IETF Logo Mail Archive

[hpke] Re: Clarification on some corner cases of HPKE

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 17 June 2026 20:38 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hpke@mail2.ietf.org
Delivered-To: hpke@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 20D1A102F401B for <hpke@mail2.ietf.org>; Wed, 17 Jun 2026 13:38:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1781728696; bh=uVXKTN6eJzdDpd9KNuaHgwikbKimqZ6Lm045oiqIxlI=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=xlhd0cHMCGO1GhKivCp1W3nBPn7SS/l/q429vjQWO6mBZlRiyWUmRbGu2D3dnm22E R8oEh1iBLOjv3HtfSNlijjUfBnmbisuYZgrYnZHcKmDeY9h44eqrV3mWqEQHqsCYjx elDXVYWaX5HHZhqYjOhUOD7QgvUQFGksA1i4IxZc=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9AS7PCvXFNoo for <hpke@mail2.ietf.org>; Wed, 17 Jun 2026 13:38:14 -0700 (PDT)
Received: from DB3PR0202CU003.outbound.protection.outlook.com (mail-northeuropeazon11020081.outbound.protection.outlook.com [52.101.84.81]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 70536102F3DF4 for <hpke@ietf.org>; Wed, 17 Jun 2026 13:36:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=bc73dGFSV0goG6CyaXT29dMOlwJ8wKCMBP9X66/Jk1EtWp/6/TLya+kClZV+aKWVWUQqxcMy5EsUu7tCva6fCmdMA9jazt3Zv6zoE6cMCKrj4pAo3m+r9syjW2n0+TRMHv7GxpzsLV8opgbVSW4SG7vPn8t6D8dZraqISjHR8OUhBvSLTQm/Y0royGDLnzhNAPaykciFZL1p0/PEhU6BYq6GYvyeGgom0FkNLIoK8/n5vnqQ+RprKerr2MqgIASfDV7SUU43QzpFA4s3MSXOt31GGBuEoNXOh6lvoc7BFI/WC83TRPYUKssF4AlP39YV8KG3qewuBBMMN+u/fQ/n4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uVXKTN6eJzdDpd9KNuaHgwikbKimqZ6Lm045oiqIxlI=; b=qCly2XTN6h0rMBxvOxKurDzKV8keicpZReKHP/Sxoeal+f39sd8t+pu0QIyzn5pR/JujcoNcw1aE9cWyRaibtHZ1561pw0+E0KpCergm+ibLKz2lUE9oKOMMgUlFbtSopdCJSLOqlicf2FpIFPP08iGUBMwkIJ+D8AoKDvHOSUclHKD7DoNhuc4+X4K4MlDOPQm84BdlGAI/vA+sH/JwtiRZIFW25dtoBvovAbFylueZDdgXQZp3I9H7xWyyLGhpoG330IB/08tAD4I5tQSdITOTF8Ws15DsPAkhX3bHMCDM266UHczgnyG+9DM9sLcOMuMFiJ0UP25B54zto5UOYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uVXKTN6eJzdDpd9KNuaHgwikbKimqZ6Lm045oiqIxlI=; b=arkoW1kxp94u1xhS5RBlU7HFdDkc6a34aV5gNJsIhHoYoHLDppkMlCyb5dtsCkExjLV4it9goo4qfE4Tz8fVD9UFubaiQ0UmtXgi33EeYYIOgtDHHZ3FSzHNwFnhZ66jJXLC8/lLIyAnb4FscuGbFeBu3ztQ9jLIYpYgG7LabO01fWSJ/GbPnbptLlgaa8gv8abZ5JlPoMU5hpdIQEAvlvnC0jm4vT5FVjh2y8GKHsWqgP5rr9WDoCI24vRLm3wGu42XQDe52sKpaedFbafjwMKbU8Ah9lXLP0MrKCKRi0tsmCINBa+WSSimaqTdDB3jdU+ohX48kUI02Xq3b6qezQ==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from PA3PR02MB11163.eurprd02.prod.outlook.com (2603:10a6:102:4b4::19) by DB9PR02MB6764.eurprd02.prod.outlook.com (2603:10a6:10:1f9::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.139.11; Wed, 17 Jun 2026 20:36:20 +0000
