Hybrid Public Key Encryption
draft-irtf-cfrg-hpke-04
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9180.
|
|
|---|---|---|---|
| Authors | Richard Barnes , Karthikeyan Bhargavan , Christopher A. Wood | ||
| Last updated | 2020-05-09 (Latest revision 2020-05-08) | ||
| Replaces | draft-barnes-cfrg-hpke | ||
| RFC stream | Internet Research Task Force (IRTF) | ||
| Formats | |||
| IETF conflict review | conflict-review-irtf-cfrg-hpke, conflict-review-irtf-cfrg-hpke, conflict-review-irtf-cfrg-hpke, conflict-review-irtf-cfrg-hpke, conflict-review-irtf-cfrg-hpke, conflict-review-irtf-cfrg-hpke | ||
| Additional resources | Mailing list discussion | ||
| Stream | IRTF state | In RG Last Call | |
| Consensus boilerplate | Yes | ||
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 9180 (Informational) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-irtf-cfrg-hpke-04
Network Working Group R.L. Barnes
Internet-Draft Cisco
Intended status: Informational K. Bhargavan
Expires: 9 November 2020 Inria
C.A. Wood
Cloudflare
8 May 2020
Hybrid Public Key Encryption
draft-irtf-cfrg-hpke-04
Abstract
This document describes a scheme for hybrid public-key encryption
(HPKE). This scheme provides authenticated public key encryption of
arbitrary-sized plaintexts for a recipient public key. HPKE works
for any combination of an asymmetric key encapsulation mechanism
(KEM), key derivation function (KDF), and authenticated encryption
with additional data (AEAD) encryption function. We provide
instantiations of the scheme using widely-used and efficient
primitives.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 9 November 2020.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Barnes, et al. Expires 9 November 2020 [Page 1]
Internet-Draft HPKE May 2020
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4
3. Notation . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Cryptographic Dependencies . . . . . . . . . . . . . . . . . 5
4.1. DH-Based KEM . . . . . . . . . . . . . . . . . . . . . . 6
5. Hybrid Public Key Encryption . . . . . . . . . . . . . . . . 9
5.1. Creating the Encryption Context . . . . . . . . . . . . . 10
5.1.1. Encryption to a Public Key . . . . . . . . . . . . . 13
5.1.2. Authentication using a Pre-Shared Key . . . . . . . . 13
5.1.3. Authentication using an Asymmetric Key . . . . . . . 14
5.1.4. Authentication using both a PSK and an Asymmetric
Key . . . . . . . . . . . . . . . . . . . . . . . . . 15
5.2. Encryption and Decryption . . . . . . . . . . . . . . . . 15
5.3. Secret Export . . . . . . . . . . . . . . . . . . . . . . 16
6. Single-Shot APIs . . . . . . . . . . . . . . . . . . . . . . 17
7. Algorithm Identifiers . . . . . . . . . . . . . . . . . . . . 17
7.1. Key Encapsulation Mechanisms (KEMs) . . . . . . . . . . . 17
7.1.1. Marshal . . . . . . . . . . . . . . . . . . . . . . . 18
7.1.2. Validation of Inputs and Outputs . . . . . . . . . . 18
7.2. Key Derivation Functions (KDFs) . . . . . . . . . . . . . 18
7.3. Authenticated Encryption with Associated Data (AEAD)
Functions . . . . . . . . . . . . . . . . . . . . . . . . 19
8. Security Considerations . . . . . . . . . . . . . . . . . . . 19
8.1. Security Properties . . . . . . . . . . . . . . . . . . . 19
8.2. Security Requirements on a KEM used within HPKE . . . . . 21
8.3. Security Requirements on a KDF . . . . . . . . . . . . . 22
8.4. Pre-Shared Key Recommendations . . . . . . . . . . . . . 22
8.5. Domain Separation . . . . . . . . . . . . . . . . . . . . 22
8.6. External Requirements / Non-Goals . . . . . . . . . . . . 23
8.7. Metadata Protection . . . . . . . . . . . . . . . . . . . 24
8.8. Designated-Verifier Signature . . . . . . . . . . . . . . 24
9. Message Encoding . . . . . . . . . . . . . . . . . . . . . . 25
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
10.1. KEM Identifiers . . . . . . . . . . . . . . . . . . . . 25
10.2. KDF Identifiers . . . . . . . . . . . . . . . . . . . . 26
10.3. AEAD Identifiers . . . . . . . . . . . . . . . . . . . . 26
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
11.1. Normative References . . . . . . . . . . . . . . . . . . 26
11.2. Informative References . . . . . . . . . . . . . . . . . 27
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 29
Barnes, et al. Expires 9 November 2020 [Page 2]
Internet-Draft HPKE May 2020
A.1. DHKEM(Curve25519, HKDF-SHA256), HKDF-SHA256,
AES-GCM-128 . . . . . . . . . . . . . . . . . . . . . . . 29
A.1.1. Base Setup Information . . . . . . . . . . . . . . . 29
A.1.2. PSK Setup Information . . . . . . . . . . . . . . . . 31
A.1.3. Auth Setup Information . . . . . . . . . . . . . . . 33
A.1.4. AuthPSK Setup Information . . . . . . . . . . . . . . 35
A.2. DHKEM(Curve25519, HKDF-SHA256), HKDF-SHA256,
ChaCha20Poly1305 . . . . . . . . . . . . . . . . . . . . 37
A.2.1. Base Setup Information . . . . . . . . . . . . . . . 37
A.2.2. PSK Setup Information . . . . . . . . . . . . . . . . 39
A.2.3. Auth Setup Information . . . . . . . . . . . . . . . 41
A.2.4. AuthPSK Setup Information . . . . . . . . . . . . . . 43
A.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-GCM-128 . . . 45
A.3.1. Base Setup Information . . . . . . . . . . . . . . . 45
A.3.2. PSK Setup Information . . . . . . . . . . . . . . . . 47
A.3.3. Auth Setup Information . . . . . . . . . . . . . . . 49
A.3.4. AuthPSK Setup Information . . . . . . . . . . . . . . 51
A.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256,
ChaCha20Poly1305 . . . . . . . . . . . . . . . . . . . . 53
A.4.1. Base Setup Information . . . . . . . . . . . . . . . 53
A.4.2. PSK Setup Information . . . . . . . . . . . . . . . . 55
A.4.3. Auth Setup Information . . . . . . . . . . . . . . . 57
A.4.4. AuthPSK Setup Information . . . . . . . . . . . . . . 59
A.5. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-GCM-256 . . . 61
A.5.1. Base Setup Information . . . . . . . . . . . . . . . 61
A.5.2. PSK Setup Information . . . . . . . . . . . . . . . . 63
A.5.3. Auth Setup Information . . . . . . . . . . . . . . . 65
A.5.4. AuthPSK Setup Information . . . . . . . . . . . . . . 67
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 69
1. Introduction
"Hybrid" public-key encryption schemes (HPKE) that combine asymmetric
and symmetric algorithms are a substantially more efficient solution
than traditional public key encryption techniques such as those based
on RSA or ElGamal. Encrypted messages convey an encryption key
encapsulated with a public-key scheme, along with one or more
ciphertexts encrypted using that key. This type of public key
encryption has many applications in practice, for example:
* PGP [RFC6637]
* Messaging Layer Security [I-D.ietf-mls-protocol]
* Encrypted Server Name Indication [I-D.ietf-tls-esni]
* Protection of 5G subscriber identities [fiveG]
Barnes, et al. Expires 9 November 2020 [Page 3]
Internet-Draft HPKE May 2020
Currently, there are numerous competing and non-interoperable
standards and variants for hybrid encryption, mostly based on ECIES,
including ANSI X9.63 (ECIES) [ANSI], IEEE 1363a [IEEE], ISO/IEC
18033-2 [ISO], and SECG SEC 1 [SECG]. See [MAEA10] for a thorough
comparison. All of these existing schemes have problems, e.g.,
because they rely on outdated primitives, lack proofs of IND-CCA2
security, or fail to provide test vectors.
This document defines an HPKE scheme that provides a subset of the
functions provided by the collection of schemes above, but specified
with sufficient clarity that they can be interoperably implemented
and formally verified. It is secure against (adaptive) chosen
ciphertext attacks (IND-CCA2 secure) under classical assumptions
about the underlying primitives [HPKEAnalysis]. A summary of this
analysis is in Section 8.1.
2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Notation
The following terms are used throughout this document to describe the
operations, roles, and behaviors of HPKE:
* Sender (S): Entity which sends an encrypted message.
* Recipient (R): Entity which receives an encrypted message.
* Ephemeral (E): A fresh random value meant for one-time use.
* "(skX, pkX)": A KEM key pair used in role X; "skX" is the private
key and "pkX" is the public key
* "pk(skX)": The public key corresponding to private key "skX"
* "encode_big_endian(x, n)": An byte string encoding the integer
value "x" as an n-byte big-endian value
* "concat(x0, ..., xN)": Concatenation of byte strings.
"concat(0x01, 0x0203, 0x040506) = 0x010203040506"
* "zero(n)": An all-zero byte string of length "n" bytes. "zero(4) =
0x00000000"
Barnes, et al. Expires 9 November 2020 [Page 4]
Internet-Draft HPKE May 2020
* "xor(a,b)": XOR of byte strings; "xor(0xF0F0, 0x1234) = 0xE2C4".
It is an error to call this function with two arguments of unequal
length.
4. Cryptographic Dependencies
HPKE variants rely on the following primitives:
* A Key Encapsulation Mechanism (KEM):
- GenerateKeyPair(): Generate a key pair (sk, pk)
- Marshal(pk): Produce a fixed-length byte string encoding the
public key "pk"
- Unmarshal(enc): Parse a fixed-length byte string to recover a
public key
- Encap(pk): Generate an ephemeral, fixed-length symmetric key
and a fixed-length encapsulation of that key that can be
decapsulated by the holder of the private key corresponding to
pk
- Decap(enc, sk): Use the private key "sk" to recover the
ephemeral symmetric key from its encapsulated representation
"enc"
- AuthEncap(pkR, skS) (optional): Same as Encap(), but the
outputs encode an assurance that the ephemeral shared key is
known only to the holder of the private key "skS"
- AuthDecap(skR, pkS) (optional): Same as Decap(), but the holder
of the private key "skR" is assured that the ephemeral shared
key is known only to the holder of the private key
corresponding to "pkS"
- Nzz: The length in bytes of a shared secret produced by this
KEM
- Nenc: The length in bytes of an encapsulated key produced by
this KEM
- Npk: The length in bytes of an encoded public key for this KEM
* A Key Derivation Function (KDF):
Barnes, et al. Expires 9 November 2020 [Page 5]
Internet-Draft HPKE May 2020
- Extract(salt, IKM): Extract a pseudorandom key of fixed length
"Nh" bytes from input keying material "IKM" and an optional
byte string "salt"
- Expand(PRK, info, L): Expand a pseudorandom key "PRK" using
optional string "info" into "L" bytes of output keying material
- Nh: The output size of the Extract function in bytes
* An AEAD encryption algorithm [RFC5116]:
- Seal(key, nonce, aad, pt): Encrypt and authenticate plaintext
"pt" with associated data "aad" using secret key "key" and
nonce "nonce", yielding ciphertext and tag "ct"
- Open(key, nonce, aad, ct): Decrypt ciphertext "ct" using
associated data "aad" with secret key "key" and nonce "nonce",
returning plaintext message "pt" or the error value "OpenError"
- Nk: The length in bytes of a key for this algorithm
- Nn: The length in bytes of a nonce for this algorithm
A set of algorithm identifiers for concrete instantiations of these
primitives is provided in Section 7. Algorithm identifier values are
two bytes long.
The following two functions are defined for a KDF to facilitate
domain separation of calls as well as context binding:
def LabeledExtract(salt, label, IKM):
labeledIKM = concat("RFCXXXX ", label, IKM)
return Extract(salt, labeledIKM)
def LabeledExpand(PRK, label, info, L):
labeledInfo = concat(encode_big_endian(L, 2),
"RFCXXXX ", label, info)
return Expand(PRK, labeledInfo, L)
[[RFC editor: please change "RFCXXXX" to the correct number before
publication.]]
4.1. DH-Based KEM
Suppose we are given a KDF, and a Diffie-Hellman group providing the
following operations:
Barnes, et al. Expires 9 November 2020 [Page 6]
Internet-Draft HPKE May 2020
* GenerateKeyPair(): Generate an ephemeral key pair "(sk, pk)" for
the DH group in use
* DH(sk, pk): Perform a non-interactive DH exchange using the
private key sk and public key pk to produce a Diffie-Hellman
shared secret of length Ndh
* Marshal(pk): Produce a byte string of length Npk encoding the
public key "pk"
* Unmarshal(enc): Parse a byte string of length Npk to recover a
public key
* Ndh: The length in bytes of a Diffie-Hellman shared secret
produced by the DH function of this KEM.
