Re: [CFRG] misuse-resistant AEAD and HPKE
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Tue, 03 November 2020 01:01 UTC
Return-Path: <prvs=85765c245c=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF3BA3A12EB for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 17:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6NBWiL6sWtmM for <cfrg@ietfa.amsl.com>; Mon, 2 Nov 2020 17:00:59 -0800 (PST)
Received: from llmx3.ll.mit.edu (LLMX3.LL.MIT.EDU [129.55.12.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 713C53A12EA for <cfrg@irtf.org>; Mon, 2 Nov 2020 17:00:58 -0800 (PST)
Received: from LLE2K16-MBX03.mitll.ad.local (LLE2K16-MBX03.mitll.ad.local) by llmx3.ll.mit.edu (unknown) with ESMTPS id 0A310tBG036280; Mon, 2 Nov 2020 20:00:55 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=Y5z3M9iBaeUDWPRb0R9ZCFSfCeUBTEx2R7S2RYBdy9OlknLR0GrnNikh4Jl4rPmE0n/Xf2cQrL6rfaSXDzzTDSCtZ2vsxeNgWMyXtJsDMLxi6GCvg4IqHjtMe/4odGrDLUvKC8jgmUktJhfBcZ0z8fXSqrxuGpkSkjhWsLXhFBqVX9h7d/TSTTBVzUe/PFcCgGlnIqaOTYLxNlSA1TocS3Lv0Uy/Hhw+CeEoST2QpkqR5hjCNQyOZ3KVxZuK0dM8ypXGQ4jlfKmdFnauXZEYb91h9TFzA7YwJsz/tSMtbFPhW+zo8qTaLApe1xEdhs0TDzL57hE2eLgUvYujPQyVfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=GzcoN09go90oIPupE3Wy6sY1qwB/7tC3NsqBn20fPQs=; b=0TzMUG6xyTQG2xMcqAmjHM4EJHXE08nJnCH+V5CMTsYUcfa5OcjzYswoLf4xy8pgghlBdUfV+IjecKHWQoUqZNxCMkjKy0oB6ytZCnMg9JcNwGksQ9G47TyDFthSeY7OjfxhfRJAbSFANa+4xe+ZuMS+HKH4G0OCCUREgQpYPCOZl0y40ONabqIaMiQgOgRcm6KZ3PrQ7O9b+HpEwQCHsbIYr8paTD+uswwuN2IQCNZ+F4VT+lt8td3wcLxyEDKxvWFifroOXD1mhx+ntdLX2m5ITFOOczlf+GimX6oDywqwUv1gXQfC2/svOVjU/XyzTw2SW2sCdpr+hOP1IIC4jQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Dan Harkins <dharkins@lounge.org>
CC: CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] misuse-resistant AEAD and HPKE
Thread-Index: AQHWsVnMEY+ZQZ6NpUaQrm+FTT5CnKm1eNIAgAAZCQCAAATYAA==
Date: Tue, 03 Nov 2020 01:00:49 +0000
Message-ID: <84EED12E-6EBB-469F-9FA4-D541D48C3D77@ll.mit.edu>
References: <d2dabd93-0eae-665d-9294-4b81a44670fc@lounge.org> <CAL02cgSOH-yT6MY4JYvOwrQZ=kn6f+OWoBZ8m=SbCck1NpVqNg@mail.gmail.com> <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
In-Reply-To: <e7b99d15-9d0e-28fe-03d9-3dfbce5ae0ec@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.4)
authentication-results: lounge.org; dkim=none (message not signed) header.d=none;lounge.org; dmarc=none action=none header.from=ll.mit.edu;
x-originating-ip: [129.55.200.20]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b463e8ee-1752-4cf5-c224-08d87f93e796
x-ms-traffictypediagnostic: BN3P110MB0452:
x-microsoft-antispam-prvs: <BN3P110MB04524BA9EF65D6CE7795180590110@BN3P110MB0452.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN3P110MB0467.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(8676002)(71200400001)(66446008)(966005)(498600001)(2616005)(83380400001)(166002)(4326008)(6512007)(6506007)(53546011)(5660300002)(76116006)(8936002)(33656002)(2906002)(6486002)(6916009)(186003)(26005)(75432002)(86362001)(66556008)(64756008)(66946007)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_84EED12E6EBB469F9FA4D541D48C3D77llmitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN3P110MB0467.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b463e8ee-1752-4cf5-c224-08d87f93e796
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2020 01:00:49.2493 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3P110MB0452
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.312, 18.0.737 definitions=2020-11-02_16:2020-11-02, 2020-11-02 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2009150000 definitions=main-2011030002
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yXi7FLxfupsYngvcn0aT0V7x-SE>
Subject: Re: [CFRG] misuse-resistant AEAD and HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 01:01:02 -0000
