Re: [CFRG] HPKE and Key Wrapping

John Mattsson <john.mattsson@ericsson.com> Wed, 30 March 2022 11:46 UTC

Thanks Taylor!

Then it seems to me that AES-256-SIV and AES-512-SIV are the AES-based modes that should be added to HPKE to enable key wrapping security independent of the RNG. These are exactly the two AEADs suggested by draft-harkins-cfrg-dnhpke-01. Key wrapping mechanisms have in the past aimed to provide security even in the case of a compromised RNG, but it would be interesting to hear if someone thinks that property is needed in this case.

Cheers,
John

From: Taylor R Campbell <campbell@mumble.net> on behalf of Taylor R Campbell <campbell+cfrg@mumble.net>
Date: Wednesday, 30 March 2022 at 12:29
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping
> Date: Wed, 30 Mar 2022 08:51:44 +0000
> From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
>
> How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do
> we need both algorithms in the future? Does AES-GCM-SIV with a fixed
> nonce provide the same properties as nonce-less AES-SIV or is there
> a difference?

There is a fairly substantial difference.  In the Daence paper I drew
a table of advantage bounds for AES-SIV and AES-GCM-SIV, using the
best formulae I could find (with the function/permutation-switching
lemma of https://cr.yp.to/papers.html#permutations that gives better
bounds than the conventional q*(q - 1)/2 used in most papers):

https://eprint.iacr.org/2020/067.pdf#page=5

Smaller advantage bounds, i.e., larger values of n in the 2^-n terms,
are better.  1 means no advantage bound has been proven at all for
these parameters.

This table was computed using the logic at

https://github.com/riastradh/daence/blob/master/adv.py

which cites the sources in the literature I used for the formulae.
You can reuse the same logic to recompute bounds for different message
sizes/numbers if what you're looking for isn't in the table, of
course.

It may be worth noting that the security advertisement in RFC 8452 for
AES-GCM-SIV explicitly discourages nonce reuse even between different
users (different keys), which means you should even avoid the policy
of sequential message numbers that, e.g., TLS 1.3 uses with AES-GCM to
rule out a class of attacks:

https://datatracker.ietf.org/doc/html/rfc8452#page-12

The bottom line is that AES-GCM-SIV is designed for randomized nonces,
with some level of protection if your RNG fails.  In contrast, AES-SIV
is designed for security without nonces at all, and is particularly
well-suited to key-wrap, which should come as no surprise since that's
what it was designed for originally, as sung in Appendix F of:

https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.html