Then we can construct a KEM called "DHKEM(Group, KDF)" in the
following way, where "Group" denotes the Diffie-Hellman group and
"KDF" the KDF:
Barnes, et al. Expires 9 November 2020 [Page 7]
Internet-Draft HPKE May 2020
def ExtractAndExpand(dh, kemContext):
prk = LabeledExtract(zero(Nh), "dh", dh)
return LabeledExpand(prk, "prk", kemContext, Nzz)
def Encap(pkR):
skE, pkE = GenerateKeyPair()
dh = DH(skE, pkR)
enc = Marshal(pkE)
pkRm = Marshal(pkR)
kemContext = concat(enc, pkRm)
zz = ExtractAndExpand(dh, kemContext)
return zz, enc
def Decap(enc, skR):
pkE = Unmarshal(enc)
dh = DH(skR, pkE)
pkRm = Marshal(pk(skR))
kemContext = concat(enc, pkRm)
zz = ExtractAndExpand(dh, kemContext)
return zz
def AuthEncap(pkR, skS):
skE, pkE = GenerateKeyPair()
dh = concat(DH(skE, pkR), DH(skS, pkR))
enc = Marshal(pkE)
pkRm = Marshal(pkR)
pkSm = Marshal(pk(skS))
kemContext = concat(enc, pkRm, pkSm)
zz = ExtractAndExpand(dh, kemContext)
return zz, enc
def AuthDecap(enc, skR, pkS):
pkE = Unmarshal(enc)
dh = concat(DH(skR, pkE), DH(skR, pkS))
pkRm = Marshal(pk(skR))
pkSm = Marshal(pkS)
kemContext = concat(enc, pkRm, pkSm)
zz = ExtractAndExpand(dh, kemContext)
return zz
Barnes, et al. Expires 9 November 2020 [Page 8]
Internet-Draft HPKE May 2020
The KDF used in DHKEM can be equal to or different from the KDF used
in the remainder of HPKE, depending on the chosen variant.
Implementations MUST make sure to use the constants (Nh) and function
calls (LabeledExtract, LabeledExpand) of the appropriate KDF when
implementing DHKEM. See Section 8.3 for a comment on the choice of a
KDF for the remainder of HPKE, and Section 8.5 for the rationale of
the labels.
For the variants of DHKEM defined in this document, Ndh is equal to
Npk, and Nzz is equal to the output length of the hash function
underlying the KDF.
The GenerateKeyPair, Marshal, and Unmarshal functions are the same as
for the underlying DH group. The Marshal functions for the curves
referenced in {#ciphersuites} are as follows:
* P-256: A single byte set to 4, followed by the X-coordinate and
the Y-coordinate of the point, encoded as 32-byte big-endian
integers
* P-384: A single byte set to 4, followed by the X-coordinate and
the Y-coordinate of the point, encoded as 48-byte big-endian
integers
* P-521: A single byte set to 4, followed by the X-coordinate and
the Y-coordinate of the point, encoded as 66-byte big-endian
integers
* Curve25519: The standard 32-byte representation of the public key
* Curve448: The standard 56-byte representation of the public key
Senders and recipients MUST validate KEM inputs and outputs as
described in Section 7.1.
5. Hybrid Public Key Encryption
In this section, we define a few HPKE variants. All variants take a
recipient public key and a sequence of plaintexts "pt", and produce
an encapsulated key "enc" and a sequence of ciphertexts "ct". These
outputs are constructed so that only the holder of the private key
corresponding to "pkR" can decapsulate the key from "enc" and decrypt
the ciphertexts. All of the algorithms also take an "info" parameter
that can be used to influence the generation of keys (e.g., to fold
in identity information) and an "aad" parameter that provides
Additional Authenticated Data to the AEAD algorithm in use.
Barnes, et al. Expires 9 November 2020 [Page 9]
Internet-Draft HPKE May 2020
In addition to the base case of encrypting to a public key, we
include two authenticated variants, one of which authenticates
possession of a pre-shared key, and one of which authenticates
possession of a KEM private key. The following one-byte values will
be used to distinguish between modes:
+---------------+-------+
| Mode | Value |
+===============+=======+
| mode_base | 0x00 |
+---------------+-------+
| mode_psk | 0x01 |
+---------------+-------+
| mode_auth | 0x02 |
+---------------+-------+
| mode_auth_psk | 0x03 |
+---------------+-------+
Table 1
All of these cases follow the same basic two-step pattern:
1. Set up an encryption context that is shared between the sender
and the recipient
2. Use that context to encrypt or decrypt content
A "context" encodes the AEAD algorithm and key in use, and manages
the nonces used so that the same nonce is not used with multiple
plaintexts.
The constructions described here presume that the relevant non-
private parameters ("enc", "pskID", etc.) are transported between the
sender and the recipient by some application making use of HPKE.
The procedures described in this session are laid out in a Python-
like pseudocode. The algorithms in use are left implicit.
5.1. Creating the Encryption Context
The variants of HPKE defined in this document share a common key
schedule that translates the protocol inputs into an encryption
context. The key schedule inputs are as follows:
* "zz" - A shared secret generated via the KEM for this transaction
* "info" - Application-supplied information (optional; default value
"")
Barnes, et al. Expires 9 November 2020 [Page 10]
Internet-Draft HPKE May 2020
* "psk" - A pre-shared secret held by both the sender and the
recipient (optional; default value "zero(Nh)").
* "pskID" - An identifier for the PSK (optional; default value
"zero(0)")
* "pkSm" - The sender's encoded public key (optional; default value
"zero(Npk)")
Senders and recipients MUST validate KEM inputs and outputs as
described in Section 7.1.
The "psk" and "pskID" fields MUST appear together or not at all.
That is, if a non-default value is provided for one of them, then the
other MUST be set to a non-default value.
The key and nonce computed by this algorithm have the property that
they are only known to the holder of the recipient private key, and
the party that ran the KEM to generate "zz" and "enc". If the "psk"
and "pskID" arguments are provided, then the recipient is assured
that the sender held the PSK. If the "pkSm" argument is provided,
then the recipient is assumed that the sender held the corresponding
private key (assuming that "zz" and "enc" were generated using the
AuthEncap / AuthDecap methods; see below).
The HPKE algorithm identifiers, i.e., the KEM "kem_id", KDF "kdf_id",
and AEAD "aead_id" 2-byte code points, are assumed implicit from the
implementation and not passed as parameters.
Barnes, et al. Expires 9 November 2020 [Page 11]
Internet-Draft HPKE May 2020
default_pkSm = zero(Npk)
default_psk = zero(Nh)
default_pskID = zero(0)
def VerifyMode(mode, psk, pskID, pkSm):
got_psk = (psk != default_psk and pskID != default_pskID)
no_psk = (psk == default_psk and pskID == default_pskID)
got_pkSm = (pkSm != default_pkSm)
no_pkSm = (pkSm == default_pkSm)
if mode == mode_base and (got_psk or got_pkSm):
raise Exception("Invalid configuration for mode_base")
if mode == mode_psk and (no_psk or got_pkSm):
raise Exception("Invalid configuration for mode_psk")
if mode == mode_auth and (got_psk or no_pkSm):
raise Exception("Invalid configuration for mode_auth")
if mode == mode_auth_psk and (no_psk or no_pkSm):
raise Exception("Invalid configuration for mode_auth_psk")
def KeySchedule(mode, zz, info, psk, pskID, pkSm):
VerifyMode(mode, psk, pskID, pkSm)
ciphersuite = concat(encode_big_endian(kem_id, 2),
encode_big_endian(kdf_id, 2),
encode_big_endian(aead_id, 2))
pskID_hash = LabeledExtract(zero(Nh), "pskID_hash", pskID)
info_hash = LabeledExtract(zero(Nh), "info", info)
context = concat(ciphersuite, mode, pskID_hash, info_hash)
psk = LabeledExtract(zero(Nh), "psk_hash", psk)
secret = LabeledExtract(psk, "zz", zz)
key = LabeledExpand(secret, "key", context, Nk)
nonce = LabeledExpand(secret, "nonce", context, Nn)
exporter_secret = LabeledExpand(secret, "exp", context, Nh)
return Context(key, nonce, exporter_secret)
Note that the context construction in the KeySchedule procedure is
equivalent to serializing a structure of the following form in the
TLS presentation syntax:
Barnes, et al. Expires 9 November 2020 [Page 12]
Internet-Draft HPKE May 2020
struct {
uint16 kem_id;
uint16 kdf_id;
uint16 aead_id;
uint8 mode;
opaque pskID_hash[Nh];
opaque info_hash[Nh];
} HPKEContext;
5.1.1. Encryption to a Public Key
The most basic function of an HPKE scheme is to enable encryption for
the holder of a given KEM private key. The "SetupBaseS()" and
"SetupBaseR()" procedures establish contexts that can be used to
encrypt and decrypt, respectively, for a given private key.
The shared secret produced by the KEM is combined via the KDF with
information describing the key exchange, as well as the explicit
"info" parameter provided by the caller.
def SetupBaseS(pkR, info):
zz, enc = Encap(pkR)
return enc, KeySchedule(mode_base, zz, info,
default_psk, default_pskID, default_pkSm)
def SetupBaseR(enc, skR, info):
zz = Decap(enc, skR)
return KeySchedule(mode_base, zz, info,
default_psk, default_pskID, default_pkSm)
5.1.2. Authentication using a Pre-Shared Key
This variant extends the base mechanism by allowing the recipient to
authenticate that the sender possessed a given pre-shared key (PSK).
We assume that both parties have been provisioned with both the PSK
value "psk" and another byte string "pskID" that is used to identify
which PSK should be used.
The primary differences from the base case are:
* The PSK is used as the "salt" input to the KDF (instead of 0)
* The PSK ID is added to the context string used as the "info" input
to the KDF
The PSK SHOULD be of length Nh bytes or longer, and SHOULD have Nh
bytes of entropy or more. See Section 8.4 for a more detailed
discussion.
Barnes, et al. Expires 9 November 2020 [Page 13]
Internet-Draft HPKE May 2020
def SetupPSKS(pkR, info, psk, pskID):
zz, enc = Encap(pkR)
return enc, KeySchedule(mode_psk, zz, info, psk, pskID, default_pkSm)
def SetupPSKR(enc, skR, info, psk, pskID):
zz = Decap(enc, skR)
return KeySchedule(mode_psk, zz, info, psk, pskID, default_pkSm)
5.1.3. Authentication using an Asymmetric Key
This variant extends the base mechanism by allowing the recipient to
authenticate that the sender possessed a given KEM private key. This
assurance is based on the assumption that "AuthDecap(enc, skR, pkS)"
produces the correct shared secret only if the encapsulated value
"enc" was produced by "AuthEncap(pkR, skS)", where "skS" is the
private key corresponding to "pkS". In other words, only two people
could have produced this secret, so if the recipient is one, then the
sender must be the other.
The primary differences from the base case are:
* The calls to "Encap" and "Decap" are replaced with calls to
"AuthEncap" and "AuthDecap".
* The sender public key is added to the context string
Obviously, this variant can only be used with a KEM that provides
"AuthEncap()" and "AuthDecap()" procedures.
This mechanism authenticates only the key pair of the sender, not any
other identity. If an application wishes to authenticate some other
identity for the sender (e.g., an email address or domain name), then
this identity should be included in the "info" parameter to avoid
unknown key share attacks.
def SetupAuthS(pkR, info, skS):
zz, enc = AuthEncap(pkR, skS)
return enc, KeySchedule(mode_auth, zz, info, default_psk, default_pskID, pkSm)
def SetupAuthR(enc, skR, info, pkS):
zz = AuthDecap(enc, skR, pkS)
return KeySchedule(mode_auth, zz, info, default_psk, default_pskID, pkSm)
Barnes, et al. Expires 9 November 2020 [Page 14]
Internet-Draft HPKE May 2020
5.1.4. Authentication using both a PSK and an Asymmetric Key
This mode is a straightforward combination of the PSK and
authenticated modes. The PSK is passed through to the key schedule
as in the former, and as in the latter, we use the authenticated KEM
variants.
def SetupAuthPSKS(pkR, info, psk, pskID, skS):
zz, enc = AuthEncap(pkR, skS)
return enc, KeySchedule(mode_auth_psk, zz, info, psk, pskID, pkSm)
def SetupAuthPSKR(enc, skR, info, psk, pskID, pkS):
zz = AuthDecap(enc, skR, pkS)
return KeySchedule(mode_auth_psk, zz, info, psk, pskID, pkSm)
The PSK SHOULD be of length Nh bytes or longer, and SHOULD have Nh
bytes of entropy or more. See Section 8.4 for a more detailed
discussion.
5.2. Encryption and Decryption
HPKE allows multiple encryption operations to be done based on a
given setup transaction. Since the public-key operations involved in
setup are typically more expensive than symmetric encryption or
decryption, this allows applications to "amortize" the cost of the
public-key operations, reducing the overall overhead.
In order to avoid nonce reuse, however, this decryption must be
stateful. Each of the setup procedures above produces a context
object that stores the required state:
* The AEAD algorithm in use
* The key to be used with the AEAD algorithm
* A base nonce value
* A sequence number (initially 0)
All of these fields except the sequence number are constant. The
sequence number is used to provide nonce uniqueness: The nonce used
for each encryption or decryption operation is the result of XORing
the base nonce with the current sequence number, encoded as a big-
endian integer of the same length as the nonce. Implementations MAY
use a sequence number that is shorter than the nonce (padding on the
left with zero), but MUST return an error if the sequence number
overflows.
Barnes, et al. Expires 9 November 2020 [Page 15]
Internet-Draft HPKE May 2020
Encryption is unidirectional from sender to recipient. Each
encryption or decryption operation increments the sequence number for
the context in use. The sender's context MUST be used for encryption
only. Similarly, the recipient's context MUST be used for decryption
only. Higher-level protocols re-using the HPKE key exchange for more
general purposes can derive separate keying material as needed using
use the Export interface; see Section 5.3 for more details.
