Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt

Nasrul Zikri <> Wed, 04 December 2019 01:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 374C0120059 for <>; Tue, 3 Dec 2019 17:16:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uDujAspVUB1G for <>; Tue, 3 Dec 2019 17:16:48 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B994012000F for <>; Tue, 3 Dec 2019 17:16:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=FNW2xWRfFW2VqAp71qHrYKIrosoyrLuAyobtgyrEoECfbrIz5to2VvpJMjxw+Xh1NMIpQT1ohZpdUx7ZEqvBmJsQyWU88SWcWw9hWvuPkicXN2D802Uj3zovv9DWGwP6FEIoAF5RrFt82WuCbHR0yiPm6/QCu81paIEu1Km9yU3iDU+ufu2EyYVQoaPF+HZy1GWYa2a69Gl4PyOqUCU/BP53rUIfrccvqy+zCKtNvtAVYiC0HGi25w1J4yYjVTAKZUc2FRutKFcR+9J+dma1aQBaDPXWX3/3UcafIxTkw/f98f1Fpj7HlmMlNA5pwDKrQ/5zKv+omA51bv4ZEmVZXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OvWqzyBYyyVVx4t5LrwJEJQZmiyriANl5hyVLsjrunc=; b=Sky7gqJQPPXzjAPGOCrsj3zN4knDH+2CQ0ITl/PimAXKAeFXClC6+5s8Oykfo6cGwZFN5gTgKAr1SXm3C2lpPLFUpaPQwXf2bNEZq1Rawx7YhqsdeuZWekL7x+3TejOU1wfUWNhNuRW3rbiEaGBQdq7lsZlAIRX00qdo9G0rCvRV1gV0bes4UCn+J+v3/g914FHJVyQ9tdUtg+j8epgxvIkDQWuQWdrUJADRa0QNtEwBgx8eV/q3oGJJhEt1KZT7GODEF23HdbnzmTTqTRsT4tZgPgDyiQuk08d3PN1PJBWXv6KXaqqNyLFggZ8sF0XOmjG67pZDhqMttI/g1n8iow==
ARC-Authentication-Results: i=1; 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OvWqzyBYyyVVx4t5LrwJEJQZmiyriANl5hyVLsjrunc=; b=ur4hKJ8tnteNhZ5AHj3GpXZSG7DmbVU1UEfBqBlWdvVnaVrnHNvMqZIQY06+0atNl4IHp7Z9UfZ2va16QnPrG72sxLi//XnVoBo+usuqrLSoTyKQ1SRzu+Va9vMpg8Ko0Ef2WsP6S4qSdo4/0zDI9Ao9r7s7ZW4JoGBr4OPcGg7QEm32MZmS5n/YfU6drFbOMy/f7g8IKqXanwtkUmqBZp0PH5dhlAw4E+6n1TgDrzsPX0vvlj0mBtHHxc/wj1momY1PgiGaoyYQJksXYSm9BUlI76w+yCCaPDhJDdpihaeFXY3MzDeEjSrFFMLCWl5+4upvhDt7kZHx8GyAXUltGQ==
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.25; Wed, 4 Dec 2019 01:16:38 +0000
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.25 via Frontend Transport; Wed, 4 Dec 2019 01:16:37 +0000
Received: from ([fe80::3076:a7ea:eac2:8b10]) by ([fe80::3076:a7ea:eac2:8b10%5]) with mapi id 15.20.2495.014; Wed, 4 Dec 2019 01:16:37 +0000
From: Nasrul Zikri <>
To: "" <>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt
Thread-Index: AQHVnwlQ535jm3a+BEOkPAVUTE70gqeffTAAgAlZ/LQ=
Date: Wed, 4 Dec 2019 01:16:37 +0000
Message-ID: <>
References: <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:EC9DF463A2CBF4CC69FD0C26FCBDFDEB139F0CF019C3DFF36A6F88A5F7C4801F; UpperCasedChecksum:969E314E4F860FC01664F7D5E0BCDD0505B3C6E8FE5984F53AE8225DA840944A; SizeAsReceived:7038; Count:45
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [fwbvQ0EQaKGuOrClfqeqE/XZxIpM6XNT]
x-ms-publictraffictype: Email
x-incomingheadercount: 45
x-eopattributedmessage: 0
x-ms-office365-filtering-correlation-id: b04a3fe4-01a4-4ed5-af6d-08d778579c75
x-ms-traffictypediagnostic: SG2APC01HT012:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: dtzJCT7HoTtrG7y8TZhuCe5NMSKj0C9gOch+LvW4/SBOYesJ71ahrHwPcVo/bIxa90RcAlV6EjHTnM/2VwwD6JCgEqV2+Niv/Yq1ScHTxjuEHPKvgKrgSZi9IIkaw1Em2HC1C+jZ7JmWr0HCAVZ/Rv8LsU0JpGruHJPpwOZbJWExN3fspvp9toMaTzVjgn9mfSDIBJhxUrcuUxxnx4Xmk8vSfRCHzJ142vk3/oqe6Pc=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_PU1PR01MB19473B071CC97F419EF35C11A8420PU1PR01MB1947apcp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: b04a3fe4-01a4-4ed5-af6d-08d778579c75
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2019 01:16:37.7791 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SG2APC01HT012
Archived-At: <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Dec 2019 01:16:51 -0000

