IETF Logo Mail Archive

Re: [CFRG] Kyber 'interactive key agreement'?

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 04 August 2022 16:38 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0601C15A722 for <cfrg@ietfa.amsl.com>; Thu, 4 Aug 2022 09:38:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.418
X-Spam-Level:
X-Spam-Status: No, score=-1.418 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DmmtcEqa_7AF for <cfrg@ietfa.amsl.com>; Thu, 4 Aug 2022 09:38:41 -0700 (PDT)
Received: from mail-oa1-f41.google.com (mail-oa1-f41.google.com [209.85.160.41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93732C15C500 for <cfrg@irtf.org>; Thu, 4 Aug 2022 09:38:41 -0700 (PDT)
Received: by mail-oa1-f41.google.com with SMTP id 586e51a60fabf-10bd4812c29so101217fac.11 for <cfrg@irtf.org>; Thu, 04 Aug 2022 09:38:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6h6A0wYUM58g4j5mQP4kr5zkzOOD37z47P7QB0yFPYw=; b=fHQyap0DorY8Tma7g6yvYHfPCcyky7P6AldXb9fiqDJx5PJrqtVwHLr9nXoQffAwmw ceqxhB9zAXY0NFRpdKlXHb7inEGoJsBy6USUyQNseqUuM+1nf8IUlFYLIkNnGEyyN2Z8 Bs5OpUwIUARZke0AD2FdwNruTUT2QkM6HWLLlQ0vF1XjHLncnqE3GKNY0T69qbUI0SMf GAk918x0uH3SD5jlw9DaiGAUqd1F1qz1HJhCiZNwkoI7RSBssxZeNNrYNMI1PXI9/9xv kyabHscTlmuofNbQjoxpzeZZRJJR1bVq/xXLxMxqDlzZ1yyBbeKfm6xB/gqzWClRtFKi KaLw==
X-Gm-Message-State: ACgBeo23EOvYUzoW1rNyV/3W4K1/iAPaGP1dEpPAhnc+c84/yoQfYyue 9LOE3uSsa/caSZxdmPubE+zw27UXhEEzBlsW4e0ABQp1vzg=
X-Google-Smtp-Source: AA6agR4W5CaL349LcHsrJoRMmp34ziec/BI0rRMfjRUTvQMPiT7Wd9z9wy6hok0tr1Rnpq+Xpr7N8IEX4orNgnzBIz0=
X-Received: by 2002:a05:6870:9590:b0:de:27ca:c60c with SMTP id k16-20020a056870959000b000de27cac60cmr4897824oao.108.1659631120728; Thu, 04 Aug 2022 09:38:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiW0=xcFMz=PihjWydK9HWjg34pJskszZPF8L3nvJTc+A@mail.gmail.com> <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com> <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
In-Reply-To: <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 04 Aug 2022 12:38:24 -0400
Message-ID: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com>
To: Thom Wiggers <thom@thomwiggers.nl>
Cc: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000068c7d805e56cfbb7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7a00B5ha99r1Xxykg_RiJ7C6bms>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2022 16:38:45 -0000

Having discussed this in other forums, it appears to me that the
fundamental problem here is that we need more than a ten minute
introduction to PQC algorithms before the protocol development community
can fully get to grips with what is going on.

What I thought I was hearing was an introduction to the Kyber algorithm. It
now appears that what I was actually hearing was an introduction to
applying Kyber to certain types of TLS like key exchanges. Hence the
disconnect since at this point my only PQC concerns are for Data at Rest.
That is not going to stop me adding PQC algorithms to my chat clients but I
am doing that because I can, not because I really need to.


My primary PQC concern today is that people are creating a lot of Word,
Excel, Powerpoint etc. documents whose contents are likely to still be
sensitive in 10-30 years time.

My secondary concern is for chat clients using Signal type key exchanges.


What I am seeing is a LOT of incomplete, handwavy statements that suggest
there is a problem using Kyber in legacy protocols without giving concrete
examples. And when I look at the code, those issues disappear.

