Re: [CFRG] RGLC on draft-irtf-cfrg-dnhpke-03

Richard Barnes <rlb@ipv.sx> Thu, 07 December 2023 22:43 UTC

References: <4169984b-78cd-4193-b226-1a0297f524b9@isode.com> <66FD05E0-54F6-4651-92DF-773C91CBC651@heapingbits.net> <CAFR824wdxuRfX+pv4AOpMrqRegGEDCdwa+wNetc4kn_s196mfQ@mail.gmail.com>
In-Reply-To: <CAFR824wdxuRfX+pv4AOpMrqRegGEDCdwa+wNetc4kn_s196mfQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 07 Dec 2023 17:42:56 -0500
Message-ID: <CAL02cgRXkKRfa_sHKS0bLz64USpYtmPFM6otmSAVVicOYs0umg@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, CFRG <cfrg@irtf.org>, cfrg-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yaCuIVtezTZuaweEzD_kEHaHQwQ>

I strongly agree with Chris's analysis here.

The KEMs are fine.  They've already been registered; we should publish them.

The new "AEAD"s are not acceptable.  The major security claim of RFC 9180
is that "[HPKE] is IND-CCA2-secure as long as the underlying KEM and AEAD
schemes are IND-CCA2-secure".  The DAE schemes in this draft are not
IND-CCA2-secure, so none of the security analysis that underlies RFC 9180
applies -- all bets are off.  So there are two problems with just plugging
DAE into HPKE:

1. This new construction would provide substantially different security
properties than HPKE
2. This draft does not provide supporting analysis for *any* security
properties

As Chris says, the former problem is reason enough to call a KEM+DAE
something other than "HPKE".  The latter problem means that even if one
were OK with the different security properties here, we should not publish
this document because CFRG should not be in the business of publishing
cryptographic constructions without any actual security analysis.

As a final note, I would just point out that even the document's putative
justification for DAE is false.  It is perfectly possible to use HPKE in
lossy networks.

--Richard
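The two technical claims above, that a deterministic nonce-less AEAD breaks the IND-CCA2 precondition of the RFC 9180 analysis and that nonce-based HPKE already works over lossy networks, can be made concrete. The following is an added example, not code from the draft, from RFC 9180, or from any of the people in this thread. Both AEADs are HMAC-SHA256 toys written only to expose the definitional point (equal plaintexts under one key give equal ciphertexts in a deterministic scheme, so it cannot be IND-CPA, let alone IND-CCA2, in the standard multi-query sense; DAE is a deliberately weaker notion); they are not the AEADs the draft registers and are not for real traffic. `compute_nonce` follows RFC 9180 Section 5.2. The receiver-side loss handling assumes the application carries the HPKE sequence number in the clear with each packet; that is an application-level choice assumed here, not something taken from either document.

```python
"""Deterministic AEAD vs. nonce-based HPKE context: a toy comparison.

Added example. The AEADs are HMAC-SHA256 toys for illustration only;
they are not the draft's ciphers and must not be used for real data.
"""
import hashlib
import hmac
import secrets

NN = 12  # nonce length used for AES-GCM in RFC 9180


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Toy CTR-style keystream: HMAC-SHA256(key, iv || counter) blocks.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _lp(b: bytes) -> bytes:
    # Length-prefix a field so aad/pt boundaries are unambiguous under the MAC.
    return len(b).to_bytes(4, "big") + b


# --- Nonce-based AEAD (encrypt-then-MAC): the kind RFC 9180's analysis assumes ---
def nonce_seal(key: bytes, nonce: bytes, aad: bytes, pt: bytes) -> bytes:
    ct = _xor(pt, _keystream(key, b"enc" + nonce, len(pt)))
    tag = hmac.new(key, b"mac" + nonce + _lp(aad) + ct, hashlib.sha256).digest()[:16]
    return ct + tag


def nonce_open(key: bytes, nonce: bytes, aad: bytes, ct_tag: bytes) -> bytes:
    ct, tag = ct_tag[:-16], ct_tag[-16:]
    exp = hmac.new(key, b"mac" + nonce + _lp(aad) + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, exp):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(key, b"enc" + nonce, len(ct)))


# --- Deterministic nonce-less AEAD (SIV-style): the tag doubles as the IV ---
def det_seal(key: bytes, aad: bytes, pt: bytes) -> bytes:
    siv = hmac.new(key, b"siv" + _lp(aad) + pt, hashlib.sha256).digest()[:16]
    return siv + _xor(pt, _keystream(key, b"enc" + siv, len(pt)))


def det_open(key: bytes, aad: bytes, siv_ct: bytes) -> bytes:
    siv, ct = siv_ct[:16], siv_ct[16:]
    pt = _xor(ct, _keystream(key, b"enc" + siv, len(ct)))
    exp = hmac.new(key, b"siv" + _lp(aad) + pt, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(siv, exp):
        raise ValueError("authentication failed")
    return pt


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    # RFC 9180 Section 5.2: nonce = base_nonce XOR I2OSP(seq, Nn)
    return _xor(base_nonce, seq.to_bytes(len(base_nonce), "big"))


def hpke_style_sealer(key: bytes, base_nonce: bytes):
    """Sender context: a per-message nonce from the HPKE sequence counter."""
    state = {"seq": 0}

    def seal(aad: bytes, pt: bytes) -> bytes:
        nonce = compute_nonce(base_nonce, state["seq"])
        state["seq"] += 1
        return nonce_seal(key, nonce, aad, pt)

    return seal


def repeats_visible(seal) -> bool:
    """Minimal IND-CPA-style check: seal the same (aad, pt) twice under one key.
    True means an eavesdropper can tell the same message was sent twice,
    which no IND-CPA (hence no IND-CCA2) scheme may allow."""
    aad, pt = b"hdr", b"attack at dawn"
    return seal(aad, pt) == seal(aad, pt)


def lossy_receive(key: bytes, base_nonce: bytes, packets):
    """Receiver over a lossy, reordering network. Each packet is (seq, aad, ct)
    with seq carried in the clear (assumed application framing), so the nonce
    is recomputed per packet rather than from a local counter that would
    desynchronise after a drop. Returns {seq: plaintext} for packets that verify."""
    out = {}
    for seq, aad, ct in packets:
        try:
            out[seq] = nonce_open(key, compute_nonce(base_nonce, seq), aad, ct)
        except ValueError:
            pass  # forged or corrupted packet: drop it
    return out


def demo():
    key, base = secrets.token_bytes(32), secrets.token_bytes(NN)
    leaks_det = repeats_visible(lambda aad, pt: det_seal(key, aad, pt))   # True
    leaks_hpke = repeats_visible(hpke_style_sealer(key, base))            # False
    # Constructed traffic: seqs 0..4 sent; network drops 1, delivers 3 before 2.
    sender = hpke_style_sealer(key, base)
    pkts = [(i, b"hdr", sender(b"hdr", b"m%d" % i)) for i in range(5)]
    delivered = [pkts[0], pkts[3], pkts[2], pkts[4]]
    return leaks_det, leaks_hpke, lossy_receive(key, base, delivered)


if __name__ == "__main__":
    print(demo())
```

Run as a script, the deterministic scheme reports repeated ciphertexts while the HPKE-style context does not, and the receiver still decrypts packets 0, 2, 3 and 4 after packet 1 is lost and 2 and 3 arrive out of order; nothing about that requires giving up the nonce.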


On Thu, Dec 7, 2023 at 5:27 PM Deirdre Connolly <durumcrustulum@gmail.com>
wrote:

> I agree.
>
> On Thu, Dec 7, 2023, 5:15 PM Christopher Wood <caw@heapingbits.net> wrote:
>
>> This has been discussed lots of times on the list before. The current
>> state of the document doesn’t help make this discussion easy. Basically,
>> there are two things at stake here:
>>
>> 1. The new KEMs, for which code points have already been allocated:
>> https://www.iana.org/assignments/hpke/hpke.xhtml
>> 2. The new AEADs, which is a point of debate. I won’t reiterate the
>> argument here and point to my prior issue with the document:
>> https://mailarchive.ietf.org/arch/msg/cfrg/mP7swra3Mfni5KoPg2NKFccWTOk/
>>
>> That said, I do not think this document should be published in its
>> current state. Changing the HPKE contract is no small thing, yet that’s
>> precisely what (2) does, and it does so in the absence of analysis which
>> says what the properties of HPKE with DAE (that is, not an IND-CCA2-secure
>> AEAD) are. The responsible thing to do is to put (2) into a separate
>> document, for a separate construction that is NOT HPKE, but something
>> different.
>>
>> Best,
>> Chris
>>
>> On Nov 16, 2023, at 9:42 AM, Alexey Melnikov <alexey.melnikov@isode.com>
>> wrote:
>>
>> Dear CFRG participants,
>>
>> This message is starting 3 weeks RGLC on draft-irtf-cfrg-dnhpke-03
>> ("Deterministic Nonce-less Hybrid Public Key Encryption"), that will end on
>> December 7th 2023. If you've read the document and think that it is ready
>> (or not ready) for publication as an RFC, please send a message in reply to
>> this email or directly to CFRG chairs (cfrg-chairs@ietf.org). If you
>> have detailed comments, these would also be very helpful at this point.
>>
>> Thank you,
>> Alexey, for CFRG chairs
>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://mailman.irtf.org/mailman/listinfo/cfrg
>>