Hello Richard,

Thanks for looking at my use-case. I have been working recently on a quick implementation of FFDH so I would be interested to see how this perform in HPKE. If I can test this first and then request code points later that is good enough. If you can find a way to re-use TLS cipher suite code points (like Stephen say) that is good also because this defines ffdhe2048(0x0100), ffdhe3072(0x0101), ffdhe4096(0x0102), ffdhe6144(0x0103), ffdhe8192(0x0104), ffdhe_private_use(0x01FC..0x01FF).

I think there are improvements that can be made for generating custom group for better security and speed. Using custom group help defend against an powerful adversary who would put a lot of work into breaking a fixed group, so I disagree that they are "even worse idea", but I realise there will be difficulties in negotiate parameters for custom group so I don't want to delay your draft.


From: Richard Barnes <>
Sent: Thursday, November 28, 2019 04:02
To: Nasrul Zikri <>
Cc: <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-hpke-02.txt

Hi Nasrul,

Thanks for taking a look at this draft.  Personally, I am disinclined to define FFDH schemes, unless there are other folks in the RG who think they would be useful.  That said, the registry policy on group IDs is Specification Required, so you can get code points if you have a specification; it doesn't have to be in this doc.  AFAIK, there should be no technical barrier to doing FFDH.

As far as custom parameters, I think the only reasonable way to accommodate them here would be to reserve some space in the registry for private, vendor-specific use.  But this seems like an even worse idea than FFDH, so again, I'm inclined to do nothing here.

If other folks are interested in these cases, please speak up.


On Wed, Nov 20, 2019 at 1:32 AM Nasrul Zikri <<>> wrote:
On your draft of Hybrid Public Key Encryption.

The draft appears to be for any DH KEM, but I note, however that the
examples and test vectors it gives are only for the elliptic curves
P-256, Curve25519, P-521, Curve448.

Would it be possible to define the algorithm identifiers and test
vectors for some FFDH groups as well as the elliptic curve? Or is there
some important reason why only ECDH methods are suitable?

If FFDH groups are indeed correct for use in the draft, it would appear
that the table in section 8.1 could be extended to allocate identifiers
for at least the parameter ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144,
ffdhe8192 as stated in RFC 7919, and perhaps the MODP groups as stated
in RFC 3526 and RFC 5114.

I would also like there to be a way of specifying the use of a custom
finite field for when the use of a defined elliptic curve or finite
field is not enough. I realise that stating a method for transporting
the parameters {p,q,g} is outside the scope of this draft, but could a
value for custom groups or private use be stated in this table also?


> Hey all,
> Happy IETF 106 deadline day!
> The authors feel that this version of HPKE is substantially complete.  All
> of the functional parts are there, as well as test vectors to facilitate
> interop.  And I think we've got some formal proofs on the way.  Please take
> a look and speak up if you see any gaps.
> Thanks,
> --Richard
> On Mon, Nov 4, 2019 at 3:47 PM <<>>; wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> >
> >         Title           : Hybrid Public Key Encryption
> >         Authors         : Richard L. Barnes
> >                           Karthik Bhargavan
> >         Filename        : draft-irtf-cfrg-hpke-02.txt
> >         Pages           : 45
> >         Date            : 2019-11-04
> >
> > Abstract:
> >    This document describes a scheme for hybrid public-key encryption
> >    (HPKE).  This scheme provides authenticated public key encryption of
> >    arbitrary-sized plaintexts for a recipient public key.  HPKE works
> >    for any combination of an asymmetric key encapsulation mechanism
> >    (KEM), key derivation function (KDF), and authenticated encryption
> >    with additional data (AEAD) encryption function..  We provide
> >    instantiations of the scheme using widely-used and efficient
> >    primitives.
> >
> >
> > The IETF datatracker status page for this draft is:
> >
> >
> > There are also htmlized versions available at:
> >
> >
> >
> > A diff from the previous version is available at:
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission
> > until the htmlized version and diff are available at<>.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> ><>
> >

Cfrg mailing list<>