Re: [CFRG] How will Kyber be added to HPKE (9180)?
Orie Steele <orie@transmute.industries> Thu, 24 November 2022 19:03 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF30FC14CE57 for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:03:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tlZ1ymrInZq for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5864DC14CE4D for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id s5so3589665edc.12 for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:03:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=C3tF+rRNmiwUxYBbjdBDz6JFQQqheZ51GfOZlKCOb+s=; b=eLz2IhrMVB02qEkRGaXaTcohL4u43ArGOp4QEl8l/x678uy2Jk7A6QIIWX0Zx8CpbZ I/xgk7t9aQclO9RDzwEMX1NPoYKvqQqTm6YVSQ5g91n5uCceOsoxj+GmGoY+j/ScMa8k D38oI3Jp/mlAuqMRJnS9hDMzMEr+nQFNGhhvFN+UuYIsNxMnnwAkGdkXT9SWVoX/GG4j UazW+uA1tRDUWcDlbnmYxBJI62Rfb7rvpUYmK51QpL/HATvRf3Nw2gXRCVdkVtIvKucB PK8pvTa/ydVCy3tm887i0KbQPlX2ZuOO0dyO4OM7SR9b2GkjXzisb5igD2ir0hGO3a8d jIHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=C3tF+rRNmiwUxYBbjdBDz6JFQQqheZ51GfOZlKCOb+s=; b=DDDLoDAcmZru/uaPuaw7/InBMXtCm8rK0gZ8xeVqYhEG+ZW/BVmSyODhBAnHc5rgMy Om3uqID8r1ClME3yaM76ZRiB0Ws+0cMP3zceMP4byWMgEJa6pCo9G15i9mugHqLV85yl b+dgdeF46vXW1FBzDv6R6fGDPrUGTfoP33el1cCulrtzpAdntoTqJ7nuTzVsE2V4K/If 3VkE3RNGt5scVu1oeLN1HnPK8P/FbSROG1xFYCRu1TvFb7/3R3yWyEyikP4RD6rliA+v 4MZw0Y90tB1wVJ08w2SoLqSJEnMAXywE8hxX3TSG3XGgt+c+m425Tqtjqqe2+jMS8KOT 6ErA==
X-Gm-Message-State: ANoB5pm1lDb1uQonhZUqa3V+sHeqLS4ROBt0GtU/c/fQ/Pac+CVWfFVd +8Wx4HnYqdSZoZLZKNe2LrtIFb2cmrEmke+M8+bQWg==
X-Google-Smtp-Source: AA0mqf7WO6VYEmtwHFUNDIMwYwA7/NVvPKVa5Jjr2nUc1ioGXpKrNICL3gyldUq1JRLFzuTgbd5I0Vv8I542AcfhDQs=
X-Received: by 2002:aa7:c6da:0:b0:469:172:1f38 with SMTP id b26-20020aa7c6da000000b0046901721f38mr29152369eds.195.1669316596634; Thu, 24 Nov 2022 11:03:16 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB57397983E338A31423A792499F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <DFD28D47-6007-4536-9DF8-61CAE03E0BE9@gmail.com>
In-Reply-To: <DFD28D47-6007-4536-9DF8-61CAE03E0BE9@gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Thu, 24 Nov 2022 13:03:06 -0600
Message-ID: <CAN8C-_KwT8M6-8_xA5mCCHrDWja3s1tH-RQjGz5eskYhNaa63w@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Cc: Mike Ounsworth <Mike.Ounsworth@entrust.com>, CFRG <cfrg@irtf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c2b07905ee3c0e84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/E9anoH0XIPOED1LnqM11XsOTxo4>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 19:03:23 -0000
I think I'm hearing there is no way to build something like ECDH-1PU with KEMs... Right? https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04 OS On Thu, Nov 24, 2022, 12:40 PM Neil Madden <neil.e.madden@gmail.com> wrote: > Right. As others have said, if all you have is a Kyber certificate then > you are stuck doing interactive authentication (as far as we know). If you > care about non-interactive authentication then getting into a situation > where all you have is an non-auth KEM certificate would be a bad idea. > > (If you were going to do what I suggested then the public keys for the KEM > and signature scheme should be combined and thus you’d have a single cert > for the combined algorithm rather than separate certs). > > — Neil > > On 24 Nov 2022, at 18:31, Mike Ounsworth <Mike.Ounsworth@entrust.com> > wrote: > > > > John Mattsson said: > > > > > I think that is a good idea. But I think the construction should > probably be: > > > > - Add the recipient identity to the message. > - Sign the message with Dilithium > - Encrypt [recipient ID, message, signature] with HPKE-Kyber > > > > > That is probably a good solution for CMPv3 > > > > I disagree. > > > > Take for example a Kyber certificate trying to authorize/authenticate a > request to the CA for its own revocation, key update, or cert renewal. All > you have is a KEM certificate; where do you get a Dilithium key from? > > Of course you could create an ephemeral Dilithium key, but a signature > from an ephemeral key is fairly useless. > > > > Some PKIs will always issue pairs of KEM / Signature certificates, but you > don’t get to assume this in general when designing the certificate > management protocol – this will be especially true if TLS AuthKEM takes > off and demand for KEM authentication certificates skyrockets. Plus, if > you’re using CertA to authorize management operations for CertB, then you > have to strongly establish co-ownership of the