Re: [CFRG] [Cfrg] I-D Action: draft-irtf-cfrg-hpke-06.txt

Christopher Wood <caw@heapingbits.net> Tue, 03 November 2020 15:07 UTC

Date: Tue, 03 Nov 2020 07:06:58 -0800
From: Christopher Wood <caw@heapingbits.net>
To: cfrg@irtf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zjQ6KTzuLMgSsGA7KfvOqCBBciM>
Subject: Re: [CFRG] [Cfrg] I-D Action: draft-irtf-cfrg-hpke-06.txt

On Wed, Oct 28, 2020, at 4:21 PM, Christopher Wood wrote:
> On Mon, Oct 26, 2020, at 10:04 AM, Christopher Patton wrote:
> > Hi all,
> > 
> > I agree that we shouldn't discourage adoption of alternatives to HKDF. 
> > However, I don't think the spec does so: it merely requires adherence 
> > to the Extract-then-Expand API. There should be ways to securely "wrap" 
> > alternatives into Extract-then-Expand API providers, perhaps at the 
> > cost of CPU cycles. (E.g., how Noise uses Blake2b as pointed out above.)
> 
> +1.
> 
> The two-step Extract-then-Expand split does not rule out other KDFs and 
> allows best use of HKDF out of the box. Consequently, I don't think the 
> HPKE specification should change at this point.

To be more concrete, if desired, one could wrap HKDF as follows:

  Extract(salt, ikm): HKDF(secret=ikm, salt=salt, info="", length=Nh)
  Expand(prk, info, L): HKDF(secret=prk, salt="", info=info, length=L)

Similarly, I think one could wrap BLAKE3 as follows:

  Extract(salt, ikm): derive_key(context=salt, key_material=ikm), and output Nh bytes
  Expand(prk, info, L): derive_key(context=info, key_material=prk), and output L bytes

Best,
Chris
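
The HKDF wrapping described in the message above, as an added Python example that is not part of the original message or of the HPKE draft. The one-shot `hkdf` follows RFC 5869; the choice of SHA-256, the names `hkdf`, `extract`, `expand`, `NH` and `derive_key_and_nonce`, and all sample inputs and labels are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256            # assumption: the message does not fix a hash
NH = HASH().digest_size          # Nh in the message: 32 bytes for SHA-256


def hkdf(secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """One-shot HKDF (RFC 5869): Extract and Expand in a single call."""
    if not 0 < length <= 255 * NH:
        raise ValueError("length must be between 1 and 255 * Nh bytes")
    # RFC 5869: a salt that is not provided is a string of Nh zero bytes.
    prk = hmac.new(salt or bytes(NH), secret, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def extract(salt: bytes, ikm: bytes) -> bytes:
    """Extract(salt, ikm) as wrapped in the message: empty info, Nh bytes out."""
    return hkdf(secret=ikm, salt=salt, info=b"", length=NH)


def expand(prk: bytes, info: bytes, length: int) -> bytes:
    """Expand(prk, info, L) as wrapped in the message: empty salt, L bytes out."""
    return hkdf(secret=prk, salt=b"", info=info, length=length)


def derive_key_and_nonce(salt: bytes, ikm: bytes):
    """Two-step use of the wrapper; the info labels are constructed for this demo."""
    prk = extract(salt, ikm)
    return expand(prk, b"demo key", 16), expand(prk, b"demo nonce", 12)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the HPKE draft.
    key, nonce = derive_key_and_nonce(b"constructed salt", b"constructed ikm")
    print("prk  ", extract(b"constructed salt", b"constructed ikm").hex())
    print("key  ", key.hex())
    print("nonce", nonce.hex())
```

The wrapped `extract` returns one Expand block computed over the native HKDF-Extract output rather than that output itself, so its result does not match a native HKDF-Extract call; both peers have to use the same wrapper.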