[openpgp] Re: Deterministic generation of (symmetric) public key params from private key params

Justus Winter <justus@sequoia-pgp.org> Thu, 14 November 2024 15:41 UTC

From: Justus Winter <justus@sequoia-pgp.org>
To: Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org>
In-Reply-To: <prYwCJCeUbCUx9PF-bWdQf-DpImAj18NQ9VhjOH0NpT-6WFmO_4JHrmI-2x0laDmEKjVVEif6GPZJa4rhz64k8-2-aZW6Og03YG6RLeGtfA=@protonmail.com>
References: <FxKXcgs81L4JQJjqV8sB_941ghtKVj5cjVYx6povy95enL27NdtRWhG5cLgElc9jJXQRqFqbTroNYlSL1agjgDVfRTmKJtKVwJkC0U1PmS8=@protonmail.com> <87a5e3xmba.fsf@europ.lan> <prYwCJCeUbCUx9PF-bWdQf-DpImAj18NQ9VhjOH0NpT-6WFmO_4JHrmI-2x0laDmEKjVVEif6GPZJa4rhz64k8-2-aZW6Og03YG6RLeGtfA=@protonmail.com>
Date: Thu, 14 Nov 2024 16:41:21 +0100
Message-ID: <877c95yg9q.fsf@europ.lan>
CC: IETF OpenPGP WG <openpgp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/yNYRFGdYkN5Xh5VrwzckTEtVNQA>

Hi Daniel :)

Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> writes:

> On Wednesday, November 13th, 2024 at 15:03, Justus Winter wrote:
>> I don't understand the motivation for the hash seed in the first place.
>> Why not derive a mock public key from the secret key, i.e. include
>> SHA2-256(persistent symmetric key material) in the algorithm-specific
>> bits of the public key packet?
>
> I'm not 100% sure this is safe in all scenarios. For an AES-256 key it
> probably is, but for an AES-128 key, due to the birthday paradox, after
> "only" 2^64 keys there's a ~50% chance that two people will share a key.
>
> If the encrypted private keys are stored on a server, like Proton does,
> then the server can find out which two users share a private key by
> looking at the public key material; and ask one user to decrypt a
> message of the other user, for example. That seems bad.
>
> We could say that persistent symmetric keys may only be used with >=256
> bit keys, but having a separate hash seed just seemed simpler and easier
> to reason about.

Interesting.  What about also hashing in the other metadata (i.e. the
timestamp)?  Then, the problem arises only if you have 2^64 users
creating a symmetric key at the exact same time.

Best,
Justus
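As an added example (not code from this thread, nor from Sequoia or Proton), the two derivations under discussion side by side in Python: the bare SHA2-256 of the key from the quoted proposal, and the reply's variant that also hashes in the creation timestamp, together with the birthday estimate behind the 2^64 figure and the linkage check a storage server could run on public material alone. The sample keys, user names and timestamps are constructed, and the byte layout (4-octet big-endian creation time, as in OpenPGP key packets, followed by the key) is an assumption of this example.

```python
import hashlib
import math
import struct
from collections import defaultdict
from typing import Dict, List, Optional


def derive_public_bits(key: bytes, creation_time: Optional[int] = None) -> bytes:
    """Mock 'public key' material for a persistent symmetric key.

    creation_time=None: bare SHA2-256(key), as in the quoted proposal.
    Otherwise the 4-octet big-endian creation time (OpenPGP key packet
    format) is hashed in first; this layout is an assumption here.
    """
    h = hashlib.sha256()
    if creation_time is not None:
        h.update(struct.pack(">I", creation_time))
    h.update(key)
    return h.digest()


def birthday_collision_prob(key_bits: int, n_keys: int) -> float:
    """P(at least two of n_keys random key_bits-bit keys coincide),
    birthday approximation 1 - exp(-n^2 / 2^(key_bits+1))."""
    return -math.expm1(-(n_keys * n_keys) / 2 ** (key_bits + 1))


def linkable_groups(public_packets: Dict[str, bytes]) -> List[List[str]]:
    """What a server holding only public material learns: users whose
    derived bits are identical, and therefore share the same key."""
    by_bits: Dict[bytes, List[str]] = defaultdict(list)
    for user, bits in public_packets.items():
        by_bits[bits].append(user)
    return [users for users in by_bits.values() if len(users) > 1]


# Constructed sample: alice and bob happened to generate the same AES-128
# key (the collision event the thread worries about); carol's differs.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def demo() -> tuple:
    """Returns (linkable groups with bare hash, with timestamp mixed in)."""
    bare = {"alice": derive_public_bits(SHARED_KEY),
            "bob": derive_public_bits(SHARED_KEY),
            "carol": derive_public_bits(OTHER_KEY)}
    stamped = {"alice": derive_public_bits(SHARED_KEY, 1731600000),  # constructed times
               "bob": derive_public_bits(SHARED_KEY, 1731603600),
               "carol": derive_public_bits(OTHER_KEY, 1731600000)}
    return linkable_groups(bare), linkable_groups(stamped)
```

Note that two users who draw the same key in the same second still collide under the timestamped variant, which is exactly the residual case the reply describes.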