IETF Logo Mail Archive

Re: [CFRG] How will Kyber be added to HPKE (9180)?

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 24 November 2022 15:36 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89AFC14F734 for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZN9tY4FZ69K for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:36:54 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50582C14F72F for <cfrg@irtf.org>; Thu, 24 Nov 2022 07:36:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 666002283C for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:50 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 9nZOJVN2UO1h for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:50 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 3A07F28A for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:49 +0200 (EET)
Date: Thu, 24 Nov 2022 17:36:48 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EZckc2WJGkCUzHK3mJORCIyGw4w>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 15:36:56 -0000

On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:
> Hi CFRG!
> 
> Background: we are working to add KEM support to Certificate
> Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
> will eventually be 4210bis). We are planning to accomplish this by
> supporting HPKE (RFC 9180) as a new message protection mechanism in
> CMPv3 and hoping that we can inherit Kyber more-or-less for free once
> HPKE supports it.
> 
> Question "how": How will Kyber be added to HPKE? I assume there will
> be an equivalent to section 4.1 that defines KyberKEM with its own
> Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
> AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1),
> but making use of Kyber internally? The Kyber2018 paper [1] figure 3
> defines an authenticated Kyber exchange that looks like it should
> easily fit into the existing HPKE APIs. In other words, will
> supporting 9180 now with abstractions around those 4 functions allow
> for easy drop-in of Kyber later?

Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth*
interfaces is optional is to allow for KEMs that do not allow non-
interactive authentication, like the post-quantum ones.

In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
is CSIDH (not to be confused with totally broken SIDH/SIKE), and
security of that in both classical and quantum settings is subject to
debate.

I guess whatever authentication referenced in that paper is interactive
authentication, which is not possible to use in HPKE.


> Question "when": is there already a draft in the pipeline for
> adoption? When do you expect RFC publication? Presumably not before
> NIST final Kyber spec?

AFAIK, there is no draft yet.

However, the relevant registry is "specification required", not
"rfc required", so publication of RFC is not a precondition. And
while I do not know about HPKE, I think at least some registeries
interpret that I-D is sufficiently stable documentation to clear the
bar (and such interpretation is not unjustified).

And technically it would be possible to reference the pre-standard
Kyber version 3.02 (sic) to get some codepoints registered, even if
those codepoints will probably be incompatible with the eventual
final Kyber standard.



-Ilari

v2.23.0 | Report a Bug | By Email