Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 05 August 2022 18:28 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Tim Hollebeek <tim.hollebeek@digicert.com>, Thom Wiggers <thom@thomwiggers.nl>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: IRTF CFRG <cfrg@irtf.org>
Date: Fri, 05 Aug 2022 18:28:38 +0000
Message-ID: <CH0PR11MB57396FFA7D67708076682F409F9E9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <104ACB77-C264-4605-A650-E5CFE2A2ACBB@ll.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_LlliBC5G4lW7NXzoTE2v0Foikw>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Uri,
> In case it matters (it may not 😉), in our protocols there are no “KDF parameters”,

Which protocols are you referring to? If you submitted something to LAMPS recently, I must have missed it.

---
Mike Ounsworth

From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu>
Sent: August 5, 2022 1:06 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com>; Thom Wiggers <thom@thomwiggers.nl>; Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Russ isn’t the only LAMPS chair who hates params, he’s just more vocal than me 😊

In case it matters (it may not 😉), in our protocols there are no “KDF parameters”, as all that is pre-defined and thus is implicit on the wire.

We do not favor prolonged negotiations (“just do what you’re told” sums it up nicely 😉). 😃

TNX

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Ounsworth
Sent: Friday, August 5, 2022 12:40 PM
To: Thom Wiggers <thom@thomwiggers.nl>; Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Thom said:
> Alternatively, another KDF is still fairly cheap.

At least in LAMPS-land, doing another KDF often means carrying another set of KDF params on the wire, and we all know how much Russ hates params :P

---
Mike Ounsworth

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Thom Wiggers
Sent: August 5, 2022 4:23 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: [EXTERNAL] Re: [CFRG] Kyber 'interactive key agreement'?

Hi,

On Fri 5 Aug 2022 at 10:27, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
> One still needs KDF. There is no guarantee that KEM directly allows
> variable-length output (KYBER does, as the final output stage is
> SHAKE-256) and even if it does, that the implementation supports that
> (the reference KYBER one does not).

As far as I know, the output length of the shared secrets in the current version of Kyber is part of the spec and the Known-Answer Tests (KATs); so even if it is using a XOF there, you're strictly speaking not allowed to change it.

Now, the current KATs have lots of things to be desired, and probably fix too many things. They even cover the secret keys, which is probably not great for lots of applications. Also, this all might change for the final version that NIST standardizes. If you want variable length outputs you may want to start a chat with NIST ;-)

Alternatively, another KDF is still fairly cheap.

Cheers,

Thom

> -Ilari

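As an added illustration of the point Ilari and Thom make above (this is example code written for this page, not code from the thread, from the Kyber reference implementation, or from any LAMPS draft): Kyber's decapsulation output is a fixed 32-byte shared secret whose length the spec and KATs pin down, so a protocol that needs more or differently sized key material wraps that secret in a KDF of its own. The example uses HKDF with HMAC-SHA-256 (RFC 5869) implemented from the standard library, plus a SHAKE-256 expansion for comparison, and fixes every KDF input (hash, label, purpose strings) in the protocol definition so that, as Uri describes, nothing KDF-related has to travel on the wire. The shared secret, the transcript hash, and the `PROTOCOL_LABEL` value are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-in for a Kyber decapsulation output: 32 bytes, fixed
# length, exactly as the spec and KATs require. NOT a real Kyber secret.
KEM_SHARED_SECRET = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Hypothetical, protocol-defined label. Because the label, hash function
# and purpose strings are all fixed by the protocol spec, they are
# implicit on the wire: no KDF parameters need to be carried or negotiated.
PROTOCOL_LABEL = b"example-protocol-v1 kyber key schedule"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA-256; empty salt means zeros."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA-256; length <= 255 * 32."""
    hash_len = hashlib.sha256().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand output too long")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, transcript_hash: bytes, lengths: dict) -> dict:
    """Derive several fixed-purpose keys from one fixed-length KEM secret.

    The transcript hash (e.g. over the public key and ciphertext) is used as
    the HKDF salt so the derived keys are bound to this exchange; each output
    is domain-separated by its purpose string. The Kyber secret itself is
    used as-is: its length is never changed, only expanded afterwards.
    """
    if len(shared_secret) != 32:
        raise ValueError("expected a 32-byte KEM shared secret")
    prk = hkdf_extract(transcript_hash, shared_secret)
    return {
        purpose: hkdf_expand(prk, PROTOCOL_LABEL + b"|" + purpose.encode(), n)
        for purpose, n in lengths.items()
    }


def xof_expand(shared_secret: bytes, length: int) -> bytes:
    """Expand with SHAKE-256 as the protocol's own KDF step.

    This is the XOF Ilari mentions, but applied by the protocol on top of
    the 32-byte Kyber output, not by altering Kyber's internal output length.
    """
    return hashlib.shake_256(PROTOCOL_LABEL + shared_secret).digest(length)


if __name__ == "__main__":
    # Constructed transcript hash; a real protocol would hash the exchange.
    transcript = hashlib.sha256(b"constructed transcript").digest()
    keys = derive_keys(KEM_SHARED_SECRET, transcript,
                       {"client_key": 32, "server_key": 32, "iv": 12})
    for name, value in keys.items():
        print(name, len(value), value.hex())
```

The HKDF functions are checked against RFC 5869 test case 1 in the test below, so the expansion step is a faithful implementation rather than an approximation; `derive_keys` rejects anything that is not the 32-byte Kyber secret so a caller cannot silently feed it a truncated or padded value.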