IETF Logo Mail Archive

Re: [CFRG] misuse-resistant AEAD and HPKE

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 03 November 2020 01:01 UTC

Return-Path: <prvs=85765c245c=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3BA3A12EB for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 17:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6NBWiL6sWtmM for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 17:00:59 -0800 (PST)
Received: from llmx3.ll.mit.edu (LLMX3.LL.MIT.EDU [129.55.12.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 713C53A12EA for <cfrg@irtf.org>; Mon, 2 Nov 2020 17:00:58 -0800 (PST)
Received: from LLE2K16-MBX03.mitll.ad.local (LLE2K16-MBX03.mitll.ad.local) by llmx3.ll.mit.edu (unknown) with ESMTPS id 0A310tBG036280; Mon, 2 Nov 2020 20:00:55 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Y5z3M9iBaeUDWPRb0R9ZCFSfCeUBTEx2R7S2RYBdy9OlknLR0GrnNikh4Jl4rPmE0n/Xf2cQrL6rfaSXDzzTDSCtZ2vsxeNgWMyXtJsDMLxi6GCvg4IqHjtMe/4odGrDLUvKC8jgmUktJhfBcZ0z8fXSqrxuGpkSkjhWsLXhFBqVX9h7d/TSTTBVzUe/PFcCgGlnIqaOTYLxNlSA1TocS3Lv0Uy/Hhw+CeEoST2QpkqR5hjCNQyOZ3KVxZuK0dM8ypXGQ4jlfKmdFnauXZEYb91h9TFzA7YwJsz/tSMtbFPhW+zo8qTaLApe1xEdhs0TDzL57hE2eLgUvYujPQyVfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GzcoN09go90oIPupE3Wy6sY1qwB/7tC3NsqBn20fPQs=; b=0TzMUG6xyTQG2xMcqAmjHM4EJHXE08nJnCH+V5CMTsYUcfa5OcjzYswoLf4xy8pgghlBdUfV+IjecKHWQoUqZNxCMkjKy0oB6ytZCnMg9JcNwGksQ9G47TyDFthSeY7OjfxhfRJAbSFANa+4xe+ZuMS+HKH4G0OCCUREgQpYPCOZl0y40ONabqIaMiQgOgRcm6KZ3PrQ7O9b+HpEwQCHsbIYr8paTD+uswwuN2IQCNZ+F4VT+lt8td3wcLxyEDKxvWFifroOXD1mhx+ntdLX2m5ITFOOczlf+GimX6oDywqwUv1gXQfC2/svOVjU/XyzTw2SW2sCdpr+hOP1IIC4jQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] misuse-resistant AEAD and HPKE
Thread-Index: AQHWsVnMEY+ZQZ6NpUaQrm+FTT5CnKm1eNIAgAAZCQCAAATYAA==
Date: Tue, 03 Nov 2020 01:00:49 +0000
Message-ID: <84EED12E-6EBB-469F-9FA4-D541D48C3D77@ll.mit.edu>
References: <d2dabd93-0eae-665d-9294-4b81a44670fc@lounge.org> <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com> <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
In-Reply-To: <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.4)
authentication-results: lounge.org; dkim=none (message not signed) header.d=none;lounge.org; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b463e8ee-1752-4cf5-c224-08d87f93e796
x-ms-traffictypediagnostic: BN3P110MB0452:
x-microsoft-antispam-prvs: <BN3P110MB04524BA9EF65D6CE7795180590110@BN3P110MB0452.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN3P110MB0467.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(8676002)(71200400001)(66446008)(966005)(498600001)(2616005)(83380400001)(166002)(4326008)(6512007)(6506007)(53546011)(5660300002)(76116006)(8936002)(33656002)(2906002)(6486002)(6916009)(186003)(26005)(75432002)(86362001)(66556008)(64756008)(66946007)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_84EED12E6EBB469F9FA4D541D48C3D77llmitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN3P110MB0467.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b463e8ee-1752-4cf5-c224-08d87f93e796
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2020 01:00:49.2493 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3P110MB0452
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-11-02_16:2020-11-02, 2020-11-02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2009150000 definitions=main-2011030002
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yXi7FLxfupsYngvcn0aT0V7x-SE>
Subject: Re: [CFRG] misuse-resistant AEAD and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 01:01:02 -0000

Would you consider some kind of merge with AES-GCM-SIV? To avoid the need for double-wide key (which, IMHO, is a nuisance)?


On Nov 2, 2020, at 19:43, Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>> wrote:


  Hi Richard,

On 11/2/20 3:13 PM, Richard Barnes wrote:
Hi Dan,

I'm not sure what sort of support you have in mind here.  If the idea is just to define some ciphersuites for SIV or whatnot, feel free to email IANA once the registry exists.

  The text surrounding the APIs requires the maintenance of state unless
you're doing a single-shot version. Just firing off an email to IANA once
the registry exists would be a little too late I think.

  So what I have in mind is some text in section 5.2 explaining that if (let's
imagine how this *might* look) the "MRAE" column in table 5 indicates "yes"
then the encryption/decryption need not be stateful. The existing ciphers in
table 5 would all have "no" in the "MRAE" column. That's one way of doing it.
Since there is a separate section for "single shot APIs" using the stateful API
from section 5.2 there could also be a new one for "MRAE APIs" that similarly
uses the stateful API from section 5.2. That's another way of doing this. There
may be others.

I would not be OK with specializing HPKE so that it *only* supports misuse-resistant AEADs.  Even having different behavior for misuse-resistant vs. not seems like more trouble than it's worth -- more code paths and more management overhead (is this one misuse-resistant or not?) in exchange for saving ~2 hash invocations.

  I'm not suggesting it *only* support misuse-resistant AEAD; not suggesting
the removal of anything. Since AES-SIV takes a double-wide key I'm suggesting
the addition of AES-SIV-256 and AES-SIV-512 and text describing what they
bring to the table.

  The issue is not the savings of ~2 hash invocations, it's the introduction of
misuse-resistance.

  Dan.


--Richard


On Mon, Nov 2, 2020 at 3:49 PM Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>> wrote:

  Hello,

  For some use cases it would be good to avoid the stateful requirements
of the the Seal() and Open() constructs in HPKE. This would seem especially
important if (skX, pkX) are derived deterministically which could result
in reuse of a particular nonce-secret for distinct invocations of Seal()
or Open().

  Rogaway and Shrimpton formalized the notion of a misuse-resistant AEAD
scheme in [1]. The mode they defined, AES-SIV, has the following properties:

   - the nonce can be arbitrary;
   - the nonce can repeat without loss of authenticity of the message,
     with privacy lost to the extent that one could know that the same
     message was sent (if, in fact, it was);
   - the nonce is not even required-- truly deterministic AEAD.

While that last property is pretty cool, it would probably be too
hard to pry into HPKE at this point. But the other properties could
be supported quite straightforwardly I think.

  AES-SIV has been defined in RFC 5297. I would be happy to provide
some suggested text to add support for AES-SIV if there is consensus
that it's a good idea.

  regards,

  Dan.


[1] "Deterministic Authenticated Encryption, A Provable-Security Treatment
    of the Key-Wrap Problem"-- EUROCRYPT '06, St. Petersburg, Russia, 2006.


--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg


--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius

_______________________________________________
CFRG mailing list
CFRG@irtf.org<mailto:CFRG@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email