It is up to the application to ensure that encryptions and
decryptions are done in the proper sequence, so that encryption and
decryption nonces align. If a Seal or Open operation would cause the
"seq" field to wrap, then the implementation MUST return an error.
def Context.Nonce(seq):
encSeq = encode_big_endian(seq, Nn)
return xor(self.nonce, encSeq)
def Context.IncrementSeq():
if self.seq >= (1 << Nn) - 1:
return NonceOverflowError
self.seq += 1
def Context.Seal(aad, pt):
ct = Seal(self.key, self.Nonce(self.seq), aad, pt)
self.IncrementSeq()
return ct
def Context.Open(aad, ct):
pt = Open(self.key, self.Nonce(self.seq), aad, ct)
if pt == OpenError:
return OpenError
self.IncrementSeq()
return pt
5.3. Secret Export
HPKE provides a interface for exporting secrets from the encryption
Context, similar to the TLS 1.3 exporter interface (See [RFC8446],
Section 7.5). This interface takes as input a context string
"exporter_context" and desired length "L" (in bytes), and produces a
secret derived from the internal exporter secret using the
corresponding KDF Expand function.
def Context.Export(exporter_context, L):
return LabeledExpand(self.exporter_secret, "sec", exporter_context, L)
Barnes, et al. Expires 9 November 2020 [Page 16]
Internet-Draft HPKE May 2020
6. Single-Shot APIs
In many cases, applications encrypt only a single message to a
recipient's public key. This section provides templates for HPKE
APIs that implement stateless "single-shot" encryption and decryption
using APIs specified in Section 5.1.1 and Section 5.2:
def Seal<MODE>(pkR, info, aad, pt, ...):
enc, ctx = Setup<MODE>I(pkR, info, ...)
ct = ctx.Seal(aad, pt)
return enc, ct
def Open<MODE>(enc, skR, info, aad, ct, ...):
ctx = Setup<MODE>R(enc, skR, info, ...)
return ctx.Open(aad, ct)
The "MODE" template parameter is one of Base, PSK, Auth, or AuthPSK.
The optional parameters indicated by "..."" depend on "MODE" and may
be empty. SetupBase, for example, has no additional parameters.
Thus, SealAuthPSK and OpenAuthPSK would be implemented as follows:
def SealAuthPSK(pkR, info, aad, pt, psk, pskID, skS):
enc, ctx = SetupAuthPSKS(pkR, info, psk, pskID, skS)
ct = ctx.Seal(aad, pt)
return enc, ct
def OpenAuthPSK(enc, skR, info, aad, ct, psk, pskID, pkS):
ctx = SetupAuthPSKR(enc, skR, info, psk, pskID, pkS)
return ctx.Open(aad, ct)
7. Algorithm Identifiers
7.1. Key Encapsulation Mechanisms (KEMs)
+--------+-------------------+-----+------+-----+---------------+
| Value | KEM | Nzz | Nenc | Npk | Reference |
+========+===================+=====+======+=====+===============+
| 0x0000 | (reserved) | N/A | N/A | N/A | N/A |
+--------+-------------------+-----+------+-----+---------------+
| 0x0010 | DHKEM(P-256, | 32 | 65 | 65 | [NISTCurves], |
| | HKDF-SHA256) | | | | [RFC5869] |
+--------+-------------------+-----+------+-----+---------------+
| 0x0011 | DHKEM(P-384, | 48 | 97 | 97 | [NISTCurves], |
| | HKDF-SHA384) | | | | [RFC5869] |
+--------+-------------------+-----+------+-----+---------------+
| 0x0012 | DHKEM(P-521, | 64 | 133 | 133 | [NISTCurves], |
| | HKDF-SHA512) | | | | [RFC5869] |
+--------+-------------------+-----+------+-----+---------------+
Barnes, et al. Expires 9 November 2020 [Page 17]
Internet-Draft HPKE May 2020
| 0x0020 | DHKEM(Curve25519, | 32 | 32 | 32 | [RFC7748], |
| | HKDF-SHA256) | | | | [RFC5869] |
+--------+-------------------+-----+------+-----+---------------+
| 0x0021 | DHKEM(Curve448, | 64 | 56 | 56 | [RFC7748], |
| | HKDF-SHA512) | | | | [RFC5869] |
+--------+-------------------+-----+------+-----+---------------+
Table 2
7.1.1. Marshal
For the NIST curves P-256, P-384 and P-521, the Marshal function of
the DH scheme produces the normal (non-compressed) representation of
the public key, according to [SECG].
For the CFRG curves Curve25519 and Curve448, the Marshal function is
the identity function, since these curves already use fixed-length
byte strings for public keys.
7.1.2. Validation of Inputs and Outputs
The following public keys are subject to validation if the curve
requires public key validation: the sender MUST validate the
recipient's public key "pkR"; the recipient MUST validate the
ephemeral public key "pkE"; in authenticated modes, the recipient
MUST validate the sender's static public key "pkS".
For the NIST curves P-256, P-384 and P-521, senders and recipients
MUST perform full public-key validation on all public key inputs as
defined in [keyagreement], which includes validating that a public
key is on the curve and part of the correct prime-order subgroup.
Additionally, one of the following checks MUST be ensured: the scalar
given as input to DH is in the interval [1, n-1] where n is the prime
order of the subgroup; the result of DH is not the point at infinity.
For the CFRG curves Curve25519 and Curve448, validation of public
keys is not required. Senders and recipients MUST check whether the
shared secret is the all-zero value and abort if so, as described in
[RFC7748].
7.2. Key Derivation Functions (KDFs)
+--------+-------------+-----+-----------+
| Value | KDF | Nh | Reference |
+========+=============+=====+===========+
| 0x0000 | (reserved) | N/A | N/A |
+--------+-------------+-----+-----------+
| 0x0001 | HKDF-SHA256 | 32 | [RFC5869] |
Barnes, et al. Expires 9 November 2020 [Page 18]
Internet-Draft HPKE May 2020
+--------+-------------+-----+-----------+
| 0x0002 | HKDF-SHA384 | 48 | [RFC5869] |
+--------+-------------+-----+-----------+
| 0x0003 | HKDF-SHA512 | 64 | [RFC5869] |
+--------+-------------+-----+-----------+
Table 3
7.3. Authenticated Encryption with Associated Data (AEAD) Functions
+--------+------------------+-----+-----+-----------+
| Value | AEAD | Nk | Nn | Reference |
+========+==================+=====+=====+===========+
| 0x0000 | (reserved) | N/A | N/A | N/A |
+--------+------------------+-----+-----+-----------+
| 0x0001 | AES-GCM-128 | 16 | 12 | [GCM] |
+--------+------------------+-----+-----+-----------+
| 0x0002 | AES-GCM-256 | 32 | 12 | [GCM] |
+--------+------------------+-----+-----+-----------+
| 0x0003 | ChaCha20Poly1305 | 32 | 12 | [RFC8439] |
+--------+------------------+-----+-----+-----------+
Table 4
8. Security Considerations
8.1. Security Properties
HPKE has several security goals, depending on the mode of operation,
against active and adaptive attackers that can compromise partial
secrets of senders and recipients. The desired security goals are
detailed below:
* Message secrecy: Privacy of the sender's messages, i.e., IND-CCA2
security
* Export key secrecy: Indistinguishability of each export secret
from a uniformly random bitstring of equal length
* Sender authentication: Proof of sender origin for Auth and AuthPSK
modes
It is shown in [CS01] that a hybrid scheme of essentially the same
form described here is IND-CCA2-secure as long as the the underlying
KEM and AEAD schemes are IND-CCA2-secure. The main difference
between the scheme proposed there and the scheme in this document
(both named HPKE) is that we interpose some KDF calls between the KEM
and the AEAD. So further analysis is needed on two fronts, first to
Barnes, et al. Expires 9 November 2020 [Page 19]
Internet-Draft HPKE May 2020
verify that the additional KDF calls do not cause the IND-CCA2
property to fail, and second to verify the two additional properties
noted above.
This work has been done for the case where the KEM is DHKEM, the AEAD
is any IND-CCA2 scheme, and the DH group and KDF satisfy the
following conditions:
* DH group: The gap Diffie-Hellman (GDH) problem is hard [GAP].
* Extract and Expand (in DHKEM): Extract is indifferentiable from a
random oracle. Expand is a pseudorandom function, wherein the
first argument is the key.
* Extract and Expand (elsewhere): Extract is indifferentiable from a
random oracle. Expand is a pseudorandom function, wherein the
first argument is the key.
In particular, the KDFs and DH groups defined in this document (see
Section 7.2 and Section 7.1) satisfy these properties.
The analysis in [HPKEAnalysis] demonstrates that under these
constraints, HPKE continues to provide IND-CCA2 security, and
provides the additional properties noted above. The analysis
considers two variants of HPKE usage: single-shot message encryption
and secret key export. In the single-shot variant, S uses the
single-shot API to use the key once to encrypt a plaintext. The
export variant is the same as single-shot variant, except that the
sender additionally exports two independent secrets using the secret
export interface. We distinguish these two variants because the
single-shot API does not lend itself to use the Export interface.
The table below summarizes the main results from [HPKEAnalysis]. N/A
means that a property does not apply for the given mode, whereas X
means the given mode satisfies the property.
Barnes, et al. Expires 9 November 2020 [Page 20]
Internet-Draft HPKE May 2020
+----------------------+--------------+-------------+--------------+
| Variant | Message Sec. | Export Sec. | Sender Auth. |
+======================+==============+=============+==============+
| Base, single-shot | X | N/A | N/A |
+----------------------+--------------+-------------+--------------+
| PSK, single-shot | X | N/A | X |
+----------------------+--------------+-------------+--------------+
| Auth, single-shot | X | N/A | X |
+----------------------+--------------+-------------+--------------+
| AuthPSK, single-shot | X | N/A | X |
+----------------------+--------------+-------------+--------------+
| Base, export | X | X | N/A |
+----------------------+--------------+-------------+--------------+
| PSK, export | X | X | X |
+----------------------+--------------+-------------+--------------+
| Auth, export | X | X | X |
+----------------------+--------------+-------------+--------------+
| AuthPSK, export | X | X | X |
+----------------------+--------------+-------------+--------------+
Table 5
If non-DH-based KEM schemes are to be used with HPKE, further
analysis will be necessary to prove their security. The results from
[CS01] provide some indication that any IND-CCA2 KEM will suffice
here, but are not conclusive given the difference in schemes.
In addition, both [CS01] and [HPKEAnalysis] are premised on classical
security models and assumptions, and do not consider attackers
capable of quantum computation. A full proof of post-quantum
security would need to take this difference into account, in addition
to simply using a post-quantum KEM.
8.2. Security Requirements on a KEM used within HPKE
A KEM used within HPKE MUST ensure the following to avoid identity
mis-binding issues: The shared secret computed by Encap and Decap
MUST depend explicitly on the KEM public key pkR and the KEM
ciphertext enc. The shared secret returned by AuthEncap and
AuthDecap MUST explicitly depend on the KEM public keys pkR and pkS
and the KEM ciphertext enc. This is usually implemented by including
these values explicitly into the context of the key derivation
function used to compute the shared secret. This is also how DHKEM
meets the requirement.
Barnes, et al. Expires 9 November 2020 [Page 21]
Internet-Draft HPKE May 2020
8.3. Security Requirements on a KDF
The choice of the KDF for the remainder of HPKE should be made based
on the security level provided by the KEM and, if applicable, by the
PSK. The KDF SHOULD have at least have the security level of the KEM
and SHOULD at least have the security level provided by the PSK.
HPKE's KeySchedule uses LabeledExtract to convert an arbitrary-length
PSK into a fixed-length PSK. This is necessary because of the
restrictions on the key in HMAC's indifferentiability theorem [HMAC].
A future instantiation of HPKE MAY omit this line if: Extract is not
instantiated by HKDF-Extract and there is an indifferentiability
theorem for Extract without restriction on the key's length.
8.4. Pre-Shared Key Recommendations
In the PSK and AuthPSK modes, the PSK SHOULD be of length Nh bytes or
longer, and SHOULD have Nh bytes of entropy or more. Using a PSK
shorter than Nh bytes is permitted. A PSK that is longer than Nh
bytes or that has more than Nh bytes of entropy, respectively, does
not increase the security level of HPKE, because the extraction step
involving the PSK only outputs Nh bytes.
HPKE is specified to use HKDF as key derivation function. HKDF is
not designed to slow down dictionary attacks, see [RFC5869]. Thus,
HPKE's PSK mechanism is not suitable for use with a low-entropy
password as the PSK: in scenarios in which the adversary knows the
KEM shared secret zz and has access to an oracle that allows to
distinguish between a good and a wrong PSK, it can perform a
dictionary attack on the PSK. This oracle can be the decryption
operation on a captured HPKE ciphertext or any other recipient
behavior which is observably different when using a wrong PSK. The
adversary knows the KEM shared secret zz if it knows all KEM private
keys of one participant. In the PSK mode this is trivially the case
if the adversary acts as sender.
8.5. Domain Separation
HPKE allows combining a DHKEM variant DHKEM(Group, KDF') and a KDF
such that both KDFs are instantiated by the same KDF. By design, the
calls to Extract and Expand inside DHKEM and the remainder of HPKE
have different prefix-free encodings for the second parameter. This
is achieved by the different prefix-free label parameters in the
calls to LabeledExtract and LabeledExpand. This serves to separate
the input domains of all Extract and Expand invocations. It also
justifies modeling them as independent functions even if instantiated
by the same KDF.
Barnes, et al. Expires 9 November 2020 [Page 22]
Internet-Draft HPKE May 2020
Future KEM instantiations MUST ensure that all internal invocations
of Extract and Expand can be modeled as functions independent from
the invocations of Extract and Expand in the remainder of HPKE. One
way to ensure this is by using an equal or similar prefixing scheme
with an identifier different from "RFCXXXX ". Particular attention
needs to be paid if the KEM directly invokes functions that are used
internally in HPKE's Extract or Expand, such as Hash and HMAC in the
case of HKDF. It MUST be ensured that inputs to these invocations
cannot collide with inputs to the internal invocations of these
functions inside Extract or Expand. In HPKE's KeySchedule this is
avoided by using Extract instead of Hash on the arbitrary-length
inputs "info", "pskID", and "psk".
