IETF Logo Mail Archive

Re: [CFRG] [TLS] X-Wing: the go-to PQ/T hybrid KEM?

Filippo Valsorda <filippo@ml.filippo.io> Thu, 11 January 2024 16:08 UTC

Return-Path: <filippo@ml.filippo.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E630C2FEDF6 for <cfrg@ietfa.amsl.com>; Thu, 11 Jan 2024 08:08:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.704
X-Spam-Level:
X-Spam-Status: No, score=-2.704 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=filippo.io header.b="smt9WqKS"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="cYQTKAxK"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZlZpQ-pnO1Pf for <cfrg@ietfa.amsl.com>; Thu, 11 Jan 2024 08:08:26 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E470C151540 for <cfrg@irtf.org>; Thu, 11 Jan 2024 08:08:23 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id C17245C0136; Thu, 11 Jan 2024 11:08:22 -0500 (EST)
Received: from imap51 ([10.202.2.101]) by compute1.internal (MEProxy); Thu, 11 Jan 2024 11:08:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=filippo.io; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1704989302; x=1705075702; bh=borT0OoSEf 7zKu1Vea0ugcV/R6IRYw28HRCf5ePA0JU=; b=smt9WqKSyZAk3vBrfGnM+NPyZK S/TxIZTfxeJ8D3tYYVUNTBTfks4jJkxUPB56zWFPQMNqVeWZ02C7eW0DzUScMrUi /yyxuC62dXXGLkxrZvPwRP3NyU1IxPsX+mEFkQLMC206P3aLDG30U0WxQfC94kdB eZ1/WkrI5QWNQZv9TUE4KcDKrQDevvIX3rU+Sy5YV9m5BhCv1CWGVJRgOtz6/qpu Sc/1b3qnYJdRug2RyKUI5pa3p31mR/T7Sl99gskjVeXIU16kpyPRgXjaNdP1DW8Q 2bY05aqWFTjI36OY8vicubNRw/Nco2hmxbO9RuiudwQ8nb8gKD1fDV6PmEDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; t=1704989302; x=1705075702; bh=borT0OoSEf7zKu1Vea0ugcV/R6IR Yw28HRCf5ePA0JU=; b=cYQTKAxKoIrZucsch2UP8OkwWcY8BdqJQOr2D2eXE1Wp 3dGq25Y+Ty9G48231Wd6WsYXQNqAoG8U4G36oKx8bMqrdHoZEYxIuZlG2cvvx4z5 Lbybd2L+0OCb45HGctwzGwPXy0JM/RjSIJr/vz0nVmKBwLSwcfagyYo3MYsyDcXi Yptx6AnLphFWS8XT3l28r7unGuCptPN7WjG7jDN4u7Le8h0iCvWHU0vI/3ED7Uec OgkqOab9E4WAYa7LwQkdkeYsM6zxWBTFxpmQPnGxG2NuAaLUBdqkqo0LR/RTP2MX +IyWEWRlmXtuev+fkRkppL//o42xj/+b+duPLOTsAg==
X-ME-Sender: <xms:dRKgZVQTNYtzz6L9m5tWIVKurTpaIoNQD3FibccD_aBkV9hkyyT0Qg> <xme:dRKgZezOXOZgyRRosy5RDB9RMr4iV2xNSyr4RZDlfMD7dit4q9BETGIl2bpBawv2f InwCkj2owrVjwvAjw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvkedrvdeifedgkeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtsegrtderreerreejnecuhfhrohhmpedfhfhi lhhiphhpohcugggrlhhsohhruggrfdcuoehfihhlihhpphhosehmlhdrfhhilhhiphhpoh drihhoqeenucggtffrrghtthgvrhhnpeevgffgheetudeuudeuffetgfdttedvtdfhudfh tdetheevkeelffegteffkeeuieenucffohhmrghinhepfhhilhhiphhpohdrihhopdhgoh druggvvhdpghhithhhuhgsrdgtohhmpdhivghtfhdrohhrghdpihgrtghrrdhorhhgpdgt hhhrohhmihhumhdrohhrghdpthifihhtthgvrhdrtghomhdpshhprhhinhhgvghrrdgtoh hmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepfhhi lhhiphhpohesmhhlrdhfihhlihhpphhordhioh
X-ME-Proxy: <xmx:dRKgZa16XNil5qOi7J6eJWsfpZNbn1RZ3JdG4G7Ch1zvJKYAmohfEA> <xmx:dRKgZdAV95cTXAm35fBGRnIw_bZl-rIruaKBXcpo8Bffj4CYpgKGUg> <xmx:dRKgZejt0Gm7BmzxaTAErBjuKR36DGmZ59UUqfggYTnf8FNTThKNjw> <xmx:dhKgZfvm51miIqx4pKgmkqLk1gZUFziXe8nsz87_aty5LGxZ4JdZQg>
Feedback-ID: i2e91459c:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id A4159B6008D; Thu, 11 Jan 2024 11:08:21 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-1374-gc37f3abe3d-fm-20240102.001-gc37f3abe
MIME-Version: 1.0
Message-Id: <00f2e59a-f4d3-49e9-abd0-b6eb9b137e92@app.fastmail.com>
In-Reply-To: <CAMjbhoWZxsLFH6yBc0hdx3t3SohurXGkfMzouoxGXM92HBR_dw@mail.gmail.com>
References: <CAMjbhoWZxsLFH6yBc0hdx3t3SohurXGkfMzouoxGXM92HBR_dw@mail.gmail.com>
Date: Thu, 11 Jan 2024 17:08:01 +0100
From: Filippo Valsorda <filippo@ml.filippo.io>
To: Bas Westerbaan <bas@cloudflare.com>, IRTF CFRG <cfrg@irtf.org>, IETF TLS <tls@ietf.org>
Cc: mbb@fc.up.pt, karo@cupdev.net, Peter Schwabe <peter@cryptojedi.org>
Content-Type: multipart/alternative; boundary="9f43b7642c3242c3b443874e3260ab7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AS5zuvEq_lfeHCfLVQF9OSgeyEc>
Subject: Re: [CFRG] [TLS] X-Wing: the go-to PQ/T hybrid KEM?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jan 2024 16:08:31 -0000

This is excellent, especially the explicit decision to make concrete primitive choices, which allow the scheme to be both secure and efficient.

