Re: [CFRG] How will Kyber be added to HPKE (9180)?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 24 November 2022 18:31 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, Neil Madden <neil.e.madden@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] How will Kyber be added to HPKE (9180)?
Thread-Index: AQHZAC7Yjzr8jIOCaUuZnt8T9BtJu65OXlcQ
Date: Thu, 24 Nov 2022 18:31:11 +0000
Message-ID: <CH0PR11MB57397983E338A31423A792499F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com> <HE1PR0701MB3050EDBDAFD56B3742FB0164890F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB3050EDBDAFD56B3742FB0164890F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6s1zaymWi5uMDIYBC4h6KTH7Eys>

John Mattsson said:

> I think that is a good idea. But I think the construction should probably be:
>
>   *   Add the recipient identity to the message.
>   *   Sign the message with Dilithium
>   *   Encrypt [recipient ID, message, signature] with HPKE-Kyber
>
> That is probably a good solution for CMPv3

I disagree.

Take for example a Kyber certificate trying to authorize/authenticate a request to the CA for its own revocation, key update, or cert renewal. All you have is a KEM certificate; where do you get a Dilithium key from?
Of course you could create an ephemeral Dilithium key, but a signature from an ephemeral key is fairly useless.

Some PKIs will always issue pairs of KEM / Signature certificates, but you don't get to assume this in general when designing the certificate management protocol - this will be especially true if TLS AuthKEM takes off and demand for KEM authentication certificates skyrockets. Plus, if you're using CertA to authorize management operations for CertB, then you have to strongly establish co-ownership of the two certs, which may be possible in some PKIs (for example if the CA has a consistent DN structure that strongly identifies both certs as belonging to the same entity / device / hardware key storage container, whatever the PKI administrator has deemed to be the definition of "co-ownership" for that environment), but requiring PKIs to be able to determine co-ownership of certificates would be a departure from current requirements of the CMP protocol where mechanisms exist for all cert types to self-administer.

---
Mike Ounsworth

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of John Mattsson
Sent: November 24, 2022 12:01 PM
To: Neil Madden <neil.e.madden@gmail.com>; Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?

Neil wrote:
> Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

I think that is a good idea. But I think the construction should probably be:

  *   Add the recipient identity to the message.
  *   Sign the message with Dilithium
  *   Encrypt [recipient ID, message, signature] with HPKE-Kyber

That is probably a good solution for CMPv3

Cheers,
John

From: CFRG <cfrg-bounces@irtf.org> on behalf of Neil Madden <neil.e.madden@gmail.com>
Date: Thursday, 24 November 2022 at 17:00
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?

On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:
>> Hi CFRG!
>>
>> Background: we are working to add KEM support to Certificate
>> Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
>> will eventually be 4210bis). We are planning to accomplish this by
>> supporting HPKE (RFC 9180) as a new message protection mechanism in
>> CMPv3 and hoping that we can inherit Kyber more-or-less for free once
>> HPKE supports it.
>>
>> Question "how": How will Kyber be added to HPKE? I assume there will
>> be an equivalent to section 4.1 that defines KyberKEM with its own
>> Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
>> AuthDecap(enc, skR, pkS) - i.e. the same interfaces as for DHKEM (4.1),
>> but making use of Kyber internally? The Kyber2018 paper [1] figure 3
>> defines an authenticated Kyber exchange that looks like it should
>> easily fit into the existing HPKE APIs. In other words, will
>> supporting 9180 now with abstractions around those 4 functions allow
>> for easy drop-in of Kyber later?
>
> Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth*
> interfaces are optional is to allow for KEMs that do not allow non-
> interactive authentication, like the post-quantum ones.
>
> In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
> is CSIDH (not to be confused with totally broken SIDH/SIKE), and
> security of that in both classical and quantum settings is subject to
> debate.

Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

-- Neil
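Neil's generic AKEM-from-KEM-plus-signature construction, presented behind the AuthEncap(pkR, skS) / AuthDecap(enc, skR, pkS) interface Mike asks about, as an added worked example; it is not code from the thread, from RFC 9180, or from any of the posters. The primitives are stand-ins chosen so it runs on a stock Python install: a toy DH KEM shaped like DHKEM (the group g=2 mod 2^255-19 is a placeholder picked for size, not a vetted parameter set) and a Lamport one-time hash-based signature in place of Dilithium. The function names, the key-pair dict layout, the choice to sign enc together with the recipient's public key, and the re-keying of the shared secret with both parties' public keys are all assumptions of this example, not anything the thread specifies.

```python
# Added example, not from the thread or RFC 9180. Stand-in primitives (assumed,
# NOT real Kyber/Dilithium): a toy DH KEM shaped like DHKEM over a placeholder
# group, and a Lamport one-time signature over SHA-256 (each key signs ONCE).
import hashlib
import secrets

P = 2**255 - 19  # placeholder modulus chosen for size only, not a vetted group
G = 2

def kdf(*parts: bytes) -> bytes:  # hash stand-in for HPKE's ExtractAndExpand
    return hashlib.sha256(b"".join(parts)).digest()

def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")

# --- unauthenticated KEM: Encap(pkR) / Decap(enc, skR), as in RFC 9180 4.1 ---
def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, i2b(pow(G, sk, P))

def kem_encap(pk_r: bytes):
    e = secrets.randbelow(P - 2) + 1
    enc = i2b(pow(G, e, P))
    dh = i2b(pow(int.from_bytes(pk_r, "big"), e, P))
    return enc, kdf(dh, enc, pk_r)

def kem_decap(enc: bytes, sk_r: int) -> bytes:
    pk_r = i2b(pow(G, sk_r, P))
    dh = i2b(pow(int.from_bytes(enc, "big"), sk_r, P))
    return kdf(dh, enc, pk_r)

# --- Lamport one-time signature (hash-based PQ signature stand-in) ---
def _bit(h: bytes, i: int) -> int:
    return (h[i // 8] >> (7 - i % 8)) & 1

def sig_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(hashlib.sha256(s).digest() for pair in sk for s in pair)
    return sk, pk  # serialized pk: hash of preimage (i, bit) sits at index 2*i + bit

def sig_sign(sk, msg: bytes) -> bytes:
    h = hashlib.sha256(msg).digest()
    return b"".join(sk[i][_bit(h, i)] for i in range(256))

def sig_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32 or len(pk) != 512 * 32:
        return False
    h = hashlib.sha256(msg).digest()
    return all(
        hashlib.sha256(sig[i * 32:(i + 1) * 32]).digest()
        == pk[(2 * i + _bit(h, i)) * 32:(2 * i + _bit(h, i) + 1) * 32]
        for i in range(256)
    )

# --- AKEM composition: AuthEncap(pkR, skS) / AuthDecap(enc, skR, pkS) ---
# A party's AKEM key pair is its KEM key pair plus its signature key pair.
def akem_keygen():
    kem_sk, kem_pk = kem_keygen()
    sig_sk, sig_pk = sig_keygen()
    pk = {"kem": kem_pk, "sig": sig_pk}
    return {"kem": kem_sk, "sig": sig_sk, "pk": pk}, pk

def auth_encap(pk_r: dict, sk_s: dict):
    enc, ss = kem_encap(pk_r["kem"])
    # Sign enc together with the recipient's key so the signature cannot be
    # transplanted onto an encapsulation aimed at a different recipient.
    sig = sig_sign(sk_s["sig"], enc + pk_r["kem"])
    pk_s = sk_s["pk"]
    # Bind the output key to both identities, as DHKEM's kem_context does.
    return enc + sig, kdf(ss, enc, pk_r["kem"], pk_s["kem"], pk_s["sig"])

def auth_decap(auth_enc: bytes, sk_r: dict, pk_s: dict) -> bytes:
    enc, sig = auth_enc[:32], auth_enc[32:]
    pk_r_kem = i2b(pow(G, sk_r["kem"], P))
    if not sig_verify(pk_s["sig"], enc + pk_r_kem, sig):
        raise ValueError("sender authentication failed")  # no key is derived
    return kdf(kem_decap(enc, sk_r["kem"]), enc, pk_r_kem, pk_s["kem"], pk_s["sig"])

def _accepts(auth_enc: bytes, sk_r: dict, pk_s: dict) -> bool:
    try:
        auth_decap(auth_enc, sk_r, pk_s)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Round trip plus the three rejections a recipient must produce."""
    sk_s, pk_s = akem_keygen()  # sender: needs a signature key (Mike's objection)
    sk_r, pk_r = akem_keygen()  # intended recipient
    sk_x, pk_x = akem_keygen()  # some other party
    auth_enc, ss_sender = auth_encap(pk_r, sk_s)
    tampered = bytes([auth_enc[0] ^ 1]) + auth_enc[1:]
    return {
        "roundtrip": auth_decap(auth_enc, sk_r, pk_s) == ss_sender,
        "tamper_rejected": not _accepts(tampered, sk_r, pk_s),
        "wrong_sender_rejected": not _accepts(auth_enc, sk_r, pk_x),
        "wrong_recipient_rejected": not _accepts(auth_enc, sk_x, pk_s),
    }
```

Calling demo() exercises the round trip and the three cases a recipient must refuse: a modified encapsulation, an encapsulation attributed to the wrong sender, and an encapsulation signed for a different recipient (caught only because pkR is inside the signed data). Two things the code makes concrete about the thread: auth_encap cannot be called at all without a signature secret key on the sender side, which is exactly the gap Mike raises for the holder of a KEM-only certificate; and because the Lamport stand-in is one-time, each sender key here authenticates a single encapsulation, whereas a Dilithium key as proposed in the thread would be reused across messages.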