The string literal "RFCXXXX" used in LabeledExtract and LabeledExpand
ensures that any secrets derived in HPKE are bound to the scheme's
name, even when possibly derived from the same Diffie-Hellman or KEM
shared secret as in another scheme.
8.6. External Requirements / Non-Goals
HPKE is designed to be a fairly low-level primitive, and thus does
not provide several features that a more high-level protocol might
provide, for example:
* Downgrade prevention - HPKE assumes that the sender and recipient
agree on what algorithms to use. Depending on how these
algorithms are negotiated, it may be possible for an intermediary
to force the two parties to use suboptimal algorithms.
* Replay protection - The requirement that ciphertexts be presented
to the Context.Open function in the same order they were generated
by Context.Seal provides a degree of replay protection within a
stream of ciphertexts resulting from a given Context. HPKE
provides no other replay protection.
* Forward secrecy - HPKE ciphertexts are not forward-secure. In
mode_base and mode_auth, a given ciphertext can be decrypted if
the recipient's public encryption key is compromised. In mode_psk
and mode_auth_psk, a given ciphertext can be decrypted if the
recipient's public encryption key and the PSK are compromised.
Barnes, et al. Expires 9 November 2020 [Page 23]
Internet-Draft HPKE May 2020
8.7. Metadata Protection
The authenticated modes of HPKE (PSK, Auth, AuthPSK) require that the
recipient know what key material to use for the sender. This can be
signaled in applications by sending the PSK ID ("pskID" above) and/or
the sender's public key ("pkS"). However, these values themselves
might be considered sensitive, since in a given application context,
they might identify the sender.
An application that wishes to protect these metadata values without
requiring further provisioning of keys can use an additional instance
of HPKE, using the unauthenticated base mode. Where the application
might have sent "(pskID, pkS, enc, ciphertext)" before, it would now
send (enc2, ciphertext2, enc, ciphertext), where "(enc2,
ciphertext2)" represent the encryption of the "pskID" and "pkS"
values.
The cost of this approach is an additional KEM operation each for the
sender and the recipient. A potential lower-cost approach (involving
only symmetric operations) would be available if the nonce-protection
schemes in [BNT19] could be extended to cover other metadata.
However, this construction would require further analysis.
8.8. Designated-Verifier Signature
The Auth and AuthPSK modes HPKE can be used to construct a
lightweight "designated-verifier signature" scheme [JKR96], in the
sense that the message is authenticated as coming from the sender,
but the only party who can verify the authentication is the recipient
(the holder of "skR").
To create such a signature, the sender simply performs a normal HPKE
setup in the proper mode, and calls the Seal method on the resulting
context with an empty plaintext value and the content to be signed as
AAD. This produces an encoded key "enc" and a ciphertext value that
contains only the AAD tag.
For example, using DHKEM-X25519 and AES-128-GCM, this would produce a
48-byte signature comprising a 32-byte ephemeral X25519 key and a
16-byte GCM tag.
To verify such a signature, the recipient performs the corresponding
HPKE setup and calls Open with the provided ciphertext. If the AEAD
authentication passes, then the signature is valid.
This scheme re-uses the authentication scheme underlying the AEAD
algorithm in use, while using the KEM to establish a one-time
authentication key from a pair of KEM public keys.
Barnes, et al. Expires 9 November 2020 [Page 24]
Internet-Draft HPKE May 2020
9. Message Encoding
This document does not specify a wire format encoding for HPKE
messages. Applications that adopt HPKE must therefore specify an
unambiguous encoding mechanism which includes, minimally: the
encapsulated value "enc", ciphertext value(s) (and order if there are
multiple), and any info values that are not implicit.
10. IANA Considerations
This document requests the creation of three new IANA registries:
* HPKE KEM Identifiers
* HPKE KDF Identifiers
* HPKE AEAD Identifiers
All of these registries should be under a heading of "Hybrid Public
Key Encryption", and administered under a Specification Required
policy [RFC8126]
10.1. KEM Identifiers
The "HPKE KEM Identifiers" registry lists identifiers for key
encapsulation algorithms defined for use with HPKE. These are two-
byte values, so the maximum possible value is 0xFFFF = 65535.
Template:
* Value: The two-byte identifier for the algorithm
* KEM: The name of the algorithm
* Nzz: The length in bytes of a shared secret produced by the
algorithm
* Nenc: The length in bytes of an encapsulated key produced by the
algorithm
* Npk: The length in bytes of an encoded public key for the
algorithm
* Reference: Where this algorithm is defined
Initial contents: Provided in Section 7.1
Barnes, et al. Expires 9 November 2020 [Page 25]
Internet-Draft HPKE May 2020
10.2. KDF Identifiers
The "HPKE KDF Identifiers" registry lists identifiers for key
derivation functions defined for use with HPKE. These are two-byte
values, so the maximum possible value is 0xFFFF = 65535.
Template:
* Value: The two-byte identifier for the algorithm
* KDF: The name of the algorithm
* Nh: The output size of the Extract function in bytes
* Reference: Where this algorithm is defined
Initial contents: Provided in Section 7.2
10.3. AEAD Identifiers
The "HPKE AEAD Identifiers" registry lists identifiers for
authenticated encryption with associated data (AEAD) algorithms
defined for use with HPKE. These are two-byte values, so the maximum
possible value is 0xFFFF = 65535.
Template:
* Value: The two-byte identifier for the algorithm
* AEAD: The name of the algorithm
* Nk: The length in bytes of a key for this algorithm
* Nn: The length in bytes of a nonce for this algorithm
* Reference: Where this algorithm is defined
Initial contents: Provided in Section 7.3
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Barnes, et al. Expires 9 November 2020 [Page 26]
Internet-Draft HPKE May 2020
[RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated
Encryption", RFC 5116, DOI 10.17487/RFC5116, January 2008,
<https://www.rfc-editor.org/info/rfc5116>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
11.2. Informative References
[ANSI] "Public Key Cryptography for the Financial Services
Industry -- Key Agreement and Key Transport Using Elliptic
Curve Cryptography", 2001.
[BNT19] "Nonces Are Noticed: AEAD Revisited", 2019,
<http://dx.doi.org/10.1007/978-3-030-26948-7_9>.
[CS01] "Design and Analysis of Practical Public-Key Encryption
Schemes Secure against Adaptive Chosen Ciphertext Attack",
2001, <https://eprint.iacr.org/2001/108>.
[fiveG] "Security architecture and procedures for 5G System",
2019,
<https://portal.3gpp.org/desktopmodules/Specifications/
SpecificationDetails.aspx?specificationId=3169>.
[GAP] "The Gap-Problems - a New Class of Problems for the
Security of Cryptographic Schemes",
ISBN 978-3-540-44586-9, 2001,
<https://link.springer.com/content/
pdf/10.1007/3-540-44586-2_8.pdf>.
[GCM] Dworkin, M., "Recommendation for block cipher modes of
operation :", DOI 10.6028/nist.sp.800-38d, National
Institute of Standards and Technology report, 2007,
<https://doi.org/10.6028/nist.sp.800-38d>.
[HMAC] "To Hash or Not to Hash Again? (In)differentiability
Results for H^2 and HMAC", 2013,
<https://eprint.iacr.org/2013/382>.
Barnes, et al. Expires 9 November 2020 [Page 27]
Internet-Draft HPKE May 2020
[HPKEAnalysis]
"An Analysis of Hybrid Public Key Encryption", 2020,
<https://eprint.iacr.org/2020/243.pdf>.
[I-D.ietf-mls-protocol]
Barnes, R., Beurdouche, B., Millican, J., Omara, E., Cohn-
Gordon, K., and R. Robert, "The Messaging Layer Security
(MLS) Protocol", Work in Progress, Internet-Draft, draft-
ietf-mls-protocol-09, 6 March 2020, <http://www.ietf.org/
internet-drafts/draft-ietf-mls-protocol-09.txt>.
[I-D.ietf-tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. Wood,
"Encrypted Server Name Indication for TLS 1.3", Work in
Progress, Internet-Draft, draft-ietf-tls-esni-06, 9 March
2020, <http://www.ietf.org/internet-drafts/draft-ietf-tls-
esni-06.txt>.
[IEEE] "IEEE 1363a, Standard Specifications for Public Key
Cryptography - Amendment 1 -- Additional Techniques",
2004.
[ISO] "ISO/IEC 18033-2, Information Technology - Security
Techniques - Encryption Algorithms - Part 2 -- Asymmetric
Ciphers", 2006.
[JKR96] "Designated Verifier Proofs and Their Applications", 1996,
<https://doi.org/10.1007%2F3-540-49677-7_30>.
[keyagreement]
Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R.
Davis, "Recommendation for pair-wise key-establishment
schemes using discrete logarithm cryptography",
DOI 10.6028/nist.sp.800-56ar3, National Institute of
Standards and Technology report, April 2018,
<https://doi.org/10.6028/nist.sp.800-56ar3>.
[MAEA10] "A Comparison of the Standardized Versions of ECIES",
2010, <http://sceweb.sce.uhcl.edu/yang/teaching/
csci5234WebSecurityFall2011/Chaum-blind-signatures.PDF>.
[NISTCurves]
"Digital Signature Standard (DSS)",
DOI 10.6028/nist.fips.186-4, National Institute of
Standards and Technology report, July 2013,
<https://doi.org/10.6028/nist.fips.186-4>.
Barnes, et al. Expires 9 November 2020 [Page 28]
Internet-Draft HPKE May 2020
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>.
[RFC6637] Jivsov, A., "Elliptic Curve Cryptography (ECC) in
OpenPGP", RFC 6637, DOI 10.17487/RFC6637, June 2012,
<https://www.rfc-editor.org/info/rfc6637>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>.
[RFC8439] Nir, Y. and A. Langley, "ChaCha20 and Poly1305 for IETF
Protocols", RFC 8439, DOI 10.17487/RFC8439, June 2018,
<https://www.rfc-editor.org/info/rfc8439>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
[SECG] "Elliptic Curve Cryptography, Standards for Efficient
Cryptography Group, ver. 2", 2009,
<https://secg.org/sec1-v2.pdf>.
[TestVectors]
"HPKE Test Vectors", 2020, <https://github.com/cfrg/draft-
irtf-cfrg-
hpke/blob/d1dbba6a0ff837cf13432e5ec810d232ec5a6062/test-
vectors.json>.
Appendix A. Test Vectors
These test vectors are also available in JSON format at
[TestVectors].
A.1. DHKEM(Curve25519, HKDF-SHA256), HKDF-SHA256, AES-GCM-128
A.1.1. Base Setup Information
Barnes, et al. Expires 9 November 2020 [Page 29]
Internet-Draft HPKE May 2020
mode: 0
kemID: 32
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: d3c8ca6516cd4cc75f66210c5a49d05381bfbfc0de090c19432d778ea4599829
skE: b9d453d3ec0dbe59fa4a193bde3e4ea17f80c9b2fa69f2f3e029120303b86885
pkR: 10b2fc2332b75206d2c791c3db1094dfd298b6508138ce98fec2c0c7a4dbc408
pkE: 07da186c37d11e92d924fd1a75aff87d11860dfd59ea940429d8b874de846a33
enc: 07da186c37d11e92d924fd1a75aff87d11860dfd59ea940429d8b874de846a33
zz: 79f0c71200a133c4e608a1d2dab5830e54ba7ee71abd6522cfc4af6ad1c47ac2
context: 002000010001005d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: e7a85117b9cac58c508eeb153faab0a8205a73d4fca1bb7b81d1a4b504eb71f8
key: ab86480a0094bfe110fca55d98dccafd
nonce: 4a5fc401e6551f69db44d64d
exporterSecret:
eb9570b621c3894a182c40ee67ed9d71bcfb114e2315b2ceaaade6454fa21291
A.1.1.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 30]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 4a5fc401e6551f69db44d64d
ciphertext: 1ae0fe213b0c230f723d057a9476a5e95e9348699aec1ecfe67bd67a69cb
63894b5aed52332059289c44c4a69e
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 4a5fc401e6551f69db44d64c
ciphertext: 00e8cec1e413913e942a214fd0d610fdcbe53285491d4e7bbfff51c11b40
1c9e150cac56757e074d923d0de840
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 4a5fc401e6551f69db44d64f
ciphertext: 244862294f4036de67304d9f24da1079f4f914c8ffc768999065c657dda4
0c0572c0d04e70d72cf3d150e4bf74
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 4a5fc401e6551f69db44d649
ciphertext: 4acf4661c93dc673a6d6372167f2a356c13e430e61a84ebc1919bf26dbc7
d0132c7a54f9698094ddae52ac8e8f
A.1.2. PSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 31]
Internet-Draft HPKE May 2020
mode: 1
kemID: 32
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: 1f68f688b24c27f825012d40efa4fb33e033d717d569047a702c3ef5a64bde64
skE: 8ad4455d6eda442a9731ac224c9f8a468f489c77e3871cde9ebdd12e9027bad7
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 6f61735fee57c59ce6489d80a11d77b7b2f9e9fddc3cb0bff0cf5a982ce7f344
pkE: 97adf1e077a6ae6f98e3eb4bf09743eb989a8e2d1c6013009b6629f701e70b75
enc: 97adf1e077a6ae6f98e3eb4bf09743eb989a8e2d1c6013009b6629f701e70b75
zz: d81e257a13d4081e0a91f68ecba8d517ca907a9061f463bf11b5f7b200f60a3f
context: 00200001000101535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: c8fe7dd0ddc92d4d0fafb8b5c44ef049a94d12d0952472fc8b3f153d89a5585b
key: b5a7f8235cd2513056fce3b58df2eabe
nonce: bdc674179679e243d134faab
exporterSecret:
d71ee6abf3b3439203946824aa302ea6f7099cdee02f1b6c29c3165809d15c03
A.1.2.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 32]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: bdc674179679e243d134faab
ciphertext: eb4fc6ffed9fca50793bbddc9754805d219ec8a987ceb4838e644e12a8c1
a86b69a44cb3353399471008b9ea47
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: bdc674179679e243d134faaa
ciphertext: de242daa1d77832292c81e5a8c9b8f534a5de656437af16ebb497b0c6382
8d80d37f7043e95b24acd44a0489ac
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: bdc674179679e243d134faa9
ciphertext: d2ad57dc8006b4b451a470a96babc5e85e6690f2a4a28566a3b393962dc6
8ba2907d91f9705aa007d58dfc0195
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: bdc674179679e243d134faaf
ciphertext: 2d9f83c5c40e73d32e60438bf216dc9e87bc45518a175cbf9cd47d10417a
beeac1e5ba9ff5db1c9e4d14861bcc
A.1.3. Auth Setup Information
Barnes, et al. Expires 9 November 2020 [Page 33]
Internet-Draft HPKE May 2020
mode: 2
kemID: 32
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: 41ee53399ebae982cd067fefa138b6b401cea1a7ef428fe9d6bc90e903a88f6e
skS: 55799581f14ec785dbaa11857700adf78f842a51b5ae6a4b4e5a4d99c66e5793
skE: 367299c0da446bfa8f3b41382c58b1b77fdadb5cf056d1fe94d6ab0b8741a184
pkR: 777b10479021ffb3d21ff7ad0d7ff1a27220f6203e729826a71dc1dd7f77ed27
pkS: 2bba172f178cf852e8670e574fdcdd62d8dcfa063548d3424d84f3e403f4e64c
pkE: b6c5c1515f6aebcde4e78ed492672489d1cb7c9256935dd1514eede9ee956a59
enc: b6c5c1515f6aebcde4e78ed492672489d1cb7c9256935dd1514eede9ee956a59
zz: 806664f6a174c0f72a64ec3e671a9c584388c2dd40f5b0eec4def8e69d549b7a
context: 002000010001025d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: e4ceff245d1e1781b54191a2f4520ccc8523d59244c975309975e69afe61b896
key: df3a747864781866dac633f56b101cd9
nonce: 94ef1cb07771719d1bf62d15
exporterSecret:
3f6b2cbca577b5842d57dffd6be0be512afa19adb16f09085c57014032c87609
A.1.3.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 34]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 94ef1cb07771719d1bf62d15
ciphertext: 483a276f138d5b33f2d32c4345c109078fc203716e2f9f16ffa991510cc4
f60df8583fc0133cb1ddad93b1a6b9
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 94ef1cb07771719d1bf62d14
ciphertext: 347263ce760a935e3d1d85fb30377b54c6c77ed5d29458cdef341071be78
29424d3901b061ad36090bcb9d1338
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 94ef1cb07771719d1bf62d17
ciphertext: 7a4dd7aa889668797f264c73b5a675400bbea5437589e85a2fcd3595a211
d7cd09399fa70b3907e1a4198aaa8f
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 94ef1cb07771719d1bf62d11
ciphertext: 0b24f93f5f3301ad4147a35a2da898a817b5e95623ad849b85cbebf832d3
204657adf1b88201a39b62247a1251
A.1.4. AuthPSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 35]
Internet-Draft HPKE May 2020
mode: 3
kemID: 32
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: 2fe8ef0b6fdf5f8da2b43472ca05bc324f7e6aabd9e2b65b2dfa5b892f832a20
skS: aede8f90d017a796c2dc73f3674168837a0ca0afaf3577b6aeeb784dc0b31c49
skE: 84a883acd803f41ea16ec23e81ebe3af3cff34fa3c6b50616d67511404d3daa0
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 09171abdb6c6c8833791cb29357e39c2dbd5d6a7c1ed726f77bbdca5eddf397a
pkS: 92bf662e7ae5fda99130c32334f556803b00a419bb726386017c1fe217fb0e3d
pkE: 96fefa84ac1222b735cc60cbd396cfe9303c36d3ac3e46920867b8fef6453e20
enc: 96fefa84ac1222b735cc60cbd396cfe9303c36d3ac3e46920867b8fef6453e20
zz: 0619ce18b92e56d8aa45e21e3db5a4106a7b3f4a640b9c73cd404c33a63c578d
context: 00200001000103535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: d2edc245ee148829587fe394de1a74dd84072169db5fa58bd840c773dfb51e7f
key: a8f14e6db85577e0185343a6842bb2da
nonce: 4e77fea157276c67eee96eb4
exporterSecret:
9e9eb41a697cea5dc9b56cb3ac052cfb0c0ab4ca79125bb9a2add7df99d17680
A.1.4.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 36]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 4e77fea157276c67eee96eb4
ciphertext: 07d4728a9d239425e493cbdbff32d317f76823e4b0b4c12d8128a79b776b
61f7d01bcaf6d07bc1265225766553
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 4e77fea157276c67eee96eb5
ciphertext: f820deea546cdc9f911aa6a6834ebfccf9775ff64997f5a8f704eed9dc6e
90b88b9a935b58c574fbe3a449ed91
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 4e77fea157276c67eee96eb6
ciphertext: ec0873cfac98eaa3ada7a9c9d69831fb530cb140f427b991585336fd3579
7c01367c53e3a154682e58c1f75338
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 4e77fea157276c67eee96eb0
ciphertext: 4392ee0bf464ee58565e6e48b2b92444ec913b2a7e72520352008f1b0405
d8eb17c2a2f25715bc9bb216794b72
A.2. DHKEM(Curve25519, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
A.2.1. Base Setup Information
Barnes, et al. Expires 9 November 2020 [Page 37]
Internet-Draft HPKE May 2020
mode: 0
kemID: 32
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 0a2737d281922bdd223db035c4c0b4154179f338e20dd45b3cb6e801bc078229
skE: 43f15e4141a3532e03d5b974ab4dae83c8e3b460ab0ecdfb5b38451ef35ade1f
pkR: cd965e8af97e58598b02ebaef2d376e430a7a744fe64b58ac37c0ad8a026dc02
pkE: 0298cbf0d065c0c4d5fad9367fdae4350d2ca07b66936c70f9d8a61a64271707
enc: 0298cbf0d065c0c4d5fad9367fdae4350d2ca07b66936c70f9d8a61a64271707
zz: fd311e3b861d9ce5ddb89a37bd5b76f5d08f50a10ce4499ffe8aa8934e7222bf
context: 002000010003005d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: faf0773568a55c251d1d9590e88f8464fa544271c178f90f4c177e9cfaad152a
key: 954b77e7b3e5db38142f19cda6ace6948e154aa2bc1a193ac90f89565364512c
nonce: f49ff6240b6d611a2bf9af90
exporterSecret:
2e9eb4e338775bc70dd4f5bf1b6f2d0d4565472456cc8b70baa631841e6085e2
A.2.1.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 38]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: f49ff6240b6d611a2bf9af90
ciphertext: 744b9a6332791b799d6f2160697bf2c127df9a0bd35e708ea3d0e165b0f1
180fe9f7a863b7624f14584c6d12c8
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: f49ff6240b6d611a2bf9af91
ciphertext: 7f95fb427ec720e03f5b9f29b56f9f78c065ac3538469ecdb9672cb2a077
d7d42ff85f9ed7e58bfbf14502b1a1
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: f49ff6240b6d611a2bf9af92
ciphertext: 143f13b9130768a2f31c418b251cd2320ce0ab25eeb711894f57fa5468ba
ac30a89af146db36506d80ff15f687
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: f49ff6240b6d611a2bf9af94
ciphertext: 6231544225e67367b0384da833d4c286ae1cf752ef87eb7511e9c1d3c94c
97df03e0dbebd4d3dd74c753e4bd11
A.2.2. PSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 39]
Internet-Draft HPKE May 2020
mode: 1
kemID: 32
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: d9fc87b82f8a33f645dee49ab3945609b670addfa723daa4c56a0c2a84f0e800
skE: d390185c18ec0450f6457e198a41578cd3352c663bc699ee9d05dd94c458b30a
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: e0040bc38b3c4f6adf38c8c320ed052ba4978d6d1434bc5c0a9b621565f35b07
pkE: 6e3f42494e8559f9fd4ac7de6968d5f2d5dc9384ed5d2ca1c6fbfaec1df60a26
enc: 6e3f42494e8559f9fd4ac7de6968d5f2d5dc9384ed5d2ca1c6fbfaec1df60a26
zz: 5af485df917bb1ed84f8e81fa052d7a8ea691ef1f79497580f527a13d25303e5
context: 00200001000301535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: fba87fa024ee0f262e6cf3d67fe4906b5b29f22a0dbc88d0935122ef2cc88d1a
key: f2f2678f9f4b374583f489ba96e55bb9f2f8e6e0907fb3f5c5ad195227d3ebf4
nonce: fb7ee240dbc798e289d2257d
exporterSecret:
adb177cf73b15b540274b21c1bca954e2747cf89248fb3bbf6b49bcfe0916afe
A.2.2.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 40]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: fb7ee240dbc798e289d2257d
ciphertext: 6195d5f07881a2ce18b0b0bfdd5573570bca3c85ebfe46a90f6c0dfea853
6607556457f46dc5cbfade0860af40
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: fb7ee240dbc798e289d2257c
ciphertext: 5429ab8e9abaf28dc17f8f718ee16597c2ede60eabdfa83465c6400d01bc
3ee602965d97e17de04b8b2e6c5fed
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: fb7ee240dbc798e289d2257f
ciphertext: b38ed602dde69e86f841f86762ca903dc61760c6bc80587a3fbd2c601234
18d446c8c136a6de9e01ff90714c6d
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: fb7ee240dbc798e289d22579
ciphertext: 88f59e40b44fd7c8d78846fc6a7bfb1d926217c309b4fbcd1d12a1a4f81a
9147943828dfaf2aa292da1a2557dd
A.2.3. Auth Setup Information
Barnes, et al. Expires 9 November 2020 [Page 41]
Internet-Draft HPKE May 2020
mode: 2
kemID: 32
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 877963e68a4566f1b5288dc2a90d43a3378dc91a8b8bd0b82a056cbb5d00da2b
