Re: [CFRG] Kyber 'interactive key agreement'?
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 04 August 2022 16:38 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0601C15A722 for <cfrg@ietfa.amsl.com>; Thu, 4 Aug 2022 09:38:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.418
X-Spam-Level:
X-Spam-Status: No, score=-1.418 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmmtcEqa_7AF for <cfrg@ietfa.amsl.com>; Thu, 4 Aug 2022 09:38:41 -0700 (PDT)
Received: from mail-oa1-f41.google.com (mail-oa1-f41.google.com [209.85.160.41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93732C15C500 for <cfrg@irtf.org>; Thu, 4 Aug 2022 09:38:41 -0700 (PDT)
Received: by mail-oa1-f41.google.com with SMTP id 586e51a60fabf-10bd4812c29so101217fac.11 for <cfrg@irtf.org>; Thu, 04 Aug 2022 09:38:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6h6A0wYUM58g4j5mQP4kr5zkzOOD37z47P7QB0yFPYw=; b=fHQyap0DorY8Tma7g6yvYHfPCcyky7P6AldXb9fiqDJx5PJrqtVwHLr9nXoQffAwmw ceqxhB9zAXY0NFRpdKlXHb7inEGoJsBy6USUyQNseqUuM+1nf8IUlFYLIkNnGEyyN2Z8 Bs5OpUwIUARZke0AD2FdwNruTUT2QkM6HWLLlQ0vF1XjHLncnqE3GKNY0T69qbUI0SMf GAk918x0uH3SD5jlw9DaiGAUqd1F1qz1HJhCiZNwkoI7RSBssxZeNNrYNMI1PXI9/9xv kyabHscTlmuofNbQjoxpzeZZRJJR1bVq/xXLxMxqDlzZ1yyBbeKfm6xB/gqzWClRtFKi KaLw==
X-Gm-Message-State: ACgBeo23EOvYUzoW1rNyV/3W4K1/iAPaGP1dEpPAhnc+c84/yoQfYyue 9LOE3uSsa/caSZxdmPubE+zw27UXhEEzBlsW4e0ABQp1vzg=
X-Google-Smtp-Source: AA6agR4W5CaL349LcHsrJoRMmp34ziec/BI0rRMfjRUTvQMPiT7Wd9z9wy6hok0tr1Rnpq+Xpr7N8IEX4orNgnzBIz0=
X-Received: by 2002:a05:6870:9590:b0:de:27ca:c60c with SMTP id k16-20020a056870959000b000de27cac60cmr4897824oao.108.1659631120728; Thu, 04 Aug 2022 09:38:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiW0=xcFMz=PihjWydK9HWjg34pJskszZPF8L3nvJTc+A@mail.gmail.com> <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com> <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
In-Reply-To: <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 04 Aug 2022 12:38:24 -0400
Message-ID: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com>
To: Thom Wiggers <thom@thomwiggers.nl>
Cc: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000068c7d805e56cfbb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7a00B5ha99r1Xxykg_RiJ7C6bms>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2022 16:38:45 -0000
Having discussed this in other forums, it appears to me that the fundamental problem here is that we need more than a ten minute introduction to PQC algorithms before the protocol development community can fully get to grips with what is going on. What I thought I was hearing was an introduction to the Kyber algorithm. It now appears that what I was actually hearing was an introduction to applying Kyber to certain types of TLS like key exchanges. Hence the disconnect since at this point my only PQC concerns are for Data at Rest. That is not going to stop me adding PQC algorithms to my chat clients but I am doing that because I can, not because I really need to. My primary PQC concern today is that people are creating a lot of Word, Excel, Powerpoint etc. documents whose contents are likely to still be sensitive in 10-30 years time. My secondary concern is for chat clients using Signal type key exchanges. What I am seeing is a LOT of incomplete, handwavy statements that suggest there is a problem using Kyber in legacy protocols without giving concrete examples. And when I look at the code, those issues disappear. TLS is at this point probably the most used key exchange scheme in the world. We have spent over a quarter century securifying it and optimizing it all the time working within the context of RSA and DH type schemes. So it is really not at all surprising if such a closely optimized system with such a vast amount of legacy baggage isn't a clean fit. 