I have an implementation at filippo.io/mlkem768/xwing <https://pkg.go.dev/filippo.io/mlkem768/xwing> which passes the test vectors in draft-connolly-cfrg-xwing-kem-00, Appendix A.

By the way, I really appreciate specifying "derandomized" versions of the functions for testing. It solves the problem of "randomness from the sky" <https://words.filippo.io/dispatches/avoid-the-randomness-from-the-sky/> while providing a clear mandate not to expose the random input in high-level APIs. I would love to see this pattern adopted widely.

As Bas already mentioned, I suggested making sk = `concat(sk_M, sk_X, pk_X), to avoid the pk input to Decapsulate and mirroring in a sense the presence of pk_M in sk_M. We've learned with Ed25519 <https://github.com/jedisct1/libsodium/issues/170> that designing APIs where key mismatches are possible is dangerous. In this case I *think* there would be no security impact, but it leads to questions like "what is the expected behavior of Decapsulate if the ML-KEM pk is invalid?" (This change is again cheap/possible because X-Wing targets `ML-KEM-768 and X25519 specifically, which further validates the team's decision to make concrete choices.)

2024-01-10 21:13 GMT+01:00 Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>:
> Dear tls and cfrg working groups,
> 
> With ML-KEM (née Kyber) expected to be finalized this year, it’s time to revisit the question of which PQ/T hybrid KEMs to standardize, and which to recommend.
> 
> # Status quo
> 
> For TLS at the time of writing there are two PQ/T hybrids registered: X25519Kyber768 [1] and P256Kyber768 [2]. The former has been deployed widely [3]. Both are instances of the hybrid-design draft [4], which use the simple combiner ss_ECC || ss_Kyber, which is suitable for TLS, but not for other applications such as HPKE, as it’s not IND-CCA2 robust [5].
> 
> For HPKE, there is a different KEM called X25519Kyber768 [6], which uses a different combiner that mixes in the X25519 ephemeral key, by using HPKE’s DHKEM construction instead of raw X25519.
> 
> There is also the ounsworth-kem-combiners I-D [7] that informed by [5] proposes the generic combiner
> 
>   KDF( counter || ct1 || ss1 || ct2 || ss2 || fixedInfo, outputBits )
> 
> From a security standpoint that would be suitable for HPKE and TLS. To TLS it is somewhat unattractive as it requires hashing the typically large PQ ciphertexts, and adds some extra hashing in the conversion of the ECDH into a KEM. On the other hand, for TLS it would be nice to have a KEM that is also suitable for HPKE, as HPKE is used in ECH.
> 
> From a usability perspective, ounsworth-kem-combiners requires the user to make several choices: which KEMs and in particular which method to use to turn ECDH into a KEM, which security levels, which KDF, etc.
> 
> # The proposal: X-Wing
> 
> Let us introduce X-Wing [0]. The goal of X-Wing is to be *the* go-to PQ/T hybrid KEM for the majority of use cases (including TLS and HPKE): no need to make choices, or understand the subtleties.
> 
> X-Wing aims for 128-bit security, and for that combines the time-tested X25519 with ML-KEM-768 [8]. X-Wing uses the combiner
> 
>   SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 )
> 
> Here ss_X25519 is the plain X25519 shared secret; ct_X25519 is the ephemeral public key; xwing-label a 6-byte label. Note that it doesn’t hash in the ML-KEM ciphertext. For a generic KEM one cannot leave out the ciphertext, but in the case of ML-KEM we can, assuming we can model SHA3/SHAKE as a random oracle. This is proven in [0]. The gist is that FO transform in ML-KEM makes it “ciphertext collision resistant”: even if the underlying lattice problem is broken, it’s infeasible to create from one ciphertext another different ciphertext with the same shared secret.
> 
> # Not final
> 
> We would love to hear your input: X-Wing is not final. For one, ML-KEM itself might still change (presumably only in minor ways) before final standardization. We think the CFRG would be a good venue to standardize X-Wing — do you concur?
> 
> Best,
> 
> Bas, Deirdre, Karolin, Manuel, Peter
> 
> 
> PS. We want to mention explicitly that we see value in the kem-combiners and hybrid-design drafts as generic safe methods to construct hybrids for those use cases where X-Wing would not suffice.
> 
> 
> [0] Spec: https://datatracker.ietf.org/doc/draft-connolly-cfrg-xwing-kem/
> Proof: https://eprint.iacr.org/2024/039
> [1] Full name X25519Kyber768Draft00. https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/
> [2] Full name SecP256r1Kyber768Draft00. https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-kyber/
> [3] https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
> https://twitter.com/bwesterb/status/1734586155868287457
> [4] https://datatracker.ietf.org/doc/draft-stebila-tls-hybrid-design/
> [5] https://link.springer.com/chapter/10.1007/978-3-319-76578-5_7
> [6] https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/
> [7] https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/
> [8] Following earlier deployment of X25519Kyber768, despite targeting 128 bits, we use ML-KEM-768 instead of ML-KEM-512 to hedge against advances in lattice attacks.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email