Re: [MLS] DeriveKeyPair IKM size

Rohan Mahy <rohan.ietf@gmail.com> Thu, 14 March 2024 23:52 UTC

To: Simon Ser <contact@emersion.fr>
Cc: "mls@ietf.org" <mls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/XxXDLH_fEMfrXVR5mnoW-_A32-c>

Hi Simon,
The issue you are pointing out is an issue with HPKE (RFC9180) which was a
product of the CFRG research group, and should probably be discussed there.

That said, it seems like the intention was that ikm needs to have enough
entropy to maintain the target security level (twice the number of octets
as in the target security level).
Note that [XWing] also contraindicates the SHOULD in [HPKE] Section 7.1.3,
because 2432 octets of entropy is excessive, and 32 octets is expected to
be sufficient.

Thanks,
-rohan

[XWing] https://www.ietf.org/archive/id/draft-connolly-cfrg-xwing-kem-01.html#name-use-in-hpke
[HPKE] https://www.rfc-editor.org/rfc/rfc9180.html#derive-key-pair



On Thu, Mar 14, 2024 at 9:18 AM Simon Ser <contact@emersion.fr> wrote:

> Hi,
>
> In [1] I reported that some MLS cipher suites will pass an IKM to DeriveKeyPair
> which doesn't match the recommendations of HPKE. The HPKE RFC says:
>
> > For a given KEM, the ikm parameter given to DeriveKeyPair() SHOULD have length
> > at least Nsk, and SHOULD have at least Nsk bytes of entropy.
>
> But MLS cipher suite 0x05 will pass an IKM with size 64, while Nsk = 66.
>
> Is this intentional?
>
> Simon
>
> [1]: https://github.com/cloudflare/circl/issues/486#issuecomment-1996056891
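The derivation this thread discusses, as an added example that is not part of either message and not taken from any MLS or HPKE implementation: the private-scalar half of RFC 9180 DeriveKeyPair() for DHKEM(P-521, HKDF-SHA512), run on a 64-byte IKM such as the thread says MLS cipher suite 0x05 supplies. It shows that the IKM is first passed through HKDF-Extract into a 64-byte `dkp_prk`, from which the 66-byte (Nsk) candidate is expanded, so the derivation completes while the length SHOULD goes unmet. The function names, the `ikm_report` helper and the sample IKM are constructed for illustration, and the public key computation is omitted.

```python
import hashlib
import hmac

# DHKEM(P-521, HKDF-SHA512) parameters from RFC 9180.
KEM_ID = 0x0012
NSK = 66          # private key length in bytes
BITMASK = 0x01    # keeps one bit of the top byte: 521 bits in total
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")
ORDER = int("01FF" + "F" * 63 + "A"
            "51868783BF2F966B7FCC0148F709A5D0"
            "3BB5C9B8899C47AEBB6FB71E91386409", 16)  # P-521 group order

def labeled_extract(salt, label, ikm):
    # HKDF-Extract over "HPKE-v1" || suite_id || label || ikm; empty salt = zeros.
    labeled_ikm = b"HPKE-v1" + SUITE_ID + label + ikm
    return hmac.new(salt or b"\x00" * 64, labeled_ikm, hashlib.sha512).digest()

def labeled_expand(prk, label, info, length):
    # HKDF-Expand over I2OSP(L, 2) || "HPKE-v1" || suite_id || label || info.
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + labeled_info + bytes([i]), hashlib.sha512).digest()
        okm += block
        i += 1
    return okm[:length]

def derive_private_key(ikm):
    """Scalar part of DeriveKeyPair() for P-521; returns Nsk big-endian bytes."""
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)  # always 64 bytes
    for counter in range(256):                        # rejection sampling
        cand = bytearray(labeled_expand(dkp_prk, b"candidate", bytes([counter]), NSK))
        cand[0] &= BITMASK
        sk = int.from_bytes(cand, "big")
        if 0 < sk < ORDER:
            return sk.to_bytes(NSK, "big")
    raise ValueError("DeriveKeyPairError")

def ikm_report(ikm):
    # Hypothetical helper: compares the IKM length with the RFC 9180 SHOULD.
    sk = derive_private_key(ikm)
    return {"ikm_len": len(ikm), "sk_len": len(sk), "meets_should": len(ikm) >= NSK}

if __name__ == "__main__":
    print(ikm_report(bytes(range(64))))  # constructed 64-byte IKM
    print(ikm_report(bytes(range(66))))  # constructed 66-byte IKM
```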