IETF Logo Mail Archive

Re: [CFRG] RFC9180/HPKE erratum on recommended sizes

Benjamin Beurdouche <ietf@beurdouche.com> Thu, 17 November 2022 17:01 UTC

Return-Path: <w@beurdouche.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D36FC14CEE7 for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=beurdouche-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5TIoZaa587w for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBABBC14CEE3 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
Received: by mail-ej1-x62b.google.com with SMTP id m22so6551049eji.10 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beurdouche-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CXstRhTaKE2kbMh+oKUBqoshnE4L+SmnACY24V8tQmo=; b=hrekaYaQm1YoLlESdpGocIFD2N3sY9dNP8GsOsEpZv3uh8tY6gH63Sc9DRyjlOwQZa nQ4piutZ2rhNyWqlP5wy2WEreSjnkpINtYBg8u7fT2UFLBjBjdkCPfnZljk/exk7Z2tn 8VxqKwWTldMd4k7PHIt3XcW58p28DoCrmLaxU++mgpBZ2+JMMXkGf2Nq15ujQljIYRe+ AAZ2z/zVyp2QQbsIIcUB1yKzqQ2yJHjR6ppq/iKS+dXFkkQbNcGjpwuqC1rE//OIhlH3 fyVNT2ymCsdkw2gMWhGbe0rL5jy06ObXIB2fXHgorBNvNnFcjtSLomRtg31NIb9C3h3h R3FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CXstRhTaKE2kbMh+oKUBqoshnE4L+SmnACY24V8tQmo=; b=gfhohFAAdYT7VJ6jS8BgY6K0xWeE98go4Y5+ZtFlbf6QQH5m0vGUpPLOPiFoudeCqA lUHHJ5TvHmIJ+hG5dzklGaRv4mIJLdOROOegZqzxTOSEv7IBDrRzKap0/LZmo+9YH8yp Zu9Dg+rju11CqSNMHQqRDx16CMd59njWetakXnCUiC47gncTBXSnYra3ne/yoLNAH/MS Za+jKC8C1vTsVzuZZHIWkqtv8pE4Fuwl77jg9628U7XhflaxLBjxtWryaQu4g8tJa7zO oUiG8boYkxcsPNVyBSkwHzAymMSfqZaeiU3A3OAxfoyoBgpUhwH9aMFPiwjg8lf2POFt 7o0Q==
X-Gm-Message-State: ANoB5pkJOykM1QMqMbBwGB4egncB6Fny8RFsnbwvWDaTiUwh4UgVe3tp MgwzzQ9ZRWVmAHM1pOxwsrc3SVWyWx8KQh56HIhDLw==
X-Google-Smtp-Source: AA0mqf430db+WVEBwTf6DtTwfcLZGq7qw12iZTCvBdosCzCcfDA3Cup0HCNcn6hqSbldIgAszwcna7GeoICeeEhOuUI=
X-Received: by 2002:a17:906:5851:b0:7ae:bfeb:2219 with SMTP id h17-20020a170906585100b007aebfeb2219mr2840136ejs.145.1668704468771; Thu, 17 Nov 2022 09:01:08 -0800 (PST)
MIME-Version: 1.0
References: <2268807e-e934-2061-608a-afd422934acb@cs.tcd.ie> <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com>
In-Reply-To: <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com>
From: Benjamin Beurdouche <ietf@beurdouche.com>
Date: Thu, 17 Nov 2022 18:00:57 +0100
Message-ID: <CA+LxFugzLbL7N2bJr6Oo=TrhwWTjMfDYvGPxjCktjpkzb4cg2w@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "cfrg@irtf.org" <Cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000001a1fa105edad8916"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yMSImaPiJsZdJko83ARakjZQyIo>
Subject: Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 17:01:19 -0000

You might find this useful... formal bounds for all those HPKE inputs can
be found here:
https://github.com/hacl-star/hacl-star/blob/main/specs/Spec.Agile.HPKE.fsti#L330

... of course it is a weird formula which depends on which hash algorithm
[a] is used.
An audit of this would be welcome btw.

B.

Le jeu. 17 nov. 2022 à 16:05, David Benjamin <davidben@chromium.org> a
écrit :

> Our implementation doesn't impose any particular limits on info. But this
> maybe points to a larger issue here. The resolution of
> https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/226 to recommend
> using info like an AEAD's aad parameter, which typically does not have
> tight limits. And, even independent of that advice, non-single-shot uses
> (like ECH) may well have non-trivial per-context additional authenticated
> data. For ECH in particular, should we ever stick PQ KEMs into ECH, the
> info field will become a lot larger.
> https://www.rfc-editor.org/rfc/rfc9180.html#section-8.1
>
> Looks like the size issue comes from info being used as the IKM to
> LabeledExtract, which constructs a labeled_ikm by prepending a prefix. This
> means that, if your HKDF API requires contiguous IKMs, you need to make a
> copy of the info string.
> https://www.rfc-editor.org/rfc/rfc9180.html#section-5.1-9
> https://www.rfc-editor.org/rfc/rfc9180.html#section-4-9
>
> I would not expect most HKDF-Extract APIs to support discontiguous IKMs,
> as that's kinda weird for keying material. Then again, if we break the
> abstraction, it's just the body of an HMAC, which typically can be
> streamed, much less discontiguous. So we do't *actually* need to make a
> copy here. But breaking the abstraction here is not ideal because HPKE aims
> to abstract over KDFs. So if we want to rely on that, we might need to make
> a note to tweak the definition for future KDFs so they don't need to rely
> on the HMAC internals.
>
>
> On Wed, Nov 16, 2022 at 7:27 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>>
>> Hiya,
>>
>> I filed an erratum [1] on RFC9180. It'd be good know what
>> other implementations support before we finalise/approve
>> that.
>>
>> The issues:
>>
>> - section 7.2.1 recommends a max of 64 octets for various
>>    values, but appendix A.6.1 and other test vectors require
>>    handling values that are 66 octets long
>>
>> - 64 octets is too short for the "info" parameter, as used
>>    for ECH (where it needs to allow 8+len(ECHConfig) which
>>    will be longer, and ECHConfig is extensible so we can't
>>    be sure how long)
>>
>> One way to handle this might be to change the erratum so
>> it recommends supporting up to 128 octets for all values
>> except "info" where we might recommend supporting up to
>> 1024.
>>
>> So - would the above work for your HPKE implementation or
>> application using HPKE, or would you prefer some other
>> change?
>>
>> Thanks,
>> S.
>>
>> [1] https://www.rfc-editor.org/errata/eid7251
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email