Received: from PA3PR02MB11163.eurprd02.prod.outlook.com ([fe80::71cc:8d7f:5cb5:3772]) by PA3PR02MB11163.eurprd02.prod.outlook.com ([fe80::71cc:8d7f:5cb5:3772%5]) with mapi id 15.21.0113.015; Wed, 17 Jun 2026 20:36:20 +0000
Message-ID: <9e8df6bb-facf-4741-a6f3-ebb903cc0b02@cs.tcd.ie>
Date: Wed, 17 Jun 2026 21:36:12 +0100
User-Agent: Mozilla Thunderbird
To: David Benjamin <davidben@chromium.org>, "Samuel Lee (ENS/Crypto)" <Samuel.Lee=40microsoft.com@dmarc.ietf.org>
References: <DS4PR21MB536838B9BE8C256C9C1325B980E42@DS4PR21MB5368.namprd21.prod.outlook.com> <CAF8qwaBoQj-7b0HCdzbGuR2J97EqhRcVm15kHjwoofEUb001Gw@mail.gmail.com>
Content-Language: en-US
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <CAF8qwaBoQj-7b0HCdzbGuR2J97EqhRcVm15kHjwoofEUb001Gw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------LWvhsEuH3xKAxuucfKGwnbFz"
X-ClientProxiedBy: CH0PR03CA0098.namprd03.prod.outlook.com (2603:10b6:610:cd::13) To PA3PR02MB11163.eurprd02.prod.outlook.com (2603:10a6:102:4b4::19)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: PA3PR02MB11163:EE_|DB9PR02MB6764:EE_
X-MS-Office365-Filtering-Correlation-Id: a16fb43f-7b30-4274-82c4-08deccb0168a
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|4022899009|376014|19092799006|10070799003|23010399003|786006|366016|56012099006|11063799006|6133799003|22082099003|18002099003|3023799007|4133799003|4143699003;
X-Microsoft-Antispam-Message-Info: Cad6aODyQgVTOezk9BR4DemLmGUubsJW5rave94D9JSoW7Va+3C6+YHIiA4aAEsjZbv1+BIANMrT/aZG7XzvSCP1hLKsoEjp4nYefUz32c7d7okHftRLl/z+uQARuFRMfpKjyFk0xkb1/77FdHlGtGb5fn1/GC/UIQy4acNHKCBDXqr3PZBoeyA+n2MhAGo3l2s1ws+ETnlu/VHyOUOy8MokDtOmSozm3wZhpO4UbyfL4iN3z4+6MLIj4Y4VPoisCLvE8e/rpNqJ9uqwSLLUZf2qw52QkpztHkHpQWK1Ztfa2mypTujjfYTigzQfK4+OyQCDnPOyQ8FSonvB1HSUqbLjltNmILoWFZlkBEOFucx40cz0iMD4mrMNf3outmaR2L0DU1XtMRowZ6p+pPF3Xn8FRkBSSE+dpn8fYK2ckMyOwggVMD7hqHvIiF3I9h9+QTqIfr2a7oZJSj3bVfVV5cLwuU03aGJjf3ZBNJjTquxqSl9S/kY/TpMBVZnGi+AOBlc+hSAZNeDbNCvYdvADirAoQG1g3sw3U6HzS04kuEsDUttKiqOHr/OdDdddnTk/hLgVHXcHGfrVWebMyWmCmu+Bw3fN/anVVbLBlWTJetxURMgQfpLSTWKbMwxR8UXikkemsyYqFoFSLBiiz5DHiG+Pz1Z0uG2bpWE1FQNWttjCNSquhW4Ot4qQLc3ScEdx
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PA3PR02MB11163.eurprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(4022899009)(376014)(19092799006)(10070799003)(23010399003)(786006)(366016)(56012099006)(11063799006)(6133799003)(22082099003)(18002099003)(3023799007)(4133799003)(4143699003);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 2
