IETF Logo Mail Archive

Re: [CFRG] How will Kyber be added to HPKE (9180)?

Orie Steele <orie@transmute.industries> Thu, 24 November 2022 19:03 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF30FC14CE57 for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tlZ1ymrInZq for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5864DC14CE4D for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id s5so3589665edc.12 for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=C3tF+rRNmiwUxYBbjdBDz6JFQQqheZ51GfOZlKCOb+s=; b=eLz2IhrMVB02qEkRGaXaTcohL4u43ArGOp4QEl8l/x678uy2Jk7A6QIIWX0Zx8CpbZ I/xgk7t9aQclO9RDzwEMX1NPoYKvqQqTm6YVSQ5g91n5uCceOsoxj+GmGoY+j/ScMa8k D38oI3Jp/mlAuqMRJnS9hDMzMEr+nQFNGhhvFN+UuYIsNxMnnwAkGdkXT9SWVoX/GG4j UazW+uA1tRDUWcDlbnmYxBJI62Rfb7rvpUYmK51QpL/HATvRf3Nw2gXRCVdkVtIvKucB PK8pvTa/ydVCy3tm887i0KbQPlX2ZuOO0dyO4OM7SR9b2GkjXzisb5igD2ir0hGO3a8d jIHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=C3tF+rRNmiwUxYBbjdBDz6JFQQqheZ51GfOZlKCOb+s=; b=DDDLoDAcmZru/uaPuaw7/InBMXtCm8rK0gZ8xeVqYhEG+ZW/BVmSyODhBAnHc5rgMy Om3uqID8r1ClME3yaM76ZRiB0Ws+0cMP3zceMP4byWMgEJa6pCo9G15i9mugHqLV85yl b+dgdeF46vXW1FBzDv6R6fGDPrUGTfoP33el1cCulrtzpAdntoTqJ7nuTzVsE2V4K/If 3VkE3RNGt5scVu1oeLN1HnPK8P/FbSROG1xFYCRu1TvFb7/3R3yWyEyikP4RD6rliA+v 4MZw0Y90tB1wVJ08w2SoLqSJEnMAXywE8hxX3TSG3XGgt+c+m425Tqtjqqe2+jMS8KOT 6ErA==
X-Gm-Message-State: ANoB5pm1lDb1uQonhZUqa3V+sHeqLS4ROBt0GtU/c/fQ/Pac+CVWfFVd +8Wx4HnYqdSZoZLZKNe2LrtIFb2cmrEmke+M8+bQWg==
X-Google-Smtp-Source: AA0mqf7WO6VYEmtwHFUNDIMwYwA7/NVvPKVa5Jjr2nUc1ioGXpKrNICL3gyldUq1JRLFzuTgbd5I0Vv8I542AcfhDQs=
X-Received: by 2002:aa7:c6da:0:b0:469:172:1f38 with SMTP id b26-20020aa7c6da000000b0046901721f38mr29152369eds.195.1669316596634; Thu, 24 Nov 2022 11:03:16 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB57397983E338A31423A792499F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <DFD28D47-6007-4536-9DF8-61CAE03E0BE9@gmail.com>
In-Reply-To: <DFD28D47-6007-4536-9DF8-61CAE03E0BE9@gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 24 Nov 2022 13:03:06 -0600
Message-ID: <CAN8C-_KwT8M6-8_xA5mCCHrDWja3s1tH-RQjGz5eskYhNaa63w@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: Mike Ounsworth <Mike.Ounsworth@entrust.com>, CFRG <cfrg@irtf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c2b07905ee3c0e84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/E9anoH0XIPOED1LnqM11XsOTxo4>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 19:03:23 -0000

I think I'm hearing there is no way to build something like ECDH-1PU with
KEMs... Right?

https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04

OS

On Thu, Nov 24, 2022, 12:40 PM Neil Madden <neil.e.madden@gmail.com> wrote:

