cfrg / draft-irtf-cfrg-hpke

Hybrid Public Key Encryption

Add some color to post quantum proof discussion #98

Closed chris-wood closed 4 years ago

chris-wood commented 4 years ago

From https://mailarchive.ietf.org/arch/msg/cfrg/ZcTCJkilzCDshxsIj7MwKHNlNuM/

Section 8.1: "A full proof of post-quantum security .". Although we understand that a full proof of post-quantum security may not be achievable within the timeline of this draft's publication, we would nevertheless recommend some additional discussion on what might be desirable to prove. In the draft, the PSK is employed as an authentication factor, so presumably the proof being contemplated would be that authentication in the modes involving PSKs remains secure against a quantum computer. A stronger property would be more attractive: that encryption in the PSK modes remains secure against a quantum computer, whether the KEM itself is post-quantum or not. If the authors consider this property plausible, then it should be mentioned here as a goal for security analysis. If not, then the reasons for not targeting this property should also be given.

blipp commented 4 years ago

These are some excellent points!

PSK is also strengthening confidentiality

Indeed we are only talking about authentication with respect to the PSK:

The analysis I did in CryptoVerif shows that confidentiality remains if the KEM keys are compromised (or if the KEM keys are not compromised but the PSK is compromised). So we should indeed add this as a desired security property, with pretty much the same reasoning as employed by WireGuard, see Section 5.2 in the WireGuard whitepaper.

Authentication provided by PSK in quantum setting

In the same way, the analysis shows that authentication remains if KEM keys are compromised, or if the PSK is compromised but not the KEM keys.

So, in a way, this is just about discussing desired security properties in different compromise cases, where certain compromise cases are especially relevant because of quantum adversaries.

Minor nit

By the way, in Security Properties, we should add that the PSK mode is also providing sender authentication.

Sender authentication: Proof of sender origin for Auth and AuthPSK modes

Later, in Metadata Protection, PSK mode is correctly listed as authenticated mode.

The authenticated modes of HPKE (PSK, Auth, AuthPSK) require […]

I'll try to find time to draft a pull request.
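As an added illustration of the compromise cases discussed above (this code is not from the thread, the draft, or any HPKE library), here is the PSK-mode key schedule as it appears in the published RFC 9180, hand-written in Python; the draft revision under discussion used an earlier key schedule, so treat the labels and suite constants as the final RFC's rather than the draft's. The point it shows is that the KEM shared secret and the PSK enter a single HKDF extract, so an adversary who holds only one of them (KEM keys broken by a quantum attacker, or PSK leaked) derives a different key.

```python
import hashlib
import hmac

# Suite constants from RFC 9180: DHKEM(X25519, HKDF-SHA256)=0x0020, HKDF-SHA256=0x0001, AES-128-GCM=0x0001
SUITE_ID = b"HPKE" + bytes.fromhex("0020") + bytes.fromhex("0001") + bytes.fromhex("0001")
MODE_BASE, MODE_PSK, MODE_AUTH, MODE_AUTH_PSK = 0x00, 0x01, 0x02, 0x03
NK, NN, NH = 16, 12, 32  # AES-128-GCM key and nonce sizes, SHA-256 output size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()  # HMAC zero-pads an empty salt, as RFC 5869 requires

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)

def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(prk, length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info, length)

def key_schedule(mode: int, shared_secret: bytes, info: bytes, psk: bytes = b"", psk_id: bytes = b""):
    # VerifyPSKInputs: psk and psk_id come together, and only in the PSK and AuthPSK modes
    if bool(psk) != bool(psk_id): raise ValueError("Inconsistent PSK inputs")
    if psk and mode in (MODE_BASE, MODE_AUTH): raise ValueError("PSK input provided when not needed")
    if not psk and mode in (MODE_PSK, MODE_AUTH_PSK): raise ValueError("Missing required PSK input")
    psk_id_hash = labeled_extract(b"", b"psk_id_hash", psk_id)
    info_hash = labeled_extract(b"", b"info_hash", info)
    context = bytes([mode]) + psk_id_hash + info_hash
    # The KEM shared secret is the salt and the PSK is the IKM of one extract: knowing one alone does not give `secret`
    secret = labeled_extract(shared_secret, b"secret", psk)
    key = labeled_expand(secret, b"key", context, NK)
    base_nonce = labeled_expand(secret, b"base_nonce", context, NN)
    exporter_secret = labeled_expand(secret, b"exp", context, NH)
    return key, base_nonce, exporter_secret

# Constructed stand-in inputs (not RFC test vectors) for the KEM output, the PSK, its id, and the info string
SHARED_SECRET, PSK, PSK_ID, INFO = b"\x11" * 32, b"\x22" * 32, b"example psk id", b"example info"

def compromise_cases() -> dict:
    """Compare the real key with what an adversary derives when it knows only one of the two secrets."""
    real_key = key_schedule(MODE_PSK, SHARED_SECRET, INFO, PSK, PSK_ID)[0]
    kem_only = key_schedule(MODE_PSK, SHARED_SECRET, INFO, b"\x00" * 32, PSK_ID)[0]  # KEM known, PSK unknown
    psk_only = key_schedule(MODE_PSK, b"\x00" * 32, INFO, PSK, PSK_ID)[0]  # PSK known, KEM secret unknown
    return {"kem_only_matches": kem_only == real_key, "psk_only_matches": psk_only == real_key}
```

The zero-filled stand-ins model an adversary's guess for the secret it lacks; any other guess gives an equally unrelated key, since `secret` is pseudorandom in whichever input stays hidden.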

chris-wood commented 4 years ago

Fixed in #119.