'Zero round trip' is not really a thing in existing protocols either. What appears to be a zero-round trip protocol is in fact an interactive protocol in which the initial stages have been craftily hidden in a different infrastructure. That is even the case in S/MIME and OpenPGP. Alice does not simply send a message to Bob, she first interacts with a PKI to get Bob's public key. That type of legermain is exactly what cryptographic protocol architecture is all about. The only thing Kyber changes is that data objects end up being too big for a single ethernet packet because the IEEE is lame and won't give us the 64K frames we need. When it comes to timing, I remain convinced that nobody is going to have a Quantum Cryptanalysis Capable (QCC) machine for at least a decade. But I also agree with Russ Housely that we absolutely have to start work now and with some urgency if we are going to deliver a PQC internet in time. Splitting this discussion into 15 minute presentations across a series of IETF/IRTF working groups is not going to work. We need to have some forum that is focused on applying PQC algorithms in the abstract before we go to deployment. The correct approach to applying PQC in TLS may very well turn out to be to create a completely new TLS key agreement. If that does turn out to be the case, we will get there a lot quicker if that option is on the table at the start rather than spending four or five years trying to make it work before anyone is allowed to suggest a clean start. On Tue, Aug 2, 2022 at 3:51 PM Thom Wiggers <thom@thomwiggers.nl> wrote: > Hi Philip, > > The most common situations I've found where KEMs don't work as a drop-in > for DH are when you want to do some authentication scheme. > > For example, consider the OPTLS/draft-tls-semistatic proposals. In OPTLS, > the client sends over a g^x as usual, but the server takes that public key > and directly combines it with its long-term DH secret s to compute g^{xs} > (which OPTLS uses to compute a MAC). That's precisely the DH operation that > KEMs don't give you. To do OPTLS with KEMs, you need an extra round-trip: > the client needs to first receive the long-term KEM secret before it can > send back an encapsulation.[1] KEMTLS/draft-celi-wiggers-tls-authkem uses > some tricks to do basically that, but avoid the round-trip. > > Ephemeral KEM key exchange in TLS (1.3) doesn't have this problem, because > authentication is done via signature. Plain old signatures are generally > non-interactive (putting all of the additional PQ signatures baggage aside). > > DH is amazingly symmetric in its operations, and it seems to be turning > out that this property was a big gift. > > In some discussions with Trevor Perrin about Noise protocols it seemed > that there are two obvious ways out of this mess (at least for Noise > protocols): an extra round-trip, or adding signatures. Of course, adding > either to a protocol that did not have them is kind of a bummer. > > Cheers, > > Thom > > [1]: This was first discussed, as far as we're aware of, in the master's > thesis of Wouter Kuhnen (OPTLS revisited, section 6.2) > http://www.ru.nl/publish/pages/769526/thesis-final.pdf > > Op di 2 aug. 2022 om 19:58 schreef Bas Westerbaan <bas= > 40cloudflare.com@dmarc.ietf.org>: > >> This might not look like it is a drop in replacement for ECDH, >>> >> >> It is not. But for TLS it is sufficient: client generates a keypair and >> sends pk. Server encapsulates for that pk and returns the created >> ciphertext. >> >> >>> [These routines call indcpa_enc, indcpa_dec which have rather different >>> signatures. But the external interface is drop-in as far as I can see.] >>> >> >> Don't use those. >> >> >>> I did a search on 'malleability' in the Kyber paper and found nothing. >>> So perhaps a clarification of the terms. >>> >> >> The term you want to search for is IND-CCA2. >> >> Best, >> >> Bas >> _______________________________________________ >> CFRG mailing list >> CFRG@irtf.org >> https://www.irtf.org/mailman/listinfo/cfrg >> >
- [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Bas Westerbaan
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Andreas Hülsing
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Jeff Burdges
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Mike Ounsworth
- Re: [CFRG] Kyber 'interactive key agreement'? Ilari Liusvaara
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Tim Hollebeek
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Tim Hollebeek
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth