Re: [CFRG] How will Kyber be added to HPKE (9180)?
Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 24 November 2022 15:36 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89AFC14F734 for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:36:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZN9tY4FZ69K for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 07:36:54 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1b.welho.com [83.102.41.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50582C14F72F for <cfrg@irtf.org>; Thu, 24 Nov 2022 07:36:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 666002283C for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:50 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 9nZOJVN2UO1h for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:50 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 3A07F28A for <cfrg@irtf.org>; Thu, 24 Nov 2022 17:36:49 +0200 (EET)
Date: Thu, 24 Nov 2022 17:36:48 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/EZckc2WJGkCUzHK3mJORCIyGw4w>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 15:36:56 -0000
On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote: > Hi CFRG! > > Background: we are working to add KEM support to Certificate > Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which > will eventually be 4210bis). We are planning to accomplish this by > supporting HPKE (RFC 9180) as a new message protection mechanism in > CMPv3 and hoping that we can inherit Kyber more-or-less for free once > HPKE supports it. > > Question "how": How will Kyber be added to HPKE? I assume there will > be an equivalent to section 4.1 that defines KyberKEM with its own > Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and > AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1), > but making use of Kyber internally? The Kyber2018 paper [1] figure 3 > defines an authenticated Kyber exchange that looks like it should > easily fit into the existing HPKE APIs. In other words, will > supporting 9180 now with abstractions around those 4 functions allow > for easy drop-in of Kyber later? Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth* interfaces is optional is to allow for KEMs that do not allow non- interactive authentication, like the post-quantum ones. In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap is CSIDH (not to be confused with totally broken SIDH/SIKE), and security of that in both classical and quantum settings is subject to debate. I guess whatever authentication referenced in that paper is interactive authentication, which is not possible to use in HPKE. > Question "when": is there already a draft in the pipeline for > adoption? When do you expect RFC publication? Presumably not before > NIST final Kyber spec? AFAIK, there is no draft yet. However, the relevant registry is "specification required", not "rfc required", so publication of RFC is not a precondition. And while I do not know about HPKE, I think at least some registeries interpret that I-D is sufficiently stable documentation to clear the bar (and such interpretation is not unjustified). And technically it would be possible to reference the pre-standard Kyber version 3.02 (sic) to get some codepoints registered, even if those codepoints will probably be incompatible with the eventual final Kyber standard. -Ilari
- [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Karthik Bhargavan
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… John Mattsson
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? John Mattsson
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Kampanakis, Panos
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Richard Barnes
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Bas Westerbaan
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Thom Wiggers