RFC Errata
RFC 9180, "Hybrid Public Key Encryption", February 2022
Source of RFC: IRTF
See Also: RFC 9180 w/ inline errata
Errata ID: 7790
Status: Verified
Type: Technical
Publication Format(s): TEXT, HTML
Reported By: Neil Madden
Date Reported: 2024-01-30
Verifier Name: Stanislav Smyshlyaev
Date Verified: 2024-04-27
Section 9.1.2 says:
A detailed computational analysis of HPKE's Auth mode single-shot encryption API has been done in [ABHKLR20]. The paper defines security notions for authenticated KEMs and for authenticated public key encryption, using the outsider and insider security terminology known from signcryption [SigncryptionDZ10]. The analysis proves that DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for all Diffie-Hellman groups specified in this document.
It should say:
A detailed computational analysis of HPKE's Auth mode single-shot encryption API has been done in [ABHKLR20]. The paper defines security notions for authenticated KEMs and for authenticated public key encryption, using the outsider and insider security terminology known from signcryption [SigncryptionDZ10]. The analysis proves that DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman groups specified in this document. It does not fulfill the notion of Insider-Auth defined in the paper.
Notes:
The referenced paper defines four notions of security, Outsider-CCA, Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE meets the first three, but, contrary to the current text of the RFC, it proves that it does *not* meet Insider-Auth security and that this is infeasible for HPKE. This is an important negative security result that should have been highlighted in the RFC.
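The following is an added example, not part of the erratum, the RFC, or the referenced paper. It implements DHKEM(X25519, HKDF-SHA256) AuthEncap()/AuthDecap() as specified in RFC 9180 Section 4.1 and then shows the mechanism behind the missing Insider-Auth guarantee: every Diffie-Hellman term in the KEM context is computable from the receiver's skR alone, so a holder of skR can produce an (enc, shared_secret) pair that AuthDecap() accepts as coming from pkS without skS ever being used. It assumes the `cryptography` package for X25519; the HKDF labeling is written out with `hmac`/`hashlib`.

```python
import hashlib, hmac
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

SUITE_ID = b"KEM" + (0x0020).to_bytes(2, "big")  # DHKEM(X25519, HKDF-SHA256), RFC 9180 Section 7.1

def labeled_extract(salt, label, ikm):  # LabeledExtract(), RFC 9180 Section 4
    return hmac.new(salt, b"HPKE-v1" + SUITE_ID + label + ikm, hashlib.sha256).digest()

def labeled_expand(prk, label, info, length=32):  # LabeledExpand(); one HKDF block covers Nsecret=32
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hmac.new(prk, labeled_info + b"\x01", hashlib.sha256).digest()[:length]

def extract_and_expand(dh, kem_context):  # ExtractAndExpand(), RFC 9180 Section 4.1
    return labeled_expand(labeled_extract(b"", b"eae_prk", dh), b"shared_secret", kem_context)

def raw(pk):  # SerializePublicKey() for X25519
    return pk.public_bytes(Encoding.Raw, PublicFormat.Raw)

def auth_encap(pkR, skS):  # sender side: dh = DH(skE, pkR) || DH(skS, pkR)
    skE = X25519PrivateKey.generate()
    enc = raw(skE.public_key())
    dh = skE.exchange(pkR) + skS.exchange(pkR)
    return extract_and_expand(dh, enc + raw(pkR) + raw(skS.public_key())), enc

def auth_decap(enc, skR, pkS):  # receiver side: dh = DH(skR, pkE) || DH(skR, pkS)
    pkE = X25519PublicKey.from_public_bytes(enc)
    dh = skR.exchange(pkE) + skR.exchange(pkS)
    return extract_and_expand(dh, enc + raw(skR.public_key()) + raw(pkS))

def receiver_side_encap(skR, pkS):
    # Insider view (constructed for this example): both DH terms follow from skR alone, since
    # DH(skE, pkR) == DH(skR, pkE) and DH(skS, pkR) == DH(skR, pkS). skS is never touched.
    skE = X25519PrivateKey.generate()
    enc = raw(skE.public_key())
    dh = skR.exchange(skE.public_key()) + skR.exchange(pkS)
    return extract_and_expand(dh, enc + raw(skR.public_key()) + raw(pkS)), enc

def demo():
    skS, skR = X25519PrivateKey.generate(), X25519PrivateKey.generate()
    pkS, pkR = skS.public_key(), skR.public_key()
    ss, enc = auth_encap(pkR, skS)
    honest_ok = ss == auth_decap(enc, skR, pkS)           # normal Auth-mode round trip
    ss2, enc2 = receiver_side_encap(skR, pkS)
    insider_accepted = ss2 == auth_decap(enc2, skR, pkS)  # AuthDecap() cannot tell the two apart
    return honest_ok, insider_accepted
```

Both checks come out True, which is exactly the erratum's point: Auth mode binds the sender only against parties who do not hold skR (Outsider-Auth), and a deployment whose threat model includes compromise of the receiver's key cannot rely on the KEM alone for sender authentication.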