IETF Logo Mail Archive

Re: [CFRG] How will Kyber be added to HPKE (9180)?

Neil Madden <neil.e.madden@gmail.com> Thu, 24 November 2022 15:59 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3441FC14F73E for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:59:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XL35uwUcpaaZ for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:59:58 -0800 (PST)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1641C14F72F for <cfrg@irtf.org>; Thu, 24 Nov 2022 07:59:58 -0800 (PST)
Received: by mail-wr1-x436.google.com with SMTP id x5so3065760wrt.7 for <cfrg@irtf.org>; Thu, 24 Nov 2022 07:59:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=nys2YRAZZzDuREZ9QgqqOBql6noeBQlLqjlTS9iZNHI=; b=R4qBijbY1jvwz8qcmMO0vD4aNsWw2gZSTgNAa6t2H+2in5OnY03RkQItAQO2dvPGYf NOvJiDnf0eAPHrqNQ3YGmRPfcxSzD16U9xLOMiuUGRGy+XX7oRta5Gh/CJbraLDHN129 AB4WZs8cfkLhlbxO9fHaBOL0ZtwFXQhDBlrBnA1QXGPhkLoulQyORWIw+ttBROtMEPM5 ifVhquxwsJ9PdOKfa/43PPf2X808+SuoLMuQJJ/91zqSZMEf+VxUjj6zyS/5a2zUFGH0 dmHc04jUEAcu+xaelcIM8oUGaU3FK5MJLNQgBtRc7Q686QVfnu7USrot3iaBn6P8pLep kwEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nys2YRAZZzDuREZ9QgqqOBql6noeBQlLqjlTS9iZNHI=; b=FU+0FeoHT6jA4Gvi6oOvUYBeOABK3Rv0S/H3ofrC/ktKGKDPJErs+Re7aKnrzCMlRz 5+7OC9Iw/aT/VdX/B3zaW12hhZa1EeEE453QH41WXhwW38scvrd1YlOyr7bq5frsayCf +iq4hGes4rCIa9wP6RNWy8HlDWKYF+cWJXiqhzdObVv+vLplcXyT7LM/1zT02ycQWIOE rM1hCnBbFnAGX/XAhWjtV9+C8QXdLGutGxashGFjjEx/oW0tDLSV/YiCYQMM5FR8M0FX JOBX3ATm0izyxZqALZ4ooohcxigcydupM8LgJZ35pitGL9vaSqtc2FnjfPzT84zdEdk7 jXJA==
X-Gm-Message-State: ANoB5pmmOlpOSG73jR0OW9NEDfzyib2LamjiifL/SyeZJ5mcocn/H4Eu DiLUF8CxfpTH9uJ56OtdgRQ=
X-Google-Smtp-Source: AA0mqf7qKQ++k31v9DS0cH0fbacZI1hoRu0qCOGYRD8dJwhQ3ExyptsK9sdx8/piOkCDAr254IMK+g==
X-Received: by 2002:a05:6000:1c15:b0:241:d30c:62c4 with SMTP id ba21-20020a0560001c1500b00241d30c62c4mr13117731wrb.219.1669305596577; Thu, 24 Nov 2022 07:59:56 -0800 (PST)
Received: from [10.0.0.5] (233.213.93.209.dyn.plus.net. [209.93.213.233]) by smtp.gmail.com with ESMTPSA id f14-20020a05600c154e00b003c6f3e5ba42sm7086347wmg.46.2022.11.24.07.59.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 24 Nov 2022 07:59:55 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
Message-Id: <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6146D3EF-460A-4078-B021-8148AC85EA5E"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Date: Thu, 24 Nov 2022 16:00:55 +0000
In-Reply-To: <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/7nZn4ao3GcakkqvRmqfEGaYnLCc>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 15:59:59 -0000

> On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> 
> On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:
>> Hi CFRG!
>> 
>> Background: we are working to add KEM support to Certificate
>> Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
>> will eventually be 4210bis). We are planning to accomplish this by
>> supporting HPKE (RFC 9180) as a new message protection mechanism in
>> CMPv3 and hoping that we can inherit Kyber more-or-less for free once
>> HPKE supports it.
>> 
>> Question "how": How will Kyber be added to HPKE? I assume there will
>> be an equivalent to section 4.1 that defines KyberKEM with its own
>> Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
>> AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1),
>> but making use of Kyber internally? The Kyber2018 paper [1] figure 3
>> defines an authenticated Kyber exchange that looks like it should
>> easily fit into the existing HPKE APIs. In other words, will
>> supporting 9180 now with abstractions around those 4 functions allow
>> for easy drop-in of Kyber later?
> 
> Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth*
> interfaces is optional is to allow for KEMs that do not allow non-
> interactive authentication, like the post-quantum ones.
> 
> In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
> is CSIDH (not to be confused with totally broken SIDH/SIKE), and
> security of that in both classical and quantum settings is subject to
> debate.

Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

-- Neil

v2.23.0 | Report a Bug | By Email