[CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

Mike Ounsworth <Mike.Ounsworth@entrust.com> Sat, 26 November 2022 02:24 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6zEeaYSpSANuuLkn5orbF6dcbvU>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Hi CFRG!

How to combine the output of two KEMs into a single shared secret is coming up in a bunch of places:

1. anywhere that's doing KEM/PSK hybrids,
2. anywhere that’s doing Post-Quantum / Traditional hybrid KEMs (TLS, CMS, OpenPGP, JOSE/COSE, etc), and
3. anywhere that’s trying to replace a static-static DH with KEMs needs to do a KEM in each direction and combine them (see my recent thread “How will Kyber be added to HPKE?”).

At TLS 113, Douglas Stebila presented draft-ietf-tls-hybrid-design and a discussion ensued about whether KDF( ss1 || ss2 ) is a sound choice of combiner with Stebila saying “It’s fine” and Nimrod Aviram saying “But we could do better with a real Dual PRF!”. As far as I know, this debate is unresolved, so I think we need to document the standard way of doing this with any applicable caveats because people *are* doing this. This draft hopefully is not groundbreaking, just giving us something to point at so we’re all doing it the same way.

Disclaimer: I am not a cryptographer. I would love critique (I’m willing to offer co-authorship) to tighten up the security analysis and the statements about where this construction is and is not safe to use.


---
Mike Ounsworth

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: November 25, 2022 8:21 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt


______________________________________________________________________

A new version of I-D, draft-ounsworth-cfrg-kem-combiners-00.txt
has been successfully submitted by Mike Ounsworth and posted to the IETF repository.

Name:           draft-ounsworth-cfrg-kem-combiners
Revision:       00
Title:          Combiner function for hybrid key encapsulation mechanisms (Hybrid KEMs)
Document date:  2022-11-25
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/archive/id/draft-ounsworth-cfrg-kem-combiners-00.txt
Status:         https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ounsworth-cfrg-kem-combiners


Abstract:
   The migration to post-quantum cryptography often calls for performing
   multiple key encapsulations in parallel and then combining their
   outputs to derive a single shared secret.

   This document defines the KEM combiner KDF( H(ss1) || H(ss2) ) which
   is considered to be a dual PRF in practice, even though not provably
   secure.  This mechanism simplifies to KDF( ss1 || ss2 ) when used
   with a KEM which internally uses a KDF to produce its shared secret.
   RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet
   this criteria and therefore be safe to use with the simplified KEM
   combiner.




The IETF Secretariat
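As an added illustration (not code from the draft or from anyone in this thread), here is the KDF( H(ss1) || H(ss2) ) combiner from the abstract next to its simplified KDF( ss1 || ss2 ) form, instantiated with HKDF-SHA256 and an assumed context string; the abstract names no particular KDF or hash, so those are assumptions. The constructed inputs show what the per-input hash buys: each secret becomes a fixed-length block, so the concatenation has one unambiguous parse whatever the KEMs' native secret lengths are.

```python
import hashlib
import hmac

HASH = hashlib.sha256          # assumed hash; the draft abstract fixes none
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; an empty salt behaves as HashLen zero bytes."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def kdf(ikm: bytes, context: bytes = b"kem-combiner-demo", length: int = HASH_LEN) -> bytes:
    """The KDF of the combiner: HKDF over the combined input keying material."""
    return hkdf_expand(hkdf_extract(b"", ikm), context, length)


def combine_simplified(ss1: bytes, ss2: bytes) -> bytes:
    """KDF( ss1 || ss2 ): the simplified form for KEMs whose ss is already KDF output."""
    return kdf(ss1 + ss2)


def combine_hashed(ss1: bytes, ss2: bytes) -> bytes:
    """KDF( H(ss1) || H(ss2) ): each input is first mapped to a fixed-length block."""
    return kdf(HASH(ss1).digest() + HASH(ss2).digest())


def boundary_ambiguity_demo() -> dict:
    """Constructed inputs: two distinct (ss1, ss2) pairs with identical ss1 || ss2.

    With variable-length secrets the simplified combiner cannot tell the pairs
    apart; hashing each input first restores a canonical encoding.
    """
    a1, a2 = b"\x01\x02\x03", b"\x04\x05\x06\x07"
    b1, b2 = b"\x01\x02", b"\x03\x04\x05\x06\x07"
    assert a1 + a2 == b1 + b2
    return {
        "simplified_collides": combine_simplified(a1, a2) == combine_simplified(b1, b2),
        "hashed_collides": combine_hashed(a1, a2) == combine_hashed(b1, b2),
    }
```

With fixed-length secrets such as Kyber's 32-byte output the two forms differ only by the extra hash, which is the situation the abstract's simplification is aimed at.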