X-MS-Exchange-AntiSpam-MessageData-0: 55lbyg2Anygceq6/MkFhlp21JcFZqYoxA+8UOFXyhh4Qe6JiZsgoj+unEylc5UEmhRvP1aDJhzA/Yl3lxeOBp47qmNum9fBjwPB6Yd9r1efUax+5MUD34Ga0vai2c+qdkAWffmNahXldSvFOjrYBKpoiRvLOT4Cul1nZ2IO/Gx4TQvJbqlZP6iHAmafIR87AZE+bCU4y3V40HXDNCnAGutJKSk4w7QqMg2FItAJeI4MYbI+gwHdr1Fw3fZ1vz/oJkjPQjrm6gCIQ3XKWmbQKulfpus3w8qDeXyJ90iDwhd+QhkPHedP6aAtGVyYSbTmxBViDMVlzkMxqgT6Rs37zsmm4sVA89m+cyyM52Df9uz5/n29KGEUxZ2Jymta52EtlfGT88AWGyJzOKh4BggxVrydYjTGHD7LpoftLnVP35+FwITR38MeRg/4O8U51otGqMgVVI4yo8mjCA9q5YFsT/0axXOU0/4Svpx1Y9bNt656EIMduBSXSRfN0o5ByHHfws7OXULTLZIMEqS1KYZLSEIGpjcRNXpjRofbxlMN8TicJpEcfPAeDbPjzpT8U/j6uQiQtyrgKdQkxuH13dSwplYoBlMnPDkSuBMKRv2itGRz9M/Iji2hVbkAR50C0pmlepBrFDWeXGIYMWgONi/hOzr61Ad92VHW/2rwxwTV0vACMV9zr0n9jkfO3HhGbhCxNiYuRhy5Gm0u+L/D9L5Yt+pkEPc5SQNlfuRvV1FhpiLvowc/elFT/YKGlJ/UqosAR2rqv249dSQGTCF1eHJGtxHZeLkUwe8bIQCTK6tGKdYkuG2x5viLUjmJhYWUUJ7dy8XGQ8n/NGO8d4OQ1NGco6xJP3Zf/gr+yVmna3GJqx7lXgUoesh3ENzHIaqDeBMpO3jQZxd+rMqrNAdKiD3prRO5nvp0iy2tb7Kenuo1vTsTpVPjgBhaaEuaxiYwMIcM8agsHGfRr0Tn+yBloaUNiXNjpq5QmtBFcv6+Q7bqaqaBf38zpA0BG+DyNTuMhMZQ8JYXLZuTa+A2YekhXNnyr8ELzM0WRh1lfjOetFJWaSDVbtQyaN4e0jqOCl4/FQWO3mslqgmNSL6M5MTkqNwcWleRbUyZzApNRXVXyJq27RDFADbmc7ySyDW6eOZkmvnnstHZsgUoWEbBCQSvSORaDkrDabalmz5r/8vGHiSD7mQ6Ov+nU8rJD398qk0eirnCKcab2paVRKn1PMewPTBR/pa6ky4VG4am65ghj8D+KGDcl49/NmlIsKiX0REU/WI0mUFUkooyLk3iYyURj43dn52d3L9fUdX63jUWJkCAFC1q/o5sQBNg6V/TYkJj83cxYHJd7K+p8ioVBzCUgiQjg7JkXestsqZw3VmCTzfrffXN1pOyO5v8P4dLmc0sAk2m39F86ymHvNWI1bEX5HY1QlI8D0BGEbS1fQ2O9qtWy+OpQW7Zy/xaE18lOQkue7nzeKardOxwTeILpIuFQ+PW6Wiou66ZyBO6Hyp/xKL7iF4E8I3nMvArKZcUOh/6LcKOnO1rAmgWYiEmUhDYTnlPX8+z3YvsK9pAeiV11iZqanFiVcSEymdncHaOFDQiy1QooyQI134y2LZMrkqQu+A4U4XcOjPyoDnwcSRUiYiRpm1p28jwhJukPeoO4T0YOeWbBYM9u+PiLFzorbSNHRcOtB+CQp8GXBzvl4p0NpUNAlT3p4TqwJtzmHU4n4z9vqsPS45YpPiQuYClNoExLSGaRSbcFic5xnusPoUqAMcop61AhZLvjjUo/BaIMyqWBua6ipTIktHQF
X-MS-Exchange-AntiSpam-MessageData-1: 6jvC16WqCVDUsg==
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: a16fb43f-7b30-4274-82c4-08deccb0168a
X-MS-Exchange-CrossTenant-AuthSource: PA3PR02MB11163.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Jun 2026 20:36:20.1676 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: hIZwj0R4FxegnNtt8nIQ+KO8VJpizcUteuLqfpjAfIz7jEENO/EjkcphtVl9oG03
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR02MB6764
Message-ID-Hash: MWZS6LLYZGJC5RKQ3YFA6NLSYEXD2HYY
X-Message-ID-Hash: MWZS6LLYZGJC5RKQ3YFA6NLSYEXD2HYY
X-MailFrom: stephen.farrell@cs.tcd.ie
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "hpke@ietf.org" <hpke@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [hpke] Re: Clarification on some corner cases of HPKE
List-Id: "Hybrid Public Key Exchange (HPKE) Publication, Kept Efficient (hpke) to discuss updates and improvements to HPKE." <hpke.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hpke/f06uzG1wSyy4PqF3pdqzTTVrOvw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hpke>
List-Help: <mailto:hpke-request@ietf.org?subject=help>
List-Owner: <mailto:hpke-owner@ietf.org>
List-Post: <mailto:hpke@ietf.org>
List-Subscribe: <mailto:hpke-join@ietf.org>
List-Unsubscribe: <mailto:hpke-leave@ietf.org>

