LX/@LK-Perkele-VII2.locald>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <YtKV/CNrIOIQ9LX/@LK-Perkele-VII2.locald>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ujoW3nD-pmfVXbo89go66jkxrb0>

Hiya,

Thanks Ilari, that's great to get.

On 16/07/2022 11:42, Ilari Liusvaara wrote:
> On Sat, Jul 16, 2022 at 12:44:09AM +0100, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> HPKE includes deterministic key generation based on an
>> initial key material (IKM) value. There's an iterative
>> DeriveKeyPair scheme for NIST curves. [1]
>>
>> I recently added some tests using the test vectors from
>> RFC9180 but the deterministic key gen ones I found only
>> seem to exercise the code that doesn't need to iterate,
>> i.e., they succeed immediately with the counter at zero.
>>
>> Does anyone have a test vector with an IKM value that
>> requires iteration?
> 
> No idea if this is correct, 

Well, it works the same here! Mind you, I did have to fix
a really silly bug that was obvious once I ran the code,
which was my whole reason for asking:-)

> but with my implementation of HPKE, I get:
> 
> kemid:   P256
> ikm:     000000000000000000000000000000000000000000000000000000030138b5ec

I'm guessing from the above value you just searched for that.
If so, thanks again for saving me the work of doing that too!

> dkp_rpk: 55f64db8e620e8373551ae9e45e6802a985b027cd043d73dd0fec6de9e094367
> bytes0:  ffffffff213dbec7d0a4e48002a3abc2ae736d3de1e19755c65ee86fba8d7307
> bytes1:  02010edfe618aeb55ba93bae1521c4a1e83c3db89cd976cc459a822bd1034bb4
> 
> As a note, the first candidate scalar it computes is:
> 
> 115792089213856954898469474048607274691333539784456088236989463005489886229255
> 
> Which exceeds the P-256 order:
> 
> 115792089210356248762697446949407573529996955224135760342422259061068512044369
> 
> (115792089213... > 115792089210...)
> 
> The second candidate is:
> 
>     906495204980253860296648081872579350626967427403362137130682426765428870068
> 

All those are calculated the same by my code.

And the encoded public key I get as a result is:

047d 0c87 ffd5 d145 54a7 51df a399 26a9
e30e 7c3c 6562 4f4b 5fb3 ad7a a4da c24a
d8f5 bed0 e86e b884 1ce4 892e 0fc3 87bb
dbfe 160d 589c 892d d4b1 464a c351 c56f
b6


> Which is in range so it is the result.
> 
> Finding a P-256 vector causing two iterations would require massive
> effort. And finding P-384 and P-521 vectors causing iteration is just
> far beyond what can be done. And even single iterations with P-256 are
> 1 in ~4 billion events.

Yeah, not sure how to handle that kind of thing if one
has to deal with such unlikely events. But at least with
one p256 test vector the code's been tested so I guess
we only risk interop with p384 and p521 rather than there
being other bugs in untested code.

Cheers,
S.

> -Ilari
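The iterative DeriveKeyPair procedure the thread is about, as an added worked example (it is not code from either poster's implementation): a from-scratch RFC 9180 DeriveKeyPair for DHKEM(P-256, HKDF-SHA256) that records every candidate scalar, so the rejection branch that Ilari's IKM exercises is visible rather than silently skipped. It uses only the Python standard library; the HKDF and P-256 group arithmetic are written out for self-containment and are not constant-time, so they are suited to checking test vectors, not to production key generation. The IKM, PRK (listed above as dkp_rpk; RFC 9180 calls it dkp_prk), candidate bytes and public key are the values from the messages above.

```python
import hashlib
import hmac

# P-256 (secp256r1) domain parameters (FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

# RFC 9180: DHKEM(P-256, HKDF-SHA256) is kem_id 0x0010 with Nsk = 32, and
# DeriveKeyPair masks the first candidate byte with 0xFF (0x01 for P-521).
KEM_ID = 0x0010
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")
NSK = 32
BITMASK = 0xFF


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869: an empty salt is equivalent to HashLen zero bytes under HMAC.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def _point_add(p1, p2):
    """Affine addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k: int, point=(GX, GY)):
    """Plain double-and-add; fine for vector checking, not side-channel safe."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def derive_key_pair(ikm: bytes):
    """RFC 9180 7.1.3 DeriveKeyPair for P-256.

    Returns (sk, uncompressed SEC1 pk, every candidate scalar tried, dkp_prk)
    so a caller can confirm that out-of-range candidates were rejected.
    """
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)
    candidates = []
    sk, counter = 0, 0
    while sk == 0 or sk >= ORDER:
        if counter > 255:
            raise ValueError("DeriveKeyPairError")
        cand = bytearray(labeled_expand(dkp_prk, b"candidate", bytes([counter]), NSK))
        cand[0] &= BITMASK
        sk = int.from_bytes(cand, "big")
        candidates.append(sk)
        counter += 1
    x, y = scalar_mult(sk)
    pk = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return sk, pk, candidates, dkp_prk


if __name__ == "__main__":
    # Ilari's IKM from the thread: the first candidate exceeds the order.
    ikm = bytes.fromhex("000000000000000000000000000000000000000000000000000000030138b5ec")
    sk, pk, cands, prk = derive_key_pair(ikm)
    print("dkp_prk:", prk.hex())
    for i, c in enumerate(cands):
        print(f"candidate {i}: {c} {'(rejected)' if c >= ORDER else '(accepted)'}")
    print("pk:", pk.hex())
```

Running it on an IKM for which the counter never has to advance (the RFC 9180 vectors) yields a single accepted candidate, which is exactly why those vectors never reached the retry branch in the code Stephen describes; the IKM above is the one that forces a second call to LabeledExpand with counter byte 0x01.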