Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)

Colin Perkins <csp@csperkins.org> Wed, 03 April 2024 22:27 UTC

From: Colin Perkins <csp@csperkins.org>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Date: Wed, 03 Apr 2024 23:26:54 +0100
Subject: Re: [CFRG] [Technical Errata Reported] RFC9180 (7790)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vJIWlXe_Vh3ebngR0pLFt_S7lDo>

Hi,

This erratum hasn't seen much discussion; the other two have been 
discussed previously. In all three cases I think input from the CFRG 
Chairs is needed to judge consensus on how to proceed.

Colin


On 2 Apr 2024, at 21:46, Neil Madden wrote:

> Anyone know what’s going on with errata for HPKE? I reported this 
> one in January and have not heard anything about it. There appear to be 3 
> errata on RFC 9180 that are in “reported” state, 2 of which date 
> back to 2022. Is anyone looking at them?
>
> Regards,
>
> Neil
>
> Begin forwarded message:
>
>> From: RFC Errata System <rfc-editor@rfc-editor.org>
>> Date: 30 January 2024 at 10:24:00 GMT
>> To: rlb@ipv.sx, karthikeyan.bhargavan@inria.fr, ietf@benjaminlipp.de, 
>> caw@heapingbits.net, irsg@irtf.org
>> Cc: neil.e.madden@gmail.com, rfc-editor@rfc-editor.org
>> Subject: [Technical Errata Reported] RFC9180 (7790)
>>
>> The following errata report has been submitted for RFC9180,
>> "Hybrid Public Key Encryption".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid7790
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Neil Madden <neil.e.madden@gmail.com>
>>
>> Section: 9.1.2
>>
>> Original Text
>> -------------
>>   A detailed computational analysis of HPKE's Auth mode single-shot
>>   encryption API has been done in [ABHKLR20].  The paper defines
>>   security notions for authenticated KEMs and for authenticated public
>>   key encryption, using the outsider and insider security terminology
>>   known from signcryption [SigncryptionDZ10].  The analysis proves that
>>   DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for
>>   all Diffie-Hellman groups specified in this document.
>>
>>
>> Corrected Text
>> --------------
>>   A detailed computational analysis of HPKE's Auth mode single-shot
>>   encryption API has been done in [ABHKLR20].  The paper defines
>>   security notions for authenticated KEMs and for authenticated public
>>   key encryption, using the outsider and insider security terminology
>>   known from signcryption [SigncryptionDZ10].  The analysis proves that
>>   DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of
>>   Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman
>>   groups specified in this document. It does not fulfill the notion of
>>   Insider-Auth defined in the paper.
>>
>> Notes
>> -----
>> The referenced paper defines four notions of security, Outsider-CCA, 
>> Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE 
>> meets the first three, but, contrary to the current text of the RFC, 
>> it proves that it does *not* meet Insider-Auth security and that this 
>> is infeasible for HPKE. This is an important negative security result 
>> that should have been highlighted in the RFC.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". (If it is spam, it
>> will be removed shortly by the RFC Production Center.) Please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> will log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC9180 (draft-irtf-cfrg-hpke-12)
>> --------------------------------------
>> Title               : Hybrid Public Key Encryption
>> Publication Date    : February 2022
>> Author(s)           : R. Barnes, K. Bhargavan, B. Lipp, C. Wood
>> Category            : INFORMATIONAL
>> Source              : Crypto Forum Research Group
>> Area                : N/A
>> Stream              : IRTF
>> Verifying Party     : IRSG

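The negative result the erratum asks the RFC to state (DHKEM's Auth mode meets Outsider-CCA, Insider-CCA and Outsider-Auth, but cannot meet Insider-Auth) comes from a structural symmetry in AuthEncap()/AuthDecap(): the only sender-specific input to the KEM shared secret is DH(skS, pkR), and the recipient can compute exactly that value as DH(skR, pkS). The toy below, an added example that is neither code from the thread nor from RFC 9180, mirrors the AuthEncap()/AuthDecap() structure of RFC 9180 Section 4.1 over a constructed, deliberately tiny prime-order group (assumed values P = 1019, Q = 509, G = 4; the HKDF stand-in, labels and 16-byte output length are also assumptions for readability) and shows that a recipient holding skR produces, without skS, an (enc, shared_secret) pair byte-identical to the sender's.

```python
"""Toy DHKEM in Auth mode, mirroring the AuthEncap()/AuthDecap() structure
of RFC 9180 Section 4.1, to show why Insider-Auth cannot hold: everything
the sender feeds into the KEM shared secret is also computable by the
recipient, so a recipient-built (enc, shared_secret) pair is byte-identical
to what the real sender would produce with the same ephemeral key.

Added example, not code from RFC 9180 or the thread. The group is a
constructed, tiny prime-order subgroup for readability, not a real HPKE group.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, generator G = 4 of the order-Q subgroup.
P = 1019
Q = 509
G = 4
ELEM_LEN = 2  # bytes needed to serialize an element of Z_P (assumed encoding)


def keygen():
    """Random private scalar in [1, Q-1] and the matching public element."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def serialize(pk):
    return pk.to_bytes(ELEM_LEN, "big")


def dh(sk, pk):
    """DH(sk, pk) serialized as bytes, as RFC 9180's DH() does."""
    return serialize(pow(pk, sk, P))


def extract_and_expand(dh_bytes, kem_context):
    """Stand-in for RFC 9180 ExtractAndExpand: HKDF extract, then one expand step."""
    prk = hmac.new(b"toy-dhkem-salt", dh_bytes, hashlib.sha256).digest()
    return hmac.new(prk, kem_context + b"\x01", hashlib.sha256).digest()[:16]


def auth_encap(pkR, skS, pkS, skE=None):
    """Sender side: needs skS. Returns (shared_secret, enc)."""
    if skE is None:
        skE = keygen()[0]
    pkE = pow(G, skE, P)
    enc = serialize(pkE)
    dh_bytes = dh(skE, pkR) + dh(skS, pkR)      # concat(DH(skE, pkR), DH(skS, pkR))
    kem_context = enc + serialize(pkR) + serialize(pkS)
    return extract_and_expand(dh_bytes, kem_context), enc


def auth_decap(enc, skR, pkR, pkS):
    """Recipient side: needs skR. Returns shared_secret."""
    pkE = int.from_bytes(enc, "big")
    dh_bytes = dh(skR, pkE) + dh(skR, pkS)      # concat(DH(skR, pkE), DH(skR, pkS))
    kem_context = enc + serialize(pkR) + serialize(pkS)
    return extract_and_expand(dh_bytes, kem_context)


def recipient_side_encap(skR, pkR, pkS, skE=None):
    """The Insider-Auth gap: the recipient substitutes DH(skR, pkS) for the
    DH(skS, pkR) term it cannot compute directly; the two are equal, so no
    knowledge of skS is needed and the output matches auth_encap()'s exactly."""
    if skE is None:
        skE = keygen()[0]
    pkE = pow(G, skE, P)
    enc = serialize(pkE)
    dh_bytes = dh(skE, pkR) + dh(skR, pkS)
    kem_context = enc + serialize(pkR) + serialize(pkS)
    return extract_and_expand(dh_bytes, kem_context), enc


def demo(skS=7, skR=11, skE=3):
    """Fixed scalars so the run is reproducible. Returns a summary dict."""
    pkS, pkR = pow(G, skS, P), pow(G, skR, P)
    ss_sender, enc_sender = auth_encap(pkR, skS, pkS, skE)
    ss_recipient, enc_recipient = recipient_side_encap(skR, pkR, pkS, skE)
    return {
        "decap_matches_sender": auth_decap(enc_sender, skR, pkR, pkS) == ss_sender,
        "recipient_output_identical": (ss_sender, enc_sender) == (ss_recipient, enc_recipient),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for an HPKE user is the one the erratum wants on record: Auth mode convinces the recipient that a ciphertext came from the holder of skS (Outsider-Auth), but it gives the recipient nothing it could show a third party, because the recipient could have produced the same bytes itself. An application that needs non-repudiation, or needs to rule out a compromised recipient key being used to fabricate "received" messages, has to add a signature over the ciphertext rather than rely on the Auth-mode KEM.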