TLS is at this point probably the most used key exchange scheme in the
world. We have spent over a quarter century securifying it and optimizing
it all the time working within the context of RSA and DH type schemes. So
it is really not at all surprising if such a closely optimized system with
such a vast amount of legacy baggage isn't a clean fit.

'Zero round trip' is not really a thing in existing protocols either. What
appears to be a zero-round trip protocol is in fact an interactive protocol
in which the initial stages have been craftily hidden in a different
infrastructure. That is even the case in S/MIME and OpenPGP. Alice does not
simply send a message to Bob, she first interacts with a PKI to get Bob's
public key. That type of legermain is exactly what cryptographic protocol
architecture is all about. The only thing Kyber changes is that data
objects end up being too big for a single ethernet packet because the IEEE
is lame and won't give us the 64K frames we need.


When it comes to timing, I remain convinced that nobody is going to have a
Quantum Cryptanalysis Capable (QCC) machine for at least a decade. But I
also agree with Russ Housely that we absolutely have to start work now and
with some urgency if we are going to deliver a PQC internet in time.

Splitting this discussion into 15 minute presentations across a series of
IETF/IRTF working groups is not going to work. We need to have some forum
that is focused on applying PQC algorithms in the abstract before we go to
deployment.

The correct approach to applying PQC in TLS may very well turn out to be to
create a completely new TLS key agreement. If that does turn out to be the
case, we will get there a lot quicker if that option is on the table at the
start rather than spending four or five years trying to make it work before
anyone is allowed to suggest a clean start.



On Tue, Aug 2, 2022 at 3:51 PM Thom Wiggers <thom@thomwiggers.nl> wrote:

> Hi Philip,
>
> The most common situations I've found where KEMs don't work as a drop-in
> for DH are when you want to do some authentication scheme.
>
> For example, consider the OPTLS/draft-tls-semistatic proposals. In OPTLS,
> the client sends over a g^x as usual, but the server takes that public key
> and directly combines it with its long-term DH secret s to compute g^{xs}
> (which OPTLS uses to compute a MAC). That's precisely the DH operation that
> KEMs don't give you. To do OPTLS with KEMs, you need an extra round-trip:
> the client needs to first receive the long-term KEM secret before it can
> send back an encapsulation.[1] KEMTLS/draft-celi-wiggers-tls-authkem uses
> some tricks to do basically that, but avoid the round-trip.
>
> Ephemeral KEM key exchange in TLS (1.3) doesn't have this problem, because
> authentication is done via signature. Plain old signatures are generally
> non-interactive (putting all of the additional PQ signatures baggage aside).
>
> DH is amazingly symmetric in its operations, and it seems to be turning
> out that this property was a big gift.
>
> In some discussions with Trevor Perrin about Noise protocols it seemed
> that there are two obvious ways out of this mess (at least for Noise
> protocols): an extra round-trip, or adding signatures. Of course, adding
> either to a protocol that did not have them is kind of a bummer.
>
> Cheers,
>
> Thom
>
> [1]: This was first discussed, as far as we're aware of, in the master's
> thesis of Wouter Kuhnen (OPTLS revisited, section 6.2)
> http://www.ru.nl/publish/pages/769526/thesis-final.pdf
>
> Op di 2 aug. 2022 om 19:58 schreef Bas Westerbaan <bas=
> 40cloudflare.com@dmarc.ietf.org>:
>
>> This might not look like it is a drop in replacement for ECDH,
>>>
>>
>> It is not. But for TLS it is sufficient: client generates a keypair and
>> sends pk. Server encapsulates for that pk and returns the created
>> ciphertext.
>>
>>
>>> [These routines call indcpa_enc, indcpa_dec which have rather different
>>> signatures. But the external interface is drop-in as far as I can see.]
>>>
>>
>> Don't use those.
>>
>>
>>> I did a search on 'malleability' in the Kyber paper and found nothing.
>>> So perhaps a clarification of the terms.
>>>
>>
>> The term you want to search for is IND-CCA2.
>>
>> Best,
>>
>>  Bas
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>

v2.23.0 | Report a Bug | By Email