Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
Benjamin Beurdouche <ietf@beurdouche.com> Thu, 17 November 2022 17:01 UTC
Return-Path: <w@beurdouche.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D36FC14CEE7 for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.893
X-Spam-Level:
X-Spam-Status: No, score=-1.893 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=beurdouche-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5TIoZaa587w for <cfrg@ietfa.amsl.com>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBABBC14CEE3 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
Received: by mail-ej1-x62b.google.com with SMTP id m22so6551049eji.10 for <Cfrg@irtf.org>; Thu, 17 Nov 2022 09:01:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=beurdouche-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CXstRhTaKE2kbMh+oKUBqoshnE4L+SmnACY24V8tQmo=; b=hrekaYaQm1YoLlESdpGocIFD2N3sY9dNP8GsOsEpZv3uh8tY6gH63Sc9DRyjlOwQZa nQ4piutZ2rhNyWqlP5wy2WEreSjnkpINtYBg8u7fT2UFLBjBjdkCPfnZljk/exk7Z2tn 8VxqKwWTldMd4k7PHIt3XcW58p28DoCrmLaxU++mgpBZ2+JMMXkGf2Nq15ujQljIYRe+ AAZ2z/zVyp2QQbsIIcUB1yKzqQ2yJHjR6ppq/iKS+dXFkkQbNcGjpwuqC1rE//OIhlH3 fyVNT2ymCsdkw2gMWhGbe0rL5jy06ObXIB2fXHgorBNvNnFcjtSLomRtg31NIb9C3h3h R3FA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CXstRhTaKE2kbMh+oKUBqoshnE4L+SmnACY24V8tQmo=; b=gfhohFAAdYT7VJ6jS8BgY6K0xWeE98go4Y5+ZtFlbf6QQH5m0vGUpPLOPiFoudeCqA lUHHJ5TvHmIJ+hG5dzklGaRv4mIJLdOROOegZqzxTOSEv7IBDrRzKap0/LZmo+9YH8yp Zu9Dg+rju11CqSNMHQqRDx16CMd59njWetakXnCUiC47gncTBXSnYra3ne/yoLNAH/MS Za+jKC8C1vTsVzuZZHIWkqtv8pE4Fuwl77jg9628U7XhflaxLBjxtWryaQu4g8tJa7zO oUiG8boYkxcsPNVyBSkwHzAymMSfqZaeiU3A3OAxfoyoBgpUhwH9aMFPiwjg8lf2POFt 7o0Q==
X-Gm-Message-State: ANoB5pkJOykM1QMqMbBwGB4egncB6Fny8RFsnbwvWDaTiUwh4UgVe3tp MgwzzQ9ZRWVmAHM1pOxwsrc3SVWyWx8KQh56HIhDLw==
X-Google-Smtp-Source: AA0mqf430db+WVEBwTf6DtTwfcLZGq7qw12iZTCvBdosCzCcfDA3Cup0HCNcn6hqSbldIgAszwcna7GeoICeeEhOuUI=
X-Received: by 2002:a17:906:5851:b0:7ae:bfeb:2219 with SMTP id h17-20020a170906585100b007aebfeb2219mr2840136ejs.145.1668704468771; Thu, 17 Nov 2022 09:01:08 -0800 (PST)
MIME-Version: 1.0
References: <2268807e-e934-2061-608a-afd422934acb@cs.tcd.ie> <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com>
In-Reply-To: <CAF8qwaCsHeTA6fmrZzLGnfk-NjXZ9qgYdw9KLHQ7OKfrfC5PdQ@mail.gmail.com>
From: Benjamin Beurdouche <ietf@beurdouche.com>
Date: Thu, 17 Nov 2022 18:00:57 +0100
Message-ID: <CA+LxFugzLbL7N2bJr6Oo=TrhwWTjMfDYvGPxjCktjpkzb4cg2w@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "cfrg@irtf.org" <Cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000001a1fa105edad8916"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yMSImaPiJsZdJko83ARakjZQyIo>
Subject: Re: [CFRG] RFC9180/HPKE erratum on recommended sizes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Nov 2022 17:01:19 -0000
You might find this useful... formal bounds for all those HPKE inputs can be found here: https://github.com/hacl-star/hacl-star/blob/main/specs/Spec.Agile.HPKE.fsti#L330 ... of course it is a weird formula which depends on which hash algorithm [a] is used. An audit of this would be welcome btw. B. Le jeu. 17 nov. 2022 à 16:05, David Benjamin <davidben@chromium.org> a écrit : > Our implementation doesn't impose any particular limits on info. But this > maybe points to a larger issue here. The resolution of > https://github.com/cfrg/draft-irtf-cfrg-hpke/issues/226 to recommend > using info like an AEAD's aad parameter, which typically does not have > tight limits. And, even independent of that advice, non-single-shot uses > (like ECH) may well have non-trivial per-context additional authenticated > data. For ECH in particular, should we ever stick PQ KEMs into ECH, the > info field will become a lot larger. > https://www.rfc-editor.org/rfc/rfc9180.html#section-8.1 > > Looks like the size issue comes from info being used as the IKM to > LabeledExtract, which constructs a labeled_ikm by prepending a prefix. This > means that, if your HKDF API requires contiguous IKMs, you need to make a > copy of the info string. > https://www.rfc-editor.org/rfc/rfc9180.html#section-5.1-9 > https://www.rfc-editor.org/rfc/rfc9180.html#section-4-9 > > I would not expect most HKDF-Extract APIs to support discontiguous IKMs, > as that's kinda weird for keying material. Then again, if we break the > abstraction, it's just the body of an HMAC, which typically can be > streamed, much less discontiguous. So we do't *actually* need to make a > copy here. But breaking the abstraction here is not ideal because HPKE aims > to abstract over KDFs. So if we want to rely on that, we might need to make > a note to tweak the definition for future KDFs so they don't need to rely > on the HMAC internals. > > > On Wed, Nov 16, 2022 at 7:27 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> > wrote: > >> >> Hiya, >> >> I filed an erratum [1] on RFC9180. It'd be good know what >> other implementations support before we finalise/approve >> that. >> >> The issues: >> >> - section 7.2.1 recommends a max of 64 octets for various >> values, but appendix A.6.1 and other test vectors require >> handling values that are 66 octets long >> >> - 64 octets is too short for the "info" parameter, as used >> for ECH (where it needs to allow 8+len(ECHConfig) which >> will be longer, and ECHConfig is extensible so we can't >> be sure how long) >> >> One way to handle this might be to change the erratum so >> it recommends supporting up to 128 octets for all values >> except "info" where we might recommend supporting up to >> 1024. >> >> So - would the above work for your HPKE implementation or >> application using HPKE, or would you prefer some other >> change? >> >> Thanks, >> S. >> >> [1] https://www.rfc-editor.org/errata/eid7251 >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] RFC9180/HPKE erratum on recommended sizes Stephen Farrell
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Benjamin Beurdouche
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… David Benjamin
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Ilari Liusvaara
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Colin Perkins
- Re: [CFRG] RFC9180/HPKE erratum on recommended si… Dan Harkins