4. Cryptographic Dependencies
4. Cryptographic Dependencies
HPKE variants rely on the following primitives:
A key encapsulation mechanism (KEM):
-
GenerateKeyPair(): Randomized algorithm to generate a key pair (skX, pkX). -
DeriveKeyPair(ikm): Deterministic algorithm to derive a key pair (skX, pkX) from the byte string ikm, where ikm SHOULD have at least Nsk bytes of entropy (see Section 7.1.3 for discussion). -
SerializePublicKey(pkX): Produce a byte string of length Npk encoding the public key pkX. -
DeserializePublicKey(pkXm): Parse a byte string of length Npk to recover a public key. This function can raise aDeserializeErrorerror upon pkXm deserialization failure. -
Encap(pkR): Randomized algorithm to generate an ephemeral, fixed-length symmetric key (the KEM shared secret) and a fixed-length encapsulation of that key that can be decapsulated by the holder of the private key corresponding to pkR. This function can raise anEncapErroron encapsulation failure. -
Decap(enc, skR): Deterministic algorithm using the private key skR to recover the ephemeral symmetric key (the KEM shared secret) from its encapsulated representation enc. This function can raise aDecapErroron decapsulation failure. -
AuthEncap(pkR, skS)(optional): Same asEncap(), and the outputs encode an assurance that the KEM shared secret was generated by the holder of the private key skS. -
AuthDecap(enc, skR, pkS)(optional): Same asDecap(), and the recipient is assured that the KEM shared secret was generated by the holder of the private key skS. -
Nsecret: The length in bytes of a KEM shared secret produced by this KEM. -
Nenc: The length in bytes of an encapsulated key produced by this KEM. -
Npk: The length in bytes of an encoded public key for this KEM. -
Nsk: The length in bytes of an encoded private key for this KEM.
A key derivation function (KDF):
-
Extract(salt, ikm): Extract a pseudorandom key of fixed length Nh bytes from input keying material ikm and an optional byte string salt. -
Expand(prk, info, L): Expand a pseudorandom key prk using optional string info into L bytes of output keying material. -
Nh: The output size of theExtract()function in bytes.
An AEAD encryption algorithm [RFC5116]:
-
Seal(key, nonce, aad, pt): Encrypt and authenticate plaintext pt with associated data aad using symmetric key key and nonce nonce, yielding ciphertext and tag ct. This function can raise aMessageLimitReachedErrorupon failure. -
Open(key, nonce, aad, ct): Decrypt ciphertext and tag ct using associated data aad with symmetric key key and nonce nonce, returning plaintext message pt. This function can raise anOpenErrororMessageLimitReachedErrorupon failure. -
Nk: The length in bytes of a key for this algorithm. -
Nn: The length in bytes of a nonce for this algorithm. -
Nt: The length in bytes of the authentication tag for this algorithm.
Beyond the above, a KEM MAY also expose the following functions, whose behavior is detailed in Section 7.1.2:
-
SerializePrivateKey(skX): Produce a byte string of length Nsk encoding the private key skX. -
DeserializePrivateKey(skXm): Parse a byte string of length Nsk to recover a private key. This function can raise aDeserializeErrorerror upon skXm deserialization failure.
A ciphersuite is a triple (KEM, KDF, AEAD) containing a choice of algorithm for each primitive.
A set of algorithm identifiers for concrete instantiations of these primitives is provided in Section 7. Algorithm identifier values are two bytes long.
Note that GenerateKeyPair can be implemented as DeriveKeyPair(random(Nsk)).
The notation pk(skX), depending on its use and the KEM and its implementation, is either the computation of the public key using the private key, or just syntax expressing the retrieval of the public key, assuming it is stored along with the private key object.
The following two functions are defined to facilitate domain separation of KDF calls as well as context binding:
def LabeledExtract(salt, label, ikm):
labeled_ikm = concat("HPKE-v1", suite_id, label, ikm)
return Extract(salt, labeled_ikm)
def LabeledExpand(prk, label, info, L):
labeled_info = concat(I2OSP(L, 2), "HPKE-v1", suite_id,
label, info)
return Expand(prk, labeled_info, L)
The value of suite_id depends on where the KDF is used; it is assumed implicit from the implementation and not passed as a parameter. If used inside a KEM algorithm, suite_id MUST start with "KEM" and identify this KEM algorithm; if used in the remainder of HPKE, it MUST start with "HPKE" and identify the entire ciphersuite in use. See Sections 4.1 and 5.1 for details.