Would you consider some kind of merge with AES-GCM-SIV? To avoid the need for double-wide key (which, IMHO, is a nuisance)? On Nov 2, 2020, at 19:43, Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>> wrote: Hi Richard, On 11/2/20 3:13 PM, Richard Barnes wrote: Hi Dan, I'm not sure what sort of support you have in mind here. If the idea is just to define some ciphersuites for SIV or whatnot, feel free to email IANA once the registry exists. The text surrounding the APIs requires the maintenance of state unless you're doing a single-shot version. Just firing off an email to IANA once the registry exists would be a little too late I think. So what I have in mind is some text in section 5.2 explaining that if (let's imagine how this *might* look) the "MRAE" column in table 5 indicates "yes" then the encryption/decryption need not be stateful. The existing ciphers in table 5 would all have "no" in the "MRAE" column. That's one way of doing it. Since there is a separate section for "single shot APIs" using the stateful API from section 5.2 there could also be a new one for "MRAE APIs" that similarly uses the stateful API from section 5.2. That's another way of doing this. There may be others. I would not be OK with specializing HPKE so that it *only* supports misuse-resistant AEADs. Even having different behavior for misuse-resistant vs. not seems like more trouble than it's worth -- more code paths and more management overhead (is this one misuse-resistant or not?) in exchange for saving ~2 hash invocations. I'm not suggesting it *only* support misuse-resistant AEAD; not suggesting the removal of anything. Since AES-SIV takes a double-wide key I'm suggesting the addition of AES-SIV-256 and AES-SIV-512 and text describing what they bring to the table. The issue is not the savings of ~2 hash invocations, it's the introduction of misuse-resistance. Dan. --Richard On Mon, Nov 2, 2020 at 3:49 PM Dan Harkins <dharkins@lounge.org<mailto:dharkins@lounge.org>> wrote: Hello, For some use cases it would be good to avoid the stateful requirements of the the Seal() and Open() constructs in HPKE. This would seem especially important if (skX, pkX) are derived deterministically which could result in reuse of a particular nonce-secret for distinct invocations of Seal() or Open(). Rogaway and Shrimpton formalized the notion of a misuse-resistant AEAD scheme in [1]. The mode they defined, AES-SIV, has the following properties: - the nonce can be arbitrary; - the nonce can repeat without loss of authenticity of the message, with privacy lost to the extent that one could know that the same message was sent (if, in fact, it was); - the nonce is not even required-- truly deterministic AEAD. While that last property is pretty cool, it would probably be too hard to pry into HPKE at this point. But the other properties could be supported quite straightforwardly I think. AES-SIV has been defined in RFC 5297. I would be happy to provide some suggested text to add support for AES-SIV if there is consensus that it's a good idea. regards, Dan. [1] "Deterministic Authenticated Encryption, A Provable-Security Treatment of the Key-Wrap Problem"-- EUROCRYPT '06, St. Petersburg, Russia, 2006. -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg -- "The object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." -- Marcus Aurelius _______________________________________________ CFRG mailing list CFRG@irtf.org<mailto:CFRG@irtf.org> https://www.irtf.org/mailman/listinfo/cfrg
- [CFRG] misuse-resistant AEAD and HPKE Dan Harkins
- Re: [CFRG] misuse-resistant AEAD and HPKE Richard Barnes
- Re: [CFRG] misuse-resistant AEAD and HPKE Dan Harkins
- Re: [CFRG] misuse-resistant AEAD and HPKE Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] misuse-resistant AEAD and HPKE Dan Harkins