IETF Logo Mail Archive

Re: [CFRG] How will Kyber be added to HPKE (9180)?

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 25 November 2022 18:17 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9D8BC14F6E7 for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 10:17:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoea4xtuCcvt for <cfrg@ietfa.amsl.com>; Fri, 25 Nov 2022 10:16:56 -0800 (PST)
Received: from welho-filter2.welho.com (welho-filter2b.welho.com [83.102.41.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55E77C14F6EB for <cfrg@irtf.org>; Fri, 25 Nov 2022 10:16:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 010E6C3F74 for <cfrg@irtf.org>; Fri, 25 Nov 2022 20:16:53 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id jTIWWhd77H8V for <cfrg@irtf.org>; Fri, 25 Nov 2022 20:16:52 +0200 (EET)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id CAF87292 for <cfrg@irtf.org>; Fri, 25 Nov 2022 20:16:51 +0200 (EET)
Date: Fri, 25 Nov 2022 20:16:51 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <Y4EGk8pNIzMmAmdz@LK-Perkele-VII2.locald>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com> <CH0PR11MB5739444E17F33F29F6CB71689F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <CA+_8ft5SxUjEMuWXACd_yF6H5DUwBYFA=VeGXeOzSFhdNw_NvQ@mail.gmail.com> <CH0PR11MB57396EC3AC2E028CC187E44A9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <0a5ff423dc904171bcfdfc8423edf3ee@amazon.com> <CH0PR11MB5739E0AB4BA9F60D43B8653E9F0E9@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CH0PR11MB5739E0AB4BA9F60D43B8653E9F0E9@CH0PR11MB5739.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/G2tKHez7rOCvIUBMlTcKSX24Qas>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 18:17:01 -0000

On Fri, Nov 25, 2022 at 05:47:19PM +0000, Mike Ounsworth wrote:
> Hey Panos,
> 
> Yes, CMP does those. Those cases are fairly straight-forward to port to KEMs.
> 
> Here we’re considering, for example, when a client (aka a certificate
> holder) sends a request to request, renew, or update the key in its
> certificate. Those requests are authenticated with the certificate in
> question.
> 
> rfc4210#section-5.1.3 describes three message integrity protection
> modes:
> 
> - PasswordBasedMac
> - DHBasedMac
> - Signature
> 
> I believe if you have an RSA key marked with keyUsage:keyEncipherment
> then you just cheat and sign with it anyway.
> 
> The answer seems to be that to do a KyberBasedMac, we need an extra
> round trip (possible separate HPKEs in each direction?). That would
> add an extra round-trip compared to the three message integrity
> mechanisms above, but since revocation / renewal are infrequent
> operations, probably that’s fine?

Maybe this is too naive, but...

Have CA send handle and encrypted MAC key. Then subscriber can send the
message together with the handle and MAC using the key sent by the CA.

A possible issue for using HPKE for the first message is that HPKE might
not have any KEM suitable for the key in certificate (e.g., key is
Kyber512, but HPKE does not have non-composite Kyber512 KEM).


With regards to number of round-trips, I do not think any even remotely
reasonable number of round-trips has any significant impact on latency,
especially given this is asynchronous operation.



-Ilari

v2.23.0 | Report a Bug | By Email