two certs, which may be > possible in some PKIs (for example if the CA has a consistent DN structure > that strongly identifies both certs as belonging to the same entity / > device / hardware key storage container, whatever the PKI administrator has > deemed to be the definition of “co-ownership” for that environment), but > requiring PKIs to be able to determine co-ownership of certificates would > be a departure from current requirements of the CMP protocol where > mechanisms exist for all cert types to self-administer. > > > > --- > > *Mike* Ounsworth > > > > *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of *John Mattsson > *Sent:* November 24, 2022 12:01 PM > *To:* Neil Madden <neil.e.madden@gmail.com>; Ilari Liusvaara < > ilariliusvaara@welho.com> > *Cc:* cfrg@irtf.org > *Subject:* [EXTERNAL] Re: [CFRG] How will Kyber be added to HPKE (9180)? > > > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > ------------------------------ > > Nail wrote: > >Isn't there a straightforward generic construction of an >AKEM from a > normal KEM plus a (PQ) signature scheme >that could be used here? i.e., > run the KEM and then sign >the encapsulated key? Obviously this would > produce quite >large encapsulations, and a "key-pair" for such an AKEM >would > then be two key-pairs encoded into one (with a >covering self-signature > to prevent tampering). In principle >this seems doable? > > > > I think that is a good idea. But I think the construction should probably > be: > > > > - Add the recipient identity to the message. > - Sign the message with Dilithium > - Encrypt [recipient ID, message, signature] with HPKE-Kyber > > > > That is probably a good solution for CMPv3 > > > > Cheers, > > John > > > > *From: *CFRG <cfrg-bounces@irtf.org> on behalf of Neil Madden < > neil.e.madden@gmail.com> > *Date: *Thursday, 24 November 2022 at 17:00 > *To: *Ilari Liusvaara <ilariliusvaara@welho.com> > *Cc: *cfrg@irtf.org <cfrg@irtf.org> > *Subject: *Re: [CFRG] How will Kyber be added to HPKE (9180)? > > > > On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > > On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote: > > Hi CFRG! > > Background: we are working to add KEM support to Certificate > Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which > will eventually be 4210bis). We are planning to accomplish this by > supporting HPKE (RFC 9180) as a new message protection mechanism in > CMPv3 and hoping that we can inherit Kyber more-or-less for free once > HPKE supports it. > > Question "how": How will Kyber be added to HPKE? I assume there will > be an equivalent to section 4.1 that defines KyberKEM with its own > Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and > AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1), > but making use of Kyber internally? The Kyber2018 paper [1] figure 3 > defines an authenticated Kyber exchange that looks like it should > easily fit into the existing HPKE APIs. In other words, will > supporting 9180 now with abstractions around those 4 functions allow > for easy drop-in of Kyber later? > > > Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth* > interfaces is optional is to allow for KEMs that do not allow non- > interactive authentication, like the post-quantum ones. > > In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap > is CSIDH (not to be confused with totally broken SIDH/SIKE), and > security of that in both classical and quantum settings is subject to > debate. > > > > Isn't there a straightforward generic construction of an AKEM from a > normal KEM plus a (PQ) signature scheme that could be used here? i.e., run > the KEM and then sign the encapsulated key? Obviously this would produce > quite large encapsulations, and a "key-pair" for such an AKEM would then be > two key-pairs encoded into one (with a covering self-signature to prevent > tampering). In principle this seems doable? > > > > -- Neil > *Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system.* > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Karthik Bhargavan
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… John Mattsson
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? John Mattsson
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Kampanakis, Panos
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Richard Barnes
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Bas Westerbaan
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Thom Wiggers