Re: [CFRG] HPKE and Key Wrapping
John Mattsson <john.mattsson@ericsson.com> Wed, 30 March 2022 11:46 UTC
From: John Mattsson <john.mattsson@ericsson.com>
To: Taylor R Campbell <campbell+cfrg@mumble.net>
CC: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
Date: Wed, 30 Mar 2022 11:46:10 +0000
Message-ID: <HE1PR0701MB30507A04EBAF0D19FC481DD9891F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <20220330102724.C64F260BA2@jupiter.mumble.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vEy8ZD8xWFstLt5bqCfmotnHgNg>
Thanks Taylor! Then it seems to me that AES-256-SIV and AES-512-SIV are the AES-based modes that should be added to HPKE to enable key wrapping security independent of the RNG. These are exactly the two AEADs suggested by draft-harkins-cfrg-dnhpke-01.

Key wrapping mechanisms have in the past aimed to provide security even in the case of a compromised RNG, but it would be interesting to hear if someone thinks that property is needed in this case.

Cheers,
John

From: Taylor R Campbell <campbell@mumble.net> on behalf of Taylor R Campbell <campbell+cfrg@mumble.net>
Date: Wednesday, 30 March 2022 at 12:29
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Dan Harkins <dharkins@lounge.org>, IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] HPKE and Key Wrapping

> Date: Wed, 30 Mar 2022 08:51:44 +0000
> From: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
>
> How does AES-SIV (RFC 5297) compare with AES-GCM-SIV (RFC 8452)? Do
> we need both algorithms in the future? Does AES-GCM-SIV with a fixed
> nonce provide the same properties as nonce-less AES-SIV or is there
> a difference?

There is a fairly substantial difference.

In the Daence paper I drew a table of advantage bounds for AES-SIV and AES-GCM-SIV, using the best formulae I could find (with the function/permutation-switching lemma of https://cr.yp.to/papers.html#permutations that gives better bounds than the conventional q*(q - 1)/2 used in most papers):

https://eprint.iacr.org/2020/067.pdf#page=5

Smaller advantage bounds, i.e., larger values of n in the 2^-n terms, are better. 1 means no advantage bound has been proven at all for these parameters.

This table was computed using the logic at https://github.com/riastradh/daence/blob/master/adv.py which cites the sources in the literature I used for the formulae. You can reuse the same logic to recompute bounds for different message sizes/numbers if what you're looking for isn't in the table, of course.

It may be worth noting that the security advertisement in RFC 8452 for AES-GCM-SIV explicitly discourages nonce reuse even between different users (different keys), which means you should even avoid the policy of sequential message numbers that, e.g., TLS 1.3 uses with AES-GCM to rule out a class of attacks:

https://datatracker.ietf.org/doc/html/rfc8452#page-12

The bottom line is that AES-GCM-SIV is designed for randomized nonces, with some level of protection if your RNG fails. In contrast, AES-SIV is designed for security without nonces at all, and is particularly well-suited to key-wrap, which should come as no surprise since that's what it was designed for originally, as sung in Appendix F of:

https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.html
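The nonce-less, RNG-independent key wrap that this exchange is about, as an added example that is not part of the thread, not code from draft-harkins-cfrg-dnhpke-01 and not from any HPKE implementation: AES-SIV (RFC 5297) written from the RFC in Go with only the standard library. The synthetic IV is S2V(K1, AD..., plaintext), so wrapping a key needs no nonce and never calls a random number generator; the same key, associated data and plaintext always produce the same output, and any modified bit fails authentication. The `SIV` type and the names `New`, `Wrap`, `Unwrap`, `dbl`, `xorInto`, `cmac`, `s2v` and `crypt` are this example's own; the key is the RFC's `K1 || K2` split, and `main` checks the output against the RFC 5297 appendix A.1 test vector (32-byte key, which is the two-AES-128-keys variant that the thread calls AES-256-SIV; a 64-byte key gives the AES-512 variant).

```go
// Added example (not code from the CFRG thread or any HPKE draft): AES-SIV
// (RFC 5297) key wrap written from the RFC, Go standard library only.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

const bs = 16 // AES block size

// SIV holds the two AES instances for K = K1 || K2: K1 for S2V, K2 for CTR.
type SIV struct{ mac, ctr cipher.Block }

func New(key []byte) (*SIV, error) {
	if len(key) != 32 && len(key) != 48 && len(key) != 64 {
		return nil, errors.New("AES-SIV key must be 32, 48 or 64 bytes (K1 || K2)")
	}
	mac, _ := aes.NewCipher(key[:len(key)/2]) // sizes validated above
	ctr, _ := aes.NewCipher(key[len(key)/2:])
	return &SIV{mac, ctr}, nil
}

// dbl multiplies a block by x in GF(2^128) (RFC 5297 section 2.3).
func dbl(in []byte) []byte {
	out, carry := make([]byte, bs), byte(0)
	for i := bs - 1; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry != 0 {
		out[bs-1] ^= 0x87
	}
	return out
}

// xorInto XORs src into the first len(src) bytes of dst.
func xorInto(dst, src []byte) {
	for i := range src {
		dst[i] ^= src[i]
	}
}

// cmac is AES-CMAC (RFC 4493) under K1.
func (s *SIV) cmac(msg []byte) []byte {
	sk := make([]byte, bs)
	s.mac.Encrypt(sk, sk) // L = E_K1(0^128)
	sk = dbl(sk)          // CMAC subkeys: dbl(L) for a full last block, dbl(dbl(L)) otherwise
	x := make([]byte, bs)
	for len(msg) > bs { // CBC-MAC over every block but the last
		xorInto(x, msg[:bs])
		s.mac.Encrypt(x, x)
		msg = msg[bs:]
	}
	xorInto(x, msg)
	if len(msg) == bs {
		xorInto(x, sk) // complete final block
	} else {
		x[len(msg)] ^= 0x80 // 10* padding of a short or empty final block
		xorInto(x, dbl(sk))
	}
	s.mac.Encrypt(x, x)
	return x
}

// s2v is the S2V PRF of RFC 5297 section 2.4; strs is the AD strings then the plaintext.
func (s *SIV) s2v(strs ...[]byte) []byte {
	d := s.cmac(make([]byte, bs)) // D = CMAC(0^128)
	for _, str := range strs[:len(strs)-1] {
		d = dbl(d)
		xorInto(d, s.cmac(str))
	}
	last := strs[len(strs)-1]
	if len(last) >= bs { // T = last xorend D
		t := append([]byte(nil), last...)
		xorInto(t[len(t)-bs:], d)
		return s.cmac(t)
	}
	t := dbl(d) // T = dbl(D) xor pad(last)
	xorInto(t, last)
	t[len(last)] ^= 0x80
	return s.cmac(t)
}

// crypt runs CTR under K2 with counter Q = V with bits 31 and 63 cleared.
func (s *SIV) crypt(v, data []byte) []byte {
	q := append([]byte(nil), v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	out := make([]byte, len(data))
	cipher.NewCTR(s.ctr, q).XORKeyStream(out, data)
	return out
}

// Wrap returns V || CTR(K2, Q, pt) with V = S2V(K1, ad..., pt): no nonce, no RNG.
func (s *SIV) Wrap(ad [][]byte, pt []byte) []byte {
	v := s.s2v(append(append([][]byte{}, ad...), pt)...)
	return append(v, s.crypt(v, pt)...)
}

// Unwrap decrypts, recomputes S2V and returns plaintext only if the tag matches.
func (s *SIV) Unwrap(ad [][]byte, wrapped []byte) ([]byte, error) {
	if len(wrapped) < bs {
		return nil, errors.New("wrapped data shorter than the 16-byte SIV")
	}
	v := wrapped[:bs]
	pt := s.crypt(v, wrapped[bs:])
	if subtle.ConstantTimeCompare(s.s2v(append(append([][]byte{}, ad...), pt)...), v) != 1 {
		return nil, errors.New("AES-SIV authentication failed") // pt is discarded
	}
	return pt, nil
}

func main() {
	// RFC 5297 appendix A.1 vector: 32-byte key (K1 || K2), one AD string, 14-byte plaintext.
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	s, _ := New(key)
	fmt.Printf("%x\n", s.Wrap([][]byte{ad}, pt)) // 85632d07...fe5c, identical on every run
}
```

The determinism is the trade-off that makes this a key-wrap mode rather than a general-purpose AEAD: two wraps of the same key under the same wrapping key and AD are byte-identical, which leaks nothing useful when the wrapped payload is a high-entropy key but would leak plaintext equality for low-entropy messages. RFC 5297 handles that case by letting a nonce be passed as one more AD string when one is available, and it is exactly the absence of that requirement that removes the dependency on the RNG that the thread is discussing.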