Closed chris-wood closed 4 years ago
These are some excellent points!
Indeed we are only talking about authentication with respect to the PSK:
> If the psk and pskID arguments are provided, then the recipient is assured that the sender held the PSK.

> This variant extends the base mechanism by allowing the recipient to authenticate that the sender possessed a given pre-shared key (PSK).
The analysis I did in CryptoVerif shows that confidentiality remains if the KEM keys are compromised (or if the KEM keys are not compromised but the PSK is compromised). So we should indeed add this as a desired security property, with pretty much the same reasoning as employed by WireGuard, see Section 5.2 in the WireGuard whitepaper.
In the same way, the analysis shows that authentication remains if KEM keys are compromised, or if the PSK is compromised but not the KEM keys.
So, in a way, this is just about discussing desired security properties in different compromise cases, where certain compromise cases are especially relevant because of quantum adversaries.
By the way, in Security Properties, we should add that the PSK mode is also providing sender authentication.
> Sender authentication: Proof of sender origin for Auth and AuthPSK modes
Later, in Metadata Protection, PSK mode is correctly listed as authenticated mode.
> The authenticated modes of HPKE (PSK, Auth, AuthPSK) require […]
I'll try to find time to draft a pull request.
Fixed in #119.
From https://mailarchive.ietf.org/arch/msg/cfrg/ZcTCJkilzCDshxsIj7MwKHNlNuM/
Section 8.1: "A full proof of post-quantum security." Although we understand that a full proof of post-quantum security may not be achievable within the timeline of this draft's publication, we would nevertheless recommend some additional discussion on what might be desirable to prove. In the draft, the PSK is employed as an authentication factor, so presumably the proof being contemplated would be that authentication in the modes involving PSKs remains secure against a quantum computer. A stronger property would be more attractive: that encryption in the PSK modes remains secure against a quantum computer, whether the KEM itself is post-quantum or not. If the authors consider this property plausible, then it should be mentioned here as a goal for security analysis. If not, then the reasons for not targeting this property should also be given.