skS: 123e50b6d7b4d867b5d7e7dfea050a5f8a724231f4c510a85eca81a33bcd7f4f
skE: 5cf743372f26b2de271f5ffa859f82f5d0e9c2b67ce27843ce23947eee56062a
pkR: 0cbfc21809b19ac7170fac26b82b782fb93abb2863fc6e98eb3b103a3ff06b08
pkS: 96d4517062bd034b1416e2e34f534a99566b7a2f230af60263bd9949e9062920
pkE: 8330db3fc4c1d027582f11760620404b9f1c54673d95e65d6368b868f008a043
enc: 8330db3fc4c1d027582f11760620404b9f1c54673d95e65d6368b868f008a043
zz: b54fae67eb84a10f0a806ff0f6d2a14f7e1cd0df2999e5dfaddb2c1743c8fd37
context: 002000010003025d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 3e1ce250d829206d52269ee6aa0751db9f9e652fe86732347b30ac202a5f7d57
key: 55df035baceee1f8a4978e8f9e7fa9e9874e77ae38fc073a88539d651fbe324c
nonce: 2299e07956f1139c29ada886
exporterSecret:
3679ee6ead22aa73c4100a566ef03054cbd7495985a1d9419a9084c9723d8b47
A.2.3.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 42]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 2299e07956f1139c29ada886
ciphertext: b6ad165f780d080b3cbaa1631a68bcb34ddbee05287a08f094bfb8c27ecf
9ffb5c3fb8c9f4e900a6e8d4288291
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 2299e07956f1139c29ada887
ciphertext: 10973fcd96f1ad80608933dbad1b4eb8fcef67bff6a191c059406d20b2ec
65572d11bd0adae546e395499f8a8e
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 2299e07956f1139c29ada884
ciphertext: 555ef7aad531a6f408874194751c8c97b314feddf064515b309a650cba7d
1a502c963f566810f784864a718f5b
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 2299e07956f1139c29ada882
ciphertext: 07acdf32be09d94aef3b46814d993150520534a7e8eb70a238a677e1da27
9cd2911255ad6c740ab3fb0ca7b17b
A.2.4. AuthPSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 43]
Internet-Draft HPKE May 2020
mode: 3
kemID: 32
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 8fb4161e1c10167ea42102f183f1c8b7a2b0f78fa3da7608962f1bb912239b48
skS: 8aec40900c4f3cc4b41ff7731794be32586dfb071827798d5f3502324de35804
skE: 34c9a993a628f4f0a31c9426a0614113e37abaebd8dfd8c1cb7fd1f81b2b5ff4
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 42c5a8da45cbf754476ffa53efba8f99228ec7d0ec5a42ad6de0b20a9f0e5100
pkS: 183916ee13bfe81ac65c950b160ce592093b2e82ba986d1b2fa1dc8b85ef0b2a
pkE: adf5d04089b87bf0bbddea2a4afc8b233b2c84d592480e6a42ae37d9047ae861
enc: adf5d04089b87bf0bbddea2a4afc8b233b2c84d592480e6a42ae37d9047ae861
zz: 462c4cb9e3f2e5fe306407a3d83fbab109fbfcb9ae2f0c907872bba316ed218e
context: 00200001000303535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 8c6ddabbb4de438d936cbcffce1d8863807e77ea84c4e2ed89c48008a8f200b2
key: 5a97c5379909006e26e418986461050980730e660c6b742d3ba2c479aea655eb
nonce: 43914a79a085d008b4d57e2b
exporterSecret:
21079400d4f4d2681972da4058bd80101bfb835410dc324ee5b728650f800dd6
A.2.4.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 44]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 43914a79a085d008b4d57e2b
ciphertext: 6f29d2f8de3391cce245c13d60e824c30a9d312e3763f93aeed26d68d8b5
3f56a52591a58b4058279ce50bae33
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 43914a79a085d008b4d57e2a
ciphertext: 2d8696f79ee6ee4b535b5b2e5a4a92c495c0f7e83a30457328db73a53b11
3671e72a93db707bb758ea00750d90
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 43914a79a085d008b4d57e29
ciphertext: 2ecb5612ea793f10d9f6789adbe1d015d4c4ca41478cd084d42e2b22a5d2
7f54ec139aa63e812f9bab12794fd1
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 43914a79a085d008b4d57e2f
ciphertext: 142d3aafbd7204feb783d90ce5cc9cf6b431229b05a8c5e48e672dab4ed7
d8b864a02d22ef9ae4b7d48f64ee0d
A.3. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, AES-GCM-128
A.3.1. Base Setup Information
Barnes, et al. Expires 9 November 2020 [Page 45]
Internet-Draft HPKE May 2020
mode: 0
kemID: 16
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: 8ce3034248a152ec76086ce59f96f70b8b30d34223013b91f0c1b72db8f65491
skE: aa40ae4c159a0b05d999dfb58273798f848660c037e8950cd053f85b4331b114
pkR: 04cea2c9b90f4699d30742f6e98e560fe658a6ed44aa6e762f8178284e241627291
44a84be182319f44a97a56a56ef36c5af2f6c6035e2824b7e1c70c87ca73fb8
pkE: 04a475670b8b2caa8ebd061d60841f0fab440ff3e47ffadb57e12d930defdae5458
1411dc5ae829252f39c21aa13a90fc1cdf7cf8267aff2d21bf4bc2344ef7c1a
enc: 04a475670b8b2caa8ebd061d60841f0fab440ff3e47ffadb57e12d930defdae5458
1411dc5ae829252f39c21aa13a90fc1cdf7cf8267aff2d21bf4bc2344ef7c1a
zz: f8ebfc5aa173226b1f74008e96851b888e03e5f200f346dd4ecb3483772714b6
context: 001000010001005d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 30c1c027ec32ede4ed3f9cbe008826e6bf9c0774acb1621f0bc992816e6d34c8
key: 6b29fb48d602a77c490730dfd8db1c32
nonce: 347a3181fd00871872150e20
exporterSecret:
2ac910bbcad401f286dfd6b42ce0344dfb30eefe689909e3a0f9e3f50488cb94
A.3.1.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 46]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 347a3181fd00871872150e20
ciphertext: 64974c8d8307c15588c4cbc39888abb7daa5debc6eed2942522bb459c177
f1d41c0ba8fb988509502840a1155f
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 347a3181fd00871872150e21
ciphertext: 0ae15506a0a749e1bc22709019dcb726f8b6e27879d091e9d30c5cd1600e
37602c11b7fe29a9299a84104603d7
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 347a3181fd00871872150e22
ciphertext: 04a7f0097660ff8fb968ac10c5e88bb39b0b24b77b2a0b7b139cc3fface8
82d540d3e874a0cb248fd7b7868b36
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 347a3181fd00871872150e24
ciphertext: fa0cb0114408aafea87145bce7ad80caa73c4f2e75009193700f5f358929
841d7de7af2375bf538b7021e625cf
A.3.2. PSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 47]
Internet-Draft HPKE May 2020
mode: 1
kemID: 16
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: 323c91c1fdb3de3c19d2efdcb08383573987a826383bacd7e53e3b47b83009bb
skE: 559f14988c9696cba734cbbe65f5be6ad80936b2b0b09a42637060dd2f2eabcd
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 0494def2a8ac76f8b6801c53cde72b8c0dbe4874d09e966154f46523ff1bc6635ea
3ddcbe06e4d714f8d3b56549e699941a9a0752ed307a888a8c6ed9858bdf1f6
pkE: 0442b4481553f81a349b6e6d818bc8b1a98fac95d90fdd5b9c38eb5fa6c43eb1938
0bccb234d6771eac9d6fde6406d210ac2508ea112363fab5c13f940683146f8
enc: 0442b4481553f81a349b6e6d818bc8b1a98fac95d90fdd5b9c38eb5fa6c43eb1938
0bccb234d6771eac9d6fde6406d210ac2508ea112363fab5c13f940683146f8
zz: 4832712586db709f9f7db84349a2ce04efe11aa4f824c34a88963d6d43b94057
context: 00100001000101535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 73922c96909aab9c4f5e9d57e0cbf7d321443a7cf7ead1fdbe38af54317af2e5
key: 61a7dfc6a5eb7a84cd9fc3caadefb9cb
nonce: 2fd7b8ee053eb831e122320c
exporterSecret:
fba725a6e3f9b1d0e2ce6630488613823890d6cbcf0c98aa5494936104200517
A.3.2.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 48]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 2fd7b8ee053eb831e122320c
ciphertext: 492ab3aa89ba33252bdfdbce4e4f7a23d0695504c488c929c274679f0489
9ad082ed6d86f1b1eb29890752ee6f
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 2fd7b8ee053eb831e122320d
ciphertext: 970114ed6dd7fb8344869547fc562a20cc1455c4842d37ae1b7b09af7575
56ab7f4e2c83df4ad39cdcca4457ec
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 2fd7b8ee053eb831e122320e
ciphertext: f035ba5dd833449db4caeca2551fee2125f7504fdaca2817b2070d05c108
727d2d0c80c0580b05d393728a531e
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 2fd7b8ee053eb831e1223208
ciphertext: 4c057faac0cb511a983ee755aca841ffb318a0fad7aecf298d4369aac227
1dc2593a534e0307e8708f30841590
A.3.3. Auth Setup Information
Barnes, et al. Expires 9 November 2020 [Page 49]
Internet-Draft HPKE May 2020
mode: 2
kemID: 16
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: eef04d3fc02f18a062e08a9f8360543dfb8ebf4e56816bf4187b46d38a2b461b
skS: 6a99366d689f03edb7853ef7becf089ad88fe1ce5f7e7a417ec3f27f4b7e738d
skE: 262a94df44d1c8512a58230d6668c136c44725272a120e36eaac7a66f7a4a651
pkR: 0488b9f57ddc29f4a217105136c840c6885600a7513026bf5f63153c6aeb721c03d
ca83bd1c41fbe3b9f4356c2987b85e4a9804116a6c49f368a7d78a922b0aa1d
pkS: 044cc663be95914919bc00ab7adc0040cfa91fd414d95e181ee8ac3958f267c130a
b1e6381475e0b1db5e0287a1c92b9fe2f3554e45a8aee77b561e01be3648dbc
pkE: 0423485e66ed4b9588897084890edfe6d9231970fa205033d0052f1717df3a38913
e19582e91594a515e3585c4169e13f747eb3d6e3d6fa6e85b444a2e098e204f
enc: 0423485e66ed4b9588897084890edfe6d9231970fa205033d0052f1717df3a38913
e19582e91594a515e3585c4169e13f747eb3d6e3d6fa6e85b444a2e098e204f
zz: 8636eba180c99b1928fb5b26567127d63d32d0adfa1f7498d4fc865d0bbb75de
context: 001000010001025d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 8af9fb4c52dc530a9b1ecd6fb03f42fe73033ea92ac25fd9e0121ff107424470
key: a5d872aa51960fb036354655a43f1744
nonce: c1010a9a308a1269e56a34c4
exporterSecret:
8c53501a3e6a156f17b4e5004ba83eedcf20749bb4019d9f2647a984b8b5945f
A.3.3.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 50]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: c1010a9a308a1269e56a34c4
ciphertext: d64fd203f9eaacad9c5d5bfa02b85bcc56ecc647a7e22dfdd41e848c6eb1
7cad015bb3876e04848e3397917cea
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: c1010a9a308a1269e56a34c5
ciphertext: e52ad5e01ad414243512e6fb754874c627cffa5636b9410dd7c90215b623
3cbf10baa61eaf2e7916a7df482355
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: c1010a9a308a1269e56a34c6
ciphertext: b3bfc4d5ff816be531a9675ea788d62cb24d9c1e8aa1d50396dda0e2d68d
579cb2ab4f349055bb87b8b9859232
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: c1010a9a308a1269e56a34c0
ciphertext: eb279949e754e837ab43cbfb1fd926614f834e0e736ffafcfa6202295b72
485506dfa07902e7eb0f16f2f4131c
A.3.4. AuthPSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 51]
Internet-Draft HPKE May 2020
mode: 3
kemID: 16
kdfID: 1
aeadID: 1
info: 4f6465206f6e2061204772656369616e2055726e
skR: e646ffe3cb25b225f861eefaca510c4ae30ec8cdd553c92e256f99964050db01
skS: d318c373e5695f682a12f05b8665f86ca826437e6999dcf65c4a30e57312b884
skE: b23e72f9ed8d928145eca9064a646e04d85053ebf04d0d208aa402ff6dad6d4b
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 044fc24b2c9aeea57d5526c92c80086253466da4c8dfe480df8306d7486738384d2
1e1c0fbfa48a2fd7e8b13df5c5de741ab7fe4b44202d88038c509fdb7f2bb40
pkS: 04b7fdb991a4dfc4c97fdd6d0bff3f58f823022340b065e0851e4efbad47e54e3a4
b8b0a13f7c90d47cd261fc988c1091ecf536979d4aee01949ea1186c28dbc73
pkE: 04694e64c16bb5d570b8ea3488fa38f6f025b765058707bf1784bd23e50bb6fa54f
a7b9cd5727aa3127dd636ac711b67c14cc5e85a899cd6eebe5abe1d0d0fb7b0
enc: 04694e64c16bb5d570b8ea3488fa38f6f025b765058707bf1784bd23e50bb6fa54f
a7b9cd5727aa3127dd636ac711b67c14cc5e85a899cd6eebe5abe1d0d0fb7b0
zz: 9b880502e7179714a0b00328d7d005768561e7f2298e6d52b71d6bee356b6af2
context: 00100001000103535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 689afd96d86da261a3b2c20eb78379e73d867de0dd9754d0992b2d7d2c0904c5
key: 6e8677b2d99afd2a3ea1040f3712cb84
nonce: ef405eb8f9c29f15f7927f36
exporterSecret:
ee804fea20f91550e63129acb7cced2f4f553a20fb31778ccc8ac4e03de7cbf2
A.3.4.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 52]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: ef405eb8f9c29f15f7927f36
ciphertext: f3a737bf395649b497651bd1be77b51ae37ef1ffbcb10e6c91563048546c
