RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 9180, "Hybrid Public Key Encryption", February 2022

Source of RFC: IRTF

Errata ID: 7790
Status: Reported
Type: Technical
Publication Format(s) : TEXT, HTML

Reported By: Neil Madden
Date Reported: 2024-01-30

Section 9.1.2 says:

   A detailed computational analysis of HPKE's Auth mode single-shot
   encryption API has been done in [ABHKLR20].  The paper defines
   security notions for authenticated KEMs and for authenticated public
   key encryption, using the outsider and insider security terminology
   known from signcryption [SigncryptionDZ10].  The analysis proves that
   DHKEM's AuthEncap()/AuthDecap() interface fulfills these notions for
   all Diffie-Hellman groups specified in this document. 

It should say:

   A detailed computational analysis of HPKE's Auth mode single-shot
   encryption API has been done in [ABHKLR20].  The paper defines
   security notions for authenticated KEMs and for authenticated public
   key encryption, using the outsider and insider security terminology
   known from signcryption [SigncryptionDZ10].  The analysis proves that
   DHKEM's AuthEncap()/AuthDecap() interface fulfills the notions of 
   Outsider-CCA, Insider-CCA, and Outsider-Auth for all Diffie-Hellman 
   groups specified in this document. It does not fulfill the notion of
   Insider-Auth defined in the paper.

Notes:

The referenced paper defines four notions of security, Outsider-CCA, Insider-CCA, Outsider-Auth, and Insider-Auth. It proves that HPKE meets the first three, but, contrary to the current text of the RFC, it proves that it does *not* meet Insider-Auth security and that this is infeasible for HPKE. This is an important negative security result that should have been highlighted in the RFC.

Report New Errata



Advanced Search