Hiya,

I disagree with David. That usually means I'm wrong:-)

Disclaimer: I contributed the OpenSSL HPKE stuff so am probably
quite blameworthy, but I've no recollection at all of either of
these issues being a topic of discussion.

On 17/06/2026 20:56, David Benjamin wrote:
> The byte string of length zero is a perfectly valid byte string. I don't
> see any reason for zero-length plaintext to be an error. 

ISTM that incrementing the sequence number after an initial
empty plaintext is more likely to confuse so disallowing
those doesn't seem unreasonable.

> I similarly don't
> see any reason to limit psk_id to NUL-terminated strings. 

I don't recall identifiers that can contain a NUL in the middle
as being anything other than a source of bugs/vulns, so also
disagree there. (A little more than for the empty plaintext
thing.)

That said, I don't disagree strongly in either case and if
there were some real use-case that required either I'd be
ok with making an OpenSSL PR for a fix. (Absent a real use-case
I'd probably not spend time on it now.)

Cheers,
S.


> In general, I
> think having holes in your input space like this just results in
> unnecessarily problems for the layers above. (Accidental truncation at
> NULs, extra error condition to worry about, etc.)
> 
> (Our implementation is perfectly happy with zero-length plaintexts. We
> don't currently implement the PSK modes but, if we did, I think we'd have
> allowed psk_id to just be a general byte string.)
> 
> On Wed, Jun 17, 2026 at 3:34 PM Samuel Lee (ENS/Crypto) <Samuel.Lee=
> 40microsoft.com@dmarc.ietf.org> wrote:
> 
>> Hey folks,
>>
>> I've been working on a new implementation of HPKE recently and when I
>> performed some interop testing with OpenSSL I found a couple of interesting
>> corners.
>>
>>
>> *Sealing an empty plaintext*
>> The HPKE spec seems to not make any restrictions on the minimum plaintext
>> length, and my implementation of HPKE allows a plaintext length for
>> Seal/Open to be zero-length.
>>
>> This naturally reduces to a MAC over the AAD for AEADs.
>> While the use case is probably niche, one could imagine that it might make
>> sense to want to just integrity protect some data between Sender and
>> Recipient for a specific message.
>>
>> OpenSSL appears to treat zero-length plaintext as an error.
>>
>>
>> *psk_id as a NUL terminated string vs. a byte array*
>> The HPKE spec seems to not make any restrictions on the form of PSK ID
>> beyond maximum lengths, and my implementation of HPKE takes psk_id as an
>> arbitrary byte buffer.
>>
>> OpenSSL takes psk_id as a NUL terminated string, so ids must not contain
>> NUL bytes.
>>
>>
>> For both of these issues, is there any opinion on whether these should be
>> treated as implementation defined vs. one way is "correct"?
>> Are there other interop gotchas that folks have run into that I should be
>> aware of, or HPKE implementations anyone would suggest looking at for
>> further interop testing?
>>
>> Best,
>> Sam
>> _______________________________________________
>> hpke mailing list -- hpke@ietf.org
>> To unsubscribe send an email to hpke-leave@ietf.org
>>
> 
> 
> _______________________________________________
> hpke mailing list -- hpke@ietf.org
> To unsubscribe send an email to hpke-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status