[hpke] Re: purpose and practice for aad and info parameters
Laurence Lundblade <lgl@island-resort.com> Wed, 11 March 2026 17:55 UTC
Return-Path: <lgl@island-resort.com>
X-Original-To: hpke@mail2.ietf.org
Delivered-To: hpke@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 495BEC85DD64 for <hpke@mail2.ietf.org>; Wed, 11 Mar 2026 10:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.695
X-Spam-Level:
X-Spam-Status: No, score=-1.695 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=island-resort.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wUNXqJmnMnyi for <hpke@mail2.ietf.org>; Wed, 11 Mar 2026 10:55:55 -0700 (PDT)
Received: from sender4-pp-f112.zoho.com (sender4-pp-f112.zoho.com [136.143.188.112]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8FE1FC85DD5F for <hpke@ietf.org>; Wed, 11 Mar 2026 10:55:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773251741; cv=none; d=zohomail.com; s=zohoarc; b=FCS5uz2FHjWkh0L//Rez3uJRXa3Rd2moiHb1clIDG+4RIoVsVyNfOFPMMRWUFFkaKnKpYAmnBqS8jY0/KTHZyi0NQz+oW62/chQrVT3uQI+Qjhj4sAwMHIXteuLjlPIokdMKRrM92EZFknk113+6OXAIwpB76TPxKAHT/oOkMZs=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1773251741; h=Content-Type:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=i5kyEVRDIe2sdslj0RoIGEVBlgYvgV1pC+/nM5DtAGU=; b=dgCXMYokBaKioFGtSAhqAu4ogfaZG+7+rNlE7ezgLywug8NZTs8SFkHSLFpTXcCjdiCPJnaPGzFidSCAD2VmOq6ObR9WUy0koXdXobVqZAJtmqHm/SY2Bb3LSOg1EkWKrYzI4c+jCDjHIWfZd2OkDokEotzxdnSevEtCuz85slc=
ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=island-resort.com; spf=pass smtp.mailfrom=lgl@island-resort.com; dmarc=pass header.from=<lgl@island-resort.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1773251741; s=island; d=island-resort.com; i=lgl@island-resort.com; h=From:From:Message-Id:Message-Id:Content-Type:Mime-Version:Subject:Subject:Date:Date:In-Reply-To:Cc:Cc:To:To:References:Reply-To; bh=i5kyEVRDIe2sdslj0RoIGEVBlgYvgV1pC+/nM5DtAGU=; b=djhdJmXvBWH+EUT27ML6AkCmVhzxjonohluha+IpwbSuCxRDtgFTk/tLGBPOE+mb 078Y4NgReFTpvqNdyx/fISlhq0VtHtiCSQoC/TpRFBXuYhAveb3lCOVTkYqzjEoYOIG djgdo/u+8nZtELcXvPVtq4e+hJ1LpqMW1vHZrM5M=
Received: by mx.zohomail.com with SMTPS id 1773251738672414.63946722738683; Wed, 11 Mar 2026 10:55:38 -0700 (PDT)
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <BBD1134B-7CB6-457F-8E84-B3A432ECF439@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C1B40B41-FE17-4A78-86EF-6CB9F96FB890"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.500.181.1.5\))
Date: Wed, 11 Mar 2026 10:55:27 -0700
In-Reply-To: <abB7dLfYJpCMNqwK@LK-Perkele-VII2.locald>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <EF1711CD-13C9-4A57-8CF7-A659FDE68859@island-resort.com> <abB7dLfYJpCMNqwK@LK-Perkele-VII2.locald>
X-Mailer: Apple Mail (2.3826.500.181.1.5)
X-ZohoMailClient: External
Message-ID-Hash: NX2IPJSQLTYNKVNG4L2IT3KSS5PMHHOJ
X-Message-ID-Hash: NX2IPJSQLTYNKVNG4L2IT3KSS5PMHHOJ
X-MailFrom: lgl@island-resort.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: hpke@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [hpke] Re: purpose and practice for aad and info parameters
List-Id: "Hybrid Public Key Exchange (HPKE) Publication, Kept Efficient (hpke) to discuss updates and improvements to HPKE." <hpke.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/hpke/wzFKBz5-O24KEHJSTIPgKkGWs3M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hpke>
List-Help: <mailto:hpke-request@ietf.org?subject=help>
List-Owner: <mailto:hpke-owner@ietf.org>
List-Post: <mailto:hpke@ietf.org>
List-Subscribe: <mailto:hpke-join@ietf.org>
List-Unsubscribe: <mailto:hpke-leave@ietf.org>
> On Mar 10, 2026, at 1:13 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > > On Tue, Mar 10, 2026 at 11:26:27AM -0700, Laurence Lundblade wrote: >> Is this correct? >> >> aad: Useful for authenticating data (but note that in mode_base, this >> authentication is not strong, not equivalent to signing). >> >> info: Useful for authenticating data (same as aad) AND influencing >> the key schedule and context set up. >> >> There’s not really any difference of substance between aad and info >> for authenticating additional data except info sometimes has some >> size limitations that aad does not. Data to be authenticated is not >> difficult to understand and isn’t required for security reasons like >> info might be. >> >> >> The question, then, is when info is actually needed for security >> reasons? > > - For protocol separation. > - For mode separation (if AAD does not do it reliably). > - Authenticating session (as opposed to message) data. Right, but wouldn’t the aad parameter to HPKE Seal/Open work just as well for these? By protocol, you mean the application protocol using HPKE, right? By mode, you mean HPKE modes (base, psk,…) Or, maybe you want these in info so they are part of domain separation? Maybe domain separation is the main way to characterize the difference between info and aad? > - For SuppPrivInfo (using aad for this is insecure!). > > The first two are the most common ones. For those, 64 bytes should be > plenty. > > >> [Section 5.2 of RFC 9053] defines a fairly complex mechanism for this >> and refers to [SP800-56A] for guidance on how and when. HPKE does not >> include an equivalent discussion. > > Most of those fields are either meaningless or implicit in HPKE. > > >> This is a bit above my pay grade, but my understanding is that HPKE, >> as designed and used with the registered algorithms, should remain >> secure even if the info parameter is empty. Can someone confirm that? >> It seems like an important point. >> >> That said, it seems possible to use the HPKE framework with poor >> algorithms or a weak random number generator where input via the info >> is necessary for the reasons discussed in [SP800-56A]. In other words, >> not every conceivable use of HPKE is guaranteed to be secure enough >> that info can be empty. > > Including SuppPrivInfo might help with a bad KEM, but it will not help > with a bad AEAD. Bad KDF is mostly not a thing. I note that compensating for a bad RNG is an explicit non-goal of HPKE. That seems like a really good choice to me. Still, adding some pre-shared secret can increase security. Maybe the security issue is how the secret parts of the KEM are protected or managed has a little weakness and there’s a pre-shared secret that is stored or managed differently. Thanks for your response. LL
- [hpke] purpose and practice for aad and info para… Laurence Lundblade
- [hpke] Re: purpose and practice for aad and info … Ilari Liusvaara
- [hpke] Re: purpose and practice for aad and info … Laurence Lundblade