f3788c7c9544e91be5668840b9295d
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: ef405eb8f9c29f15f7927f37
ciphertext: b69a519bf35246d2e1e88a597557bf1603a9e7e433a56413ce03d125159a
021209bb65595ae9e8a9a74edda6de
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: ef405eb8f9c29f15f7927f34
ciphertext: 4e4758c5d4f324d5618d19207c14a2abfe9057415cf764d28749bfb1fefd
2e6cadebae943efb3382522a39c05b
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: ef405eb8f9c29f15f7927f32
ciphertext: fe1ee1416faef36103a5970cd7b4b435381f91de7d09f540c0b8bc1e40c7
a037b143b05f54cfd5dffc26b09e6f
A.4. DHKEM(P-256, HKDF-SHA256), HKDF-SHA256, ChaCha20Poly1305
A.4.1. Base Setup Information
Barnes, et al. Expires 9 November 2020 [Page 53]
Internet-Draft HPKE May 2020
mode: 0
kemID: 16
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 92ef45282082dcfeb7fbe45df7b7219a8ad6d04107854da9e0c24c5fec995907
skE: d529d27f3f516374cffa738c32c42911de67b0a8e2d2c57a9944cd9ad83ae3e0
pkR: 04b557e4dc4d085424bf3b7db2d06da3a49d8250e9466bf5a2a386af3ed773c8cd3
e2720a0115f1e0735aa0f8e4921eadf5a6168733126895db328d4aca63774e9
pkE: 04f89bdd9a29e59bfabf6ea6fc890467b19a72eb132fefc25c507528f1de9766009
684970917bb01c3a18111d12989580c78856ccd0558cda541e42b62f165c767
enc: 04f89bdd9a29e59bfabf6ea6fc890467b19a72eb132fefc25c507528f1de9766009
684970917bb01c3a18111d12989580c78856ccd0558cda541e42b62f165c767
zz: 6754f2f2e4bf83c07edae7c3127b118e00262f8606d5af329dfadb93ff2728bf
context: 001000010003005d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 3124bd770b176e77a832c8e4090bdab9ca1f1c27bf2e95db875151745433d69f
key: dec7c88f4d0a3716355a9ef8d7cfb99f26d4cc3286fe9589c2de5d83cfd1915f
nonce: f12fab01ef1837996f90e12d
exporterSecret:
34de33c174ce13b57f5e22b6b464b78a69abcef1ca5613e448732289602bbdc8
A.4.1.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 54]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: f12fab01ef1837996f90e12d
ciphertext: d1cf208440ca32057ed511b9baaa817b8036bb3e9ab4e4f1c729187ef6af
53d4a9e0bfb25404cb336efe28ee3d
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: f12fab01ef1837996f90e12c
ciphertext: 6f948abb01565f095d39819194a7076e85c33919882d7b6bc54e1814b275
5a50d814c6c6ca725b2b4f8b802099
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: f12fab01ef1837996f90e12f
ciphertext: 455593d46404c2178a1e7a05431ad37ca35a3e2d43bf478952a2920a9c6e
fd1971624025344e0d9be6ad8bc7ec
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: f12fab01ef1837996f90e129
ciphertext: 2fb5e7c44622de8549ee563a5aae857ffeb54a317b383c177d7aa0125e8b
67a4544eb008ea3966358aaf9f5edf
A.4.2. PSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 55]
Internet-Draft HPKE May 2020
mode: 1
kemID: 16
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 654ab19fdc95b8656cee07eeba21d837bdb965c4c10d3efd9023086b2ae324e4
skE: d64fe9010d3fd32114f5e60f326c60f782fa3ff56f71b9452e8d91a6f426a4cc
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 046ecd02480c6a5db13f3803e2d8182bb132fb8ad3ad26e038f50a9b1a2538d5a37
49795d4219789d539289ab91219e024b4ca43315153969437e8e7a1f1dc9e4b
pkE: 04ecae08130ce757348c5c1677553856e9b40249e65717a3765d9bfbb4cfcf8e805
12358941b6281dc64ebe783a21453e5e85584cea0a9471d0fb90a257ff8926d
enc: 04ecae08130ce757348c5c1677553856e9b40249e65717a3765d9bfbb4cfcf8e805
12358941b6281dc64ebe783a21453e5e85584cea0a9471d0fb90a257ff8926d
zz: c5421af7160bc5ba08d2892020d2ef9c783aacfead0202b55f9a03c6224afb5b
context: 00100001000301535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: f72737c4c9cd2a79d82eee9c692f4faf2da53aa6a2495d1152f7d3e7bbebb9cb
key: 35286da66cce19bd9bc93f288904e23ff879d9320d32052a431d5bb29b98b651
nonce: 182f818b070636ab290b7336
exporterSecret:
b965c0577224e819d38b13f7f4890bd15d41ce3af550f1b7cd564a1bfa307ba4
A.4.2.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 56]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 182f818b070636ab290b7336
ciphertext: 090ff66743ffe31efd8f631df5d3d9d4348ef607d043d5b7f2a616e243db
f6b35b57d17b35302cbb4eb265df07
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 182f818b070636ab290b7337
ciphertext: 68a0dfaaf7f891571f283a118e5593ff7b86c6760eb8577dd9a92bca77ae
8b3ac8a71b28dce9f91189f1b36fa8
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 182f818b070636ab290b7334
ciphertext: b227afa2dd3864137143fe617e6dbf157a2ec4b9aeeb376af53b3deaefc5
594d95c67c3f5f7ecbb38c5357175f
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 182f818b070636ab290b7332
ciphertext: a7691b3d044df3248fd4fd6abcd3c30589a49bebd8e127c0c15e65f2db30
6f9c4f8565ab815292582bed84c888
A.4.3. Auth Setup Information
Barnes, et al. Expires 9 November 2020 [Page 57]
Internet-Draft HPKE May 2020
mode: 2
kemID: 16
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: 6134a52f8fb5d0413db51e54cb2eeb0b3ebabdcf291a18287542fd2ff8ccbb46
skS: d0fb888fcb2ae75f226bf076c9eb1945de61fafab67007f88f5fdc396c4c37ee
skE: f6a76c5f517811aee1bd6d296cc140ec14002b578eb8f52ca7ddbb0ce8184d8d
pkR: 04b12759de146e8bf8bfa8f8c1d5c79de6bc04d55f9289d7dbca3d6f7f452f57ffc
d68f37fadc1369d50b2fc7b1a896389ce5b4275a0bfc39d02430e7ebed2fa0c
pkS: 043283361eca4cb9965c487d5c4b31bc79baf264a415e90d7de2cfb8e3049cb76bd
345583d2f9da7ae558be5eac05d3f0e47783cefb765a87d124615724a7651fc
pkE: 04440cf592ffa724cf469663c0f27dfbf09be3dcf011fcafcc4cf263ec550ce5aba
e55a0ee6bdc175b69b26cfd00699a817d077073cfa36f1d845d8287191a0f0c
enc: 04440cf592ffa724cf469663c0f27dfbf09be3dcf011fcafcc4cf263ec550ce5aba
e55a0ee6bdc175b69b26cfd00699a817d077073cfa36f1d845d8287191a0f0c
zz: 9627ac86436a3d42569b0a00f18efb4006ed933c447c1e2380b31bc9aecfd5bf
context: 001000010003025d0f5548cb13d7eba5320ae0e21b1ee274aac7ea1cce02570
cf993d1b24564499e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: b46be90bfbd29ef1a494d6f48b02f548841625406e9fdcbd4ae7a9e3e53a9b60
key: a4ab15a3cbb9022efa58cca16b64474f3e45ec970329dc480a2b26e554659d75
nonce: f2e0d1dc7385f8f3f9276f7a
exporterSecret:
c0c5b279430b59303f6a0c19b66270fc63a041c4e2452d014abe75e9861d6605
A.4.3.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 58]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: f2e0d1dc7385f8f3f9276f7a
ciphertext: b93f4121badc0913b2c06454ed93544c4f2d6f8202c1efd02918d4c1dc13
65989a4daa98f3002c8af88c42cf77
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: f2e0d1dc7385f8f3f9276f7b
ciphertext: 941d2999f70921defc2602fbdfa5b39cdae5e6fe00b606a15d9adf0d2685
d9adf1ba85fe37060c6981cc2eff74
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: f2e0d1dc7385f8f3f9276f78
ciphertext: 8dd3b4c153a1915e94efbecc709e808975d5244b383d4d2d16266a8b4ead
2940a389c63958da3c166537d08ef7
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: f2e0d1dc7385f8f3f9276f7e
ciphertext: d02b7216ca3cb394d18b2f650959a90f933b7df79705fb8655156fd409af
9136343b951afdf6ca311a262235d0
A.4.4. AuthPSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 59]
Internet-Draft HPKE May 2020
mode: 3
kemID: 16
kdfID: 1
aeadID: 3
info: 4f6465206f6e2061204772656369616e2055726e
skR: fa9d5864d5746d01f498aa4138753c12a56b45d55a2ec83217e1e0a87589374a
skS: 3bc0afdb8584331079ddfa1deba03d55503325c9dcc65884afa627533288117e
skE: 20349a95c704604cf6ab5ec4a948beac097820ab30aa83676bca1b9f591dfc04
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 04dfdd4fd2bcc00498b61bf3ff2bfdfafedae70ff884a3a0508c526c91f8559d0b3
d98e2429a1861e2001c6b63c5361eff69a5e4fe54d8e95febad40068c45062b
pkS: 04383fe5c1e93324c270dc27e80b8b8526a0063802663a9d5c3f5bbb5c09152a9a2
0978a56f7755b13786b8a7634281d0f9a9e6c92e19fc4a4ee96fe2a26fd4406
pkE: 04bc728d4d1fc38a773441745873c2f4673f4d9023b58b268592d0c745943793f62
1f44fa0641b2eda59bcdf3c353a8a54e799775927584cc180e250c227abda4a
enc: 04bc728d4d1fc38a773441745873c2f4673f4d9023b58b268592d0c745943793f62
1f44fa0641b2eda59bcdf3c353a8a54e799775927584cc180e250c227abda4a
zz: b84782558607409251469490e8674ec2ee7ab068be5aceddf386aedf82ab7838
context: 00100001000303535aff74a3119261af116227072152ed4bb4de6308609d770
601639c3b7804be9e3cec2bd4e7128a963d96f013c353992d27115c0a2ab771af17d02c2
528ef3c
secret: 5a2f7424272c3a08447d0f39e0e72a63d61fcdc981366dc2471324f622d342d2
key: 887108061056f6a32d9b4975fc046bac7b4adc14c5d59784e59c4fe2d41b5744
nonce: e55905e6adfdbed7b4872717
exporterSecret:
0e0cac5418a81a5752f9033043eb0aefa9523c5570d29d56b62ec22bdf11a56d
A.4.4.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 60]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: e55905e6adfdbed7b4872717
ciphertext: 89916dbb7dfef2af85d7b3a922f56ff97ecc877f12bde824f82338a2f4c7
e4ab1c8d5125497bf2e535148422a6
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: e55905e6adfdbed7b4872716
ciphertext: 466d17fdf8f9af9db5e2711b4b6df621410586102a540bb530d28dd16fee
7adf184b6e6eee2b9b28e469e169c3
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: e55905e6adfdbed7b4872715
ciphertext: 3604a0d53adbf9e384a3633a06d3ab25ce37af8463823ed2723e29432d40
7716238bdbdd31d1a89fb8fa538469
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: e55905e6adfdbed7b4872713
ciphertext: 26d3a8ff6f5ec2b214bb6faf5fd7a2d72c81bb99295ce5db7a4cdde6f10e
7d9ca64d155202acc05fb5d816765e
A.5. DHKEM(P-521, HKDF-SHA512), HKDF-SHA512, AES-GCM-256
A.5.1. Base Setup Information
Barnes, et al. Expires 9 November 2020 [Page 61]
Internet-Draft HPKE May 2020
mode: 0
kemID: 18
kdfID: 3
aeadID: 2
info: 4f6465206f6e2061204772656369616e2055726e
skR: 01b3e33a2cf926ef496fff7e86a3743c23a9797c3bf99af8366ce22b3b0940fff1f
1934e4d0bd539e130bdc3ff5991d37bdf45fc73529fe9a2e00e138d376610c26a
skE: 00252116681dacf4e707e9881aff5496942a36e74185347df21ab9d647dfe2a910e
325b027ac3114335c038589d86a6a1a665498a5a6ea687ad5ddbd4258f273e2e7
pkR: 0400ec315d49eee4579d51967cb9cf2a848d918059769f530f0fcfb92342bbf00b5
61a55dc58fae5f8ef0fcf53e86514600b09787dc886afbbd682feb5cd3d1b3e671800be3
c0358bf880ba2435eada8a1d5ea3585ea920c29ae39a5cb035de057721b8fc07d0666d46
a6be634b257427404a19c7ebface8fa37da857bbef6fe04622d9627
pkE: 04018cb8773e67d760392738f6c623e7ec6c67f9b3ecd2fdbcea912e794abe74bc0
9c7453cd34c03066af58b699a0151d96411737ebca94bbc29c1c9085c7d2f43793a0191e
ffdb3b5f428059c7db5508d8bb3597df0477098e7578231570b7e9fb85696391c1117aec
6c5ea34dbfc34c535fbd42c350246bf093160e89463bb0ea650e36b
enc: 04018cb8773e67d760392738f6c623e7ec6c67f9b3ecd2fdbcea912e794abe74bc0
9c7453cd34c03066af58b699a0151d96411737ebca94bbc29c1c9085c7d2f43793a0191e
ffdb3b5f428059c7db5508d8bb3597df0477098e7578231570b7e9fb85696391c1117aec
6c5ea34dbfc34c535fbd42c350246bf093160e89463bb0ea650e36b
zz: e1dfc9abea0a02ec20bef7159cf2cd9049618bbbfa4c4182ce4ca85d95b20cc02e4c
b50697a33c002c34d8de230b694ced34538d4f79afd2bcc981480d684759
context: 001200030002008ca13b5d680259cfa265de13dd24f257083c9403c01a8aa33
20b9195c8d1d812a58e72ff3dd3cf71dc81b21c354f84e9ca6863d5fd871711e356ed9bf
5f1e0d0a4f3eeee6a7c7854f42e3cd9a44e51d2e6319ad0961f0684a97858591766f738c
aa06d9cc4ccbb55bec142df86258987e10dd94cb8ccb5fdf6dad38b3cb08124
secret: e5eff28f7429a3e95cf44a45b6a82062959b11bc9b7f85264cd34bc6de12136a
3a385b9a9bb26fce21e038e176671c8c83a12e5062a1043c4dbb6e5acfe6e748
key: f108b5f5b47e3ef03a03c2b2cba0154d53033592877a2cf5b4beaf0f7b91959a
nonce: 49dd43ca5c2d9176a5e5df2a