> Right. As others have said, if all you have is a Kyber certificate then
> you are stuck doing interactive authentication (as far as we know). If you
> care about non-interactive authentication then getting into a situation
> where all you have is an non-auth KEM certificate would be a bad idea.
>
> (If you were going to do what I suggested then the public keys for the KEM
> and signature scheme should be combined and thus you’d have a single cert
> for the combined algorithm rather than separate certs).
>
> — Neil
>
> On 24 Nov 2022, at 18:31, Mike Ounsworth <Mike.Ounsworth@entrust.com>
> wrote:
>
> 
>
> John Mattsson said:
>
>
>
> > I think that is a good idea. But I think the construction should
> probably be:
>
>
>
>    - Add the recipient identity to the message.
>    - Sign the message with Dilithium
>    - Encrypt [recipient ID, message, signature] with HPKE-Kyber
>
>
>
> > That is probably a good solution for CMPv3
>
>
>
> I disagree.
>
>
>
> Take for example a Kyber certificate trying to authorize/authenticate a
> request to the CA for its own revocation, key update, or cert renewal. All
> you have is a KEM certificate; where do you get a Dilithium key from?
>
> Of course you could create an ephemeral Dilithium key, but a signature
> from an ephemeral key is fairly useless.
>
>
>
> Some PKIs will always issue pairs of KEM / Signature certificates, but you
> don’t get to assume this in general when designing the certificate
> management protocol  – this will be especially true if TLS AuthKEM takes
> off and demand for KEM authentication certificates skyrockets. Plus, if
> you’re using CertA to authorize management operations for CertB, then you
> have to strongly establish co-ownership of the two certs, which may be
> possible in some PKIs (for example if the CA has a consistent DN structure
> that strongly identifies both certs as belonging to the same entity /
> device / hardware key storage container, whatever the PKI administrator has
> deemed to be the definition of “co-ownership” for that environment), but
> requiring PKIs to be able to determine co-ownership of certificates would
> be a departure from current requirements of the CMP protocol where
> mechanisms exist for all cert types to self-administer.
>
>
>
> ---
>
> *Mike* Ounsworth
>
>
>
> *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of *John Mattsson
> *Sent:* November 24, 2022 12:01 PM
> *To:* Neil Madden <neil.e.madden@gmail.com>; Ilari Liusvaara <
> ilariliusvaara@welho.com>
> *Cc:* cfrg@irtf.org
> *Subject:* [EXTERNAL] Re: [CFRG] How will Kyber be added to HPKE (9180)?
>
>
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the
> content is safe.
> ------------------------------
>
> Nail wrote:
> >Isn't there a straightforward generic construction of an >AKEM from a
> normal KEM plus a (PQ) signature scheme >that could be used here? i.e.,
> run the KEM and then sign >the encapsulated key? Obviously this would
> produce quite >large encapsulations, and a "key-pair" for such an AKEM >would
> then be two key-pairs encoded into one (with a >covering self-signature
> to prevent tampering). In principle >this seems doable?
>
>
>
> I think that is a good idea. But I think the construction should probably
> be:
>
>
>
>    - Add the recipient identity to the message.
>    - Sign the message with Dilithium
>    - Encrypt [recipient ID, message, signature] with HPKE-Kyber
>
>
>
> That is probably a good solution for CMPv3
>
>
>
> Cheers,
>
> John
>
>
>
> *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Neil Madden <
> neil.e.madden@gmail.com>
> *Date: *Thursday, 24 November 2022 at 17:00
> *To: *Ilari Liusvaara <ilariliusvaara@welho.com>
> *Cc: *cfrg@irtf.org <cfrg@irtf.org>
> *Subject: *Re: [CFRG] How will Kyber be added to HPKE (9180)?
>
>
>
> On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
>
>
>
> On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:
>
> Hi CFRG!
>
> Background: we are working to add KEM support to Certificate
> Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
> will eventually be 4210bis). We are planning to accomplish this by
> supporting HPKE (RFC 9180) as a new message protection mechanism in
> CMPv3 and hoping that we can inherit Kyber more-or-less for free once
> HPKE supports it.
>
> Question "how": How will Kyber be added to HPKE? I assume there will
> be an equivalent to section 4.1 that defines KyberKEM with its own
> Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
> AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1),
> but making use of Kyber internally? The Kyber2018 paper [1] figure 3
> defines an authenticated Kyber exchange that looks like it should
> easily fit into the existing HPKE APIs. In other words, will
> supporting 9180 now with abstractions around those 4 functions allow
> for easy drop-in of Kyber later?
>
>
> Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth*
> interfaces is optional is to allow for KEMs that do not allow non-
> interactive authentication, like the post-quantum ones.
>
> In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
> is CSIDH (not to be confused with totally broken SIDH/SIKE), and
> security of that in both classical and quantum settings is subject to
> debate.
>
>
>
> Isn't there a straightforward generic construction of an AKEM from a
> normal KEM plus a (PQ) signature scheme that could be used here? i.e., run
> the KEM and then sign the encapsulated key? Obviously this would produce
> quite large encapsulations, and a "key-pair" for such an AKEM would then be
> two key-pairs encoded into one (with a covering self-signature to prevent
> tampering). In principle this seems doable?
>
>
>
> -- Neil
> *Any email and files/attachments transmitted with it are confidential and
> are intended solely for the use of the individual or entity to whom they
> are addressed. If this message has been sent to you in error, you must not
> copy, distribute or disclose of the information it contains. Please notify
> Entrust immediately and delete the message from your system.*
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>

v2.23.0 | Report a Bug | By Email