Re: [CFRG] [EXTERNAL] Re: Streamlined NTRU Prime: sntrup761

Mike Ounsworth <Mike.Ounsworth@entrust.com> Fri, 12 May 2023 13:44 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Orie Steele <orie@transmute.industries>, Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [EXTERNAL] Re: [CFRG] Streamlined NTRU Prime: sntrup761
Thread-Index: AQHZhMx4vM5py6eOwkOEF19VeMClt69Wn0OA
Date: Fri, 12 May 2023 13:44:11 +0000
Message-ID: <CH0PR11MB57396AE5BFC2FA681425A7BC9F759@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <871qjm4ikm.fsf@kaka.sjd.se> <CAN8C-_LmurEBGA-e6YjNd2W0f+1gajqoSAq-F-fHOugbJO0xBg@mail.gmail.com>
In-Reply-To: <CAN8C-_LmurEBGA-e6YjNd2W0f+1gajqoSAq-F-fHOugbJO0xBg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Fwk8ZngowmpWF_xP11yil5bZ2V8>

Thanks for pointing this out Orie.

First, I’ve added these two drafts to the PQUIP list (well, it’s in a PR until @Paul Hoffman<mailto:paul.hoffman@icann.org> approves it).
https://github.com/ietf-wg-pquip/state-of-protocols-and-pqc


At first glance, this DOES NOT appear to be aligned with draft-ounsworth-cfrg-kem-combiners/.

First, your security considerations are not nearly long enough considering that taking two IND-CCA2 KEMs and preserving that property through a KEM combiner is not a straightforward topic (or one that even has consensus in the literature).

Second, you are proposing as the combiner: SHA512(K1||K2) – I assume that means SHA2-512?
I see two problems: 1) This will not be FIPS-certifiable under NIST SP 800-56Cr2, 2) it’s not clear that SHA2 behaves as a dual-PRF in the way you need for this construction to preserve IND-CCA2.


In draft-ounsworth-cfrg-kem-combiners, we are currently proposing the combiner (though this will probably get adjusted in the next rev)

KDF(counter || k_1 || ... || k_n || fixedInfo, outputBits)

where k_i = H(ss_i || ct_i)

and we’re only allowing SHA3 / KMAC for KDF and H because it’s more straightforward to argue that these behave as multi-PRFs (I think; Aron, Stavros, or Falko may correct me).

If you’re proposing the much weaker combiner SHA512(K1||K2), then I expect a lengthy security consideration explaining why the reduction in security is safe in your context.

Simon, I’d be happy to chat offline via email or phone call.

---
Mike Ounsworth
Software Security Architect, Entrust
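The two combiners contrasted in the message above, as an added example (not code from the message or from either draft): the SHA2-512 hash of the bare shared secrets beside the draft-ounsworth construction that first binds each shared secret to its ciphertext. Instantiating H with SHA3-256, KDF with SHAKE256 and encoding counter as 4 big-endian bytes are assumptions made here.

```python
import hashlib
from typing import Sequence, Tuple

# Added example, not code from either draft or from the thread. It implements
# the two combiners contrasted in the message so their behaviour can be
# compared on constructed inputs. Assumptions not fixed by the message:
# H = SHA3-256, KDF = SHAKE256, counter encoded as a 4-byte big-endian integer.


def naive_combiner(k1: bytes, k2: bytes) -> bytes:
    """SHA2-512(K1 || K2): hashes the two shared secrets and nothing else."""
    return hashlib.sha512(k1 + k2).digest()


def kem_combiner(pairs: Sequence[Tuple[bytes, bytes]], fixed_info: bytes,
                 output_bits: int, counter: int = 1) -> bytes:
    """KDF(counter || k_1 || ... || k_n || fixedInfo, outputBits) with
    k_i = H(ss_i || ct_i): every shared secret is bound to its own ciphertext."""
    if output_bits % 8:
        raise ValueError("outputBits must be a multiple of 8")
    ks = b"".join(hashlib.sha3_256(ss + ct).digest() for ss, ct in pairs)
    data = counter.to_bytes(4, "big") + ks + fixed_info
    return hashlib.shake_256(data).digest(output_bits // 8)


def ciphertext_binding_demo() -> dict:
    """Constructed sample values: identical shared secrets, one ciphertext
    altered, one different fixedInfo. Reports what each combiner reacts to."""
    ss1, ss2 = b"\x11" * 32, b"\x22" * 32          # constructed shared secrets
    ct1, ct2 = b"ct-kem-1", b"ct-kem-2"              # constructed ciphertexts
    ct1_alt = b"ct-kem-1-altered"                    # same ss1, different ct
    info = b"kem-combiner-example-context"           # constructed fixedInfo

    # The naive combiner never sees a ciphertext, so a changed ct cannot
    # influence the derived key; it depends on (K1, K2) alone.
    naive_same = naive_combiner(ss1, ss2) == naive_combiner(ss1, ss2)

    bound = kem_combiner([(ss1, ct1), (ss2, ct2)], info, 256)
    bound_alt_ct = kem_combiner([(ss1, ct1_alt), (ss2, ct2)], info, 256)
    bound_other_ctx = kem_combiner([(ss1, ct1), (ss2, ct2)], b"other-ctx", 256)
    return {
        "naive_deterministic": naive_same,
        "ct_change_changes_key": bound != bound_alt_ct,
        "fixed_info_separates_contexts": bound != bound_other_ctx,
        "key_len_bytes": len(bound),
    }
```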

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Orie Steele
Sent: Friday, May 12, 2023 7:22 AM
To: Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org>
Cc: cfrg@ietf.org
Subject: [EXTERNAL] Re: [CFRG] Streamlined NTRU Prime: sntrup761

Is the hybrid approach taken in line with the KEM combiners work? If not, is there a reason that would be interesting to discuss?

https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/

The draft mentioned sntru has been widely implemented, can you comment on the adoption timeline?

It is good to see the test driver.

OS

On Thu, May 11, 2023, 5:20 PM Simon Josefsson <simon=40josefsson.org@dmarc.ietf.org> wrote:
Hi

I have published the following documents:

https://datatracker.ietf.org/doc/html/draft-josefsson-ntruprime-streamlined-00
https://datatracker.ietf.org/doc/html/draft-josefsson-ntruprime-hybrid-00

What do you think?

If you want to contribute to the documents, they are maintained on
GitLab: https://gitlab.com/jas/ietf-ntruprime

/Simon