exporterSecret: c76c811e401260f763f540a1982346d1087e2379921aea2815b333fa
23172e78ca5ee37730bc0dde79ed658bf84b837c7c2647320e1ae3b5e4bd4eed8f30870c
A.5.1.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 62]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 49dd43ca5c2d9176a5e5df2a
ciphertext: 0ee862df2a7829b7ba67fe033cebeea80bed51cf9677c96273a83191a07c
67a7710586281bf945b36c1517a04e
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 49dd43ca5c2d9176a5e5df2b
ciphertext: cc74da50bd1add07951b184df33237fc8de6eecc3bcd5e75fc4e9eead8b6
4000e44c4290a2084582d1cd6cd987
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 49dd43ca5c2d9176a5e5df28
ciphertext: 4a7844a39f25c6a1d98b15a795fdf739b0adcb47739bd4ba923f14b16256
d5b30bbed812d512d48a1d33fb4013
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 49dd43ca5c2d9176a5e5df2e
ciphertext: 14e504245942918ae8a51419987b7a18c2e0e92cc79a6dba83af2655fbfa
8125df9572059aa64480ef860b49f2
A.5.2. PSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 63]
Internet-Draft HPKE May 2020
mode: 1
kemID: 18
kdfID: 3
aeadID: 2
info: 4f6465206f6e2061204772656369616e2055726e
skR: 017ee8d2bb7dc4766d91596bc1fa741d03ac78c729258e9118c65a2b21d9fcb4249
b3854049a384c8c3c18387ae4d94b57e11407359d62cb5de0e7c2eeded7c5ee32
skE: 009c521217c269a1c94169f6bcd3b399903ea6d385b38d51eac1fa07a4aac06bc14
4613ba531e3377a817715d987fd63229e3adcaa1e585e3fe75ea8288a486ae3a8
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 04009070038197aaa0221dc91ad4c638ce2e28ba901d9cf588f4dcec4ae243507f1
9bf14c835d442aa26a9ee6d14f69777ae92c6f3a80f29bdd24ec38972a23ce0e89a00f81
d57db61fb8f530c25fb9dd226bf57de3c914254baf5c57c2de46cded50e051531b0d5e7e
a57c26a4ab80bba58e1b862110ad67b505e8f1011e00ad3f23a0d43
pkE: 04013fb71b35ae40dded07b44ceb170eaa977f863d71fc1bfb04c3d659ed612b6e9
2a6b2ded3f279353d4cad5acb75347ce0019dc18a3d5cec356af19d426dc8e59a9b00ba5
02ddb35e33f9e55eca473e6cfebec86e4fe2411ea482bb6cd6980f61b5fb0be7f613fafc
8f63e035c9d7428ca6fa85a4b6a27d9abb2e120673adf197f33d303
enc: 04013fb71b35ae40dded07b44ceb170eaa977f863d71fc1bfb04c3d659ed612b6e9
2a6b2ded3f279353d4cad5acb75347ce0019dc18a3d5cec356af19d426dc8e59a9b00ba5
02ddb35e33f9e55eca473e6cfebec86e4fe2411ea482bb6cd6980f61b5fb0be7f613fafc
8f63e035c9d7428ca6fa85a4b6a27d9abb2e120673adf197f33d303
zz: 549640ce1478ada68bc61005c29b0fea816c5350dcd02ab99e73ec1cc0d2af7a0eed
d1367faa7d3f6f9b5892ac034a9bec13e65b8ac276eb7a3c169bb1f4ca0d
context: 0012000300020119d7c2d36b1355543d8247391c51c377929151509971ce1c3
cda0abff3f82068d844d47d7ad9b8f30f64092000c86f54b4904f7c96b6f306e8d335154
d673d8da4f3eeee6a7c7854f42e3cd9a44e51d2e6319ad0961f0684a97858591766f738c
aa06d9cc4ccbb55bec142df86258987e10dd94cb8ccb5fdf6dad38b3cb08124
secret: e3689312061fc1f9e2159bb93b4d1bd1f48d77ef52796b1e41b931bc5e37868a
c1715e33b25476412c7b9c9563aae4a827d36ea846e461aabe75c25b87812107
key: 53adaee3d7c7e87de7cc594140a85dc1d721d1f0f88af84d96d3f4d6248bbdbd
nonce: 85cce02475d9ae00f1118490
exporterSecret: 9b28e6580e93cb6621c04037f5c7b4157fa4b5d0a6d5081011668d51
c2e817539a8f14be34948f597ba8f195001066c4f6632ce556251bba0513a0b0d5476074
A.5.2.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 64]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 85cce02475d9ae00f1118490
ciphertext: 6d4cfb895172d678b06738dbcf3061048ad80b83eed4fe39b3228c7e5ee2
ae78f7a0cca0db323fd27affb0c7f2
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 85cce02475d9ae00f1118491
ciphertext: 37072bbcdd63ecdfff53c236dc099de0f3b4641a04f73a6a91e6a441d0ff
018754e6413388753e8bd8bcdd2a0f
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 85cce02475d9ae00f1118492
ciphertext: fef8048a3e13f98daae2ceb977b0558403401fc82879f6e2a81139ad269e
53c227062eb4e8630e13d98151203f
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 85cce02475d9ae00f1118494
ciphertext: 54fd5d811c502e448920675ea4216c9f8d738b1682651bc3475ec1ba65bb
e983bb0b2cabc415d63309a7999b45
A.5.3. Auth Setup Information
Barnes, et al. Expires 9 November 2020 [Page 65]
Internet-Draft HPKE May 2020
mode: 2
kemID: 18
kdfID: 3
aeadID: 2
info: 4f6465206f6e2061204772656369616e2055726e
skR: 00e4a39e9808aec7cf16708aeb13eaa70fd0bcb453534233836f3207d88c61af1c2
3a4a993687973b42d178c1789bee1656f01d463e86cad6758c79f817f680e26bf
skS: 01dd6f1ea81fbcb28da541d801edfa89e5648cc809b42cbe8b503caf6d7c5026a8b
d9ea058951b8b9eee10e095a1865ef26ef247a3e62c25062f3877ff0627711eca
skE: 0179c8ecb90db0cec33df6cf79fda902d4facfd55a1e26216e176769d149df8da12
d46f35f07c7cabd5613dc47826fc5b778f24a50381c4ed0a9b93cee969f32f735
pkR: 0400bd881c923366876ec86f5110ec695d2da0cd8b35e64adbd5a9b13fc6daa9daa
c5b38277b6cd791fd6b47deab09815492426f373ead722b2ea7257b9e110681ec1001800
806a1c5f656bb354333c001d20a7639e5749fb3bc1a209f00e512752bceffa60e771926c
e9d6972bb3abeaf6d314b09d3c0ae69452dd61db2b84a21d70402dc
pkS: 040162d338cc04cf8f7aa40bf50efdef65fd17d561a22e387e833fa71408a9a3a7e
44900964544c58ce2e3e444a4622fafdaa0ce72d39266b6aae61d01879783bd5d910063e
c49234436b959148f8220e583774298e5dbd28be96be0c4f754ac93a10306c72495a8447
2d08376547d5fec4da477d316c4f6810cd97a9e97e792a06745fbc8
pkE: 040131079c4cbd0f4ee58ccf0f6cdefc6cd29470c0502f4852b84fbcd8ebc4aa5bf
7b0591372e290fe8d204c26342e27c4b6d6a5e6f8a81339328f46062b9a606028f701f23
f3ae4a48c0f90aa716fb4953e24e56f84b14a865cfbbf6ec9ce51e43504670cd2efbba2f
c8339ae40fac6a5e1d4e18d9d076dde50c881492921d4c583428766
enc: 040131079c4cbd0f4ee58ccf0f6cdefc6cd29470c0502f4852b84fbcd8ebc4aa5bf
7b0591372e290fe8d204c26342e27c4b6d6a5e6f8a81339328f46062b9a606028f701f23
f3ae4a48c0f90aa716fb4953e24e56f84b14a865cfbbf6ec9ce51e43504670cd2efbba2f
c8339ae40fac6a5e1d4e18d9d076dde50c881492921d4c583428766
zz: afecd208b4c8afe4edc325ad1ec4da83d5911b25054948cf6a6fe3b6f88de22febbf
79eb40fa7793c02431c4f4a2019b08c55b63bbe536f446710f0b40407d10
context: 001200030002028ca13b5d680259cfa265de13dd24f257083c9403c01a8aa33
20b9195c8d1d812a58e72ff3dd3cf71dc81b21c354f84e9ca6863d5fd871711e356ed9bf
5f1e0d0a4f3eeee6a7c7854f42e3cd9a44e51d2e6319ad0961f0684a97858591766f738c
aa06d9cc4ccbb55bec142df86258987e10dd94cb8ccb5fdf6dad38b3cb08124
secret: 10992ace2e26b84680077cb96e277ed62e22423ac9554e807b33357664be2e69
486a607916e2deaa2cadc0fc17deca089adfb1795dae25154db38ca71d76e2c7
key: c5a500e60f78fc9005f61fb8da7857c5884faf13d53ebbbf9883fbc605c36b5a
nonce: 52fb5d32f6e1f322a21ea824
exporterSecret: ed0ab2e6790caf174fdc9ac0d0322021ad7130dc1992b6b1970bf423
70245fbabf42dde1a6b7f159eeb052b7ac81071d1470e79ea8ce9552c9c4d05f183102fa
A.5.3.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 66]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 52fb5d32f6e1f322a21ea824
ciphertext: e6bbf97c7a233cbc520279b4fa0f9e5d0c5dbe14f993d7a9163c61ba3b5d
3f977a48af10cf592c4d572bb2881c
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 52fb5d32f6e1f322a21ea825
ciphertext: a1ca97d0dc69709014422b18e9797003e9d294b23ecee192f163baf58302
4d3f212f12858e8bf6d35289ba6fb7
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 52fb5d32f6e1f322a21ea826
ciphertext: c7ec1ca69653cc81b3a4ad4ab10c3ce471cd5381f8d6961d97bb6f6279d4
8352ee65f43224556d41e3c2bcca70
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 52fb5d32f6e1f322a21ea820
ciphertext: 90d3d47bbc91115742d37947c8c7b21ee267943fd500e1b937b58071ec48
cefb266fe830a12410f65fdf2b657f
A.5.4. AuthPSK Setup Information
Barnes, et al. Expires 9 November 2020 [Page 67]
Internet-Draft HPKE May 2020
mode: 3
kemID: 18
kdfID: 3
aeadID: 2
info: 4f6465206f6e2061204772656369616e2055726e
skR: 00dcca4c7aad3a047a5d0c579dce56d45a6ef7446055ef19d4295dff1b8d1586f95
e09052f733c5d1c9fa8bb7eab289cc3c5bb23e55559606a7b509d56bd660a63d0
skS: 002a28ddb89ecbb9af391e31185cdaf7a4683c9bf3f950866b73e65cae7f769a849
a792b23c65266cda967208a6f7d741ce06b9a5b206a1c670a36a02c0b2d62bbc5
skE: 00a69a328f366433eb173d1cd308627e6733d7b52d88745eb8bd63a4d4959d6ff82
389a1ead33fa9816afcb348532d78d41e1444f9f1aa945cdfc4f4bb98c8514722
psk: 5db3b80a81cb63ca59470c83414ef70a
pskID: 456e6e796e20447572696e206172616e204d6f726961
pkR: 0400475fd0db79dacda40f43684ccc8a3397689135f422388905a95f7fc4357fad0
ef3dec49c98a5aaa722457e4ee51d4eca72845b2d0580a8e77ab5086c3a9c6edede00c5b
fa1b71a8c8ba3672952e5ceebc0446df94c96cc0051faa671158d5c9c86a05797c3ca6cc
c19173b09bf2fe9b8e052f4ffecc871df03dc1da15b00cb1bfaa003
pkS: 040031d4c9313147b1b3e76ae4721a1fd12b8ff0096f5b4301e062e52d59d5cbebf
1826b424e4ce29ebf726fd67425451506f3a38fe9b5d38c967ef4f03d9b4ae55e4901449
a96bc684065b5e10e7852b43b7fbba72e3ecd3daf740c1b32289194beed37aa233c70ef8
ae5cccd2ff65cbce812135e7dc5771b37506f1671f98dede8641dd8
pkE: 04009099465afd901ba69bf88f870b57c073d334980469cc3cba70469bdfa01ee5c
b473fbfbc2b0a043ca5964aebfd98f8ac86a102807a5aaa6be5e15839781c48c7fe018dd
0ac7fb602b0481f7c9a3d8b3dba2f4f840b0a417f0aa3a03e665cc852cfd9e091662f89a
7db1f90ae3377be8dd7ab0ea1e00c524ed22002ba9a802adc66c551
enc: 04009099465afd901ba69bf88f870b57c073d334980469cc3cba70469bdfa01ee5c
b473fbfbc2b0a043ca5964aebfd98f8ac86a102807a5aaa6be5e15839781c48c7fe018dd
0ac7fb602b0481f7c9a3d8b3dba2f4f840b0a417f0aa3a03e665cc852cfd9e091662f89a
7db1f90ae3377be8dd7ab0ea1e00c524ed22002ba9a802adc66c551
zz: 2e2b048850e14fd394bd50c4958415e2383ae178ab952edb5382de5fff0418416091
b5ae209937552c3462aaeb10daebec1808e4b91590780fe1f71f2350fbb4
context: 0012000300020319d7c2d36b1355543d8247391c51c377929151509971ce1c3
cda0abff3f82068d844d47d7ad9b8f30f64092000c86f54b4904f7c96b6f306e8d335154
d673d8da4f3eeee6a7c7854f42e3cd9a44e51d2e6319ad0961f0684a97858591766f738c
aa06d9cc4ccbb55bec142df86258987e10dd94cb8ccb5fdf6dad38b3cb08124
secret: 9c4e164594f78fee0e4d831f66d27089182053d4e061b6e9ae6201e8717e7e2b
ab915484af139dbd14268ced341c368954430e146bf496fb96297fbe1e0b5012
key: eb051e3567ad0bb649352cf3b6c0a9109ec83b017e8cd4e9f38f7d0e412329cd
nonce: 03d8774ad04a46e2ce48bf90
exporterSecret: 27f9ed77b2a5716a825249280aeb8f122b79e89b7f4bc2f4ef888953
5d5818b276380aac8fc5edc795a541118c9f2e171ee98fafbb850b35ef089cb59cd1042c
A.5.4.1. Encryptions
Barnes, et al. Expires 9 November 2020 [Page 68]
Internet-Draft HPKE May 2020
sequence number: 0
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d30
nonce: 03d8774ad04a46e2ce48bf90
ciphertext: f8cccd94529f0182adc696e4ac638301d3660c9dccb1d30e293cf0d44c58
1254ef0e6c85364eef3dc308c94cdd
sequence number: 1
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d31
nonce: 03d8774ad04a46e2ce48bf91
ciphertext: e3f7c5c3de0e5fce026e6f60fbc6d4d4263ef5473004b1ae5fffcdb8a0d7
801f757f032b9b547afa0c1b5067f1
sequence number: 2
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d32
nonce: 03d8774ad04a46e2ce48bf92
ciphertext: 3ea46fc37f4941d15f524cbd5f2a91356efab2684b29ff799c180bd0b5a0
e8ec0059c203805757579d3523f8c5
sequence number: 4
plaintext: 4265617574792069732074727574682c20747275746820626561757479
aad: 436f756e742d34
nonce: 03d8774ad04a46e2ce48bf94
ciphertext: 09a2f6d90bf54d484a514d20fe4a6b6ce587282a36d253dd7242dab64efc
146356adb672546817443233a86afe
Authors' Addresses
Richard L. Barnes
Cisco
Email: rlb@ipv.sx
Karthik Bhargavan
Inria
Email: karthikeyan.bhargavan@inria.fr
Christopher A. Wood
Cloudflare
Email: caw@heapingbits.net
Barnes, et al. Expires 9 November 2020 [Page 69]