Re: [CFRG] Call for adoption: Hybrid KEM Combiners
"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Mon, 19 February 2024 08:47 UTC
Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9621BC14F6A8 for <cfrg@ietfa.amsl.com>; Mon, 19 Feb 2024 00:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="hL6G2q85"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="CwVctC+q"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-kJ_8_U-r73 for <cfrg@ietfa.amsl.com>; Mon, 19 Feb 2024 00:47:14 -0800 (PST)
Received: from m4-bn.bund.de (m4-bn.bund.de [77.87.228.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42017C14F6A6 for <cfrg@irtf.org>; Mon, 19 Feb 2024 00:47:13 -0800 (PST)
Received: from m4-bn.bund.de (localhost [127.0.0.1]) by m4-bn.bund.de (Postfix) with ESMTP id BB5AC280E16; Mon, 19 Feb 2024 09:47:10 +0100 (CET)
Received: (from localhost) by m4-bn.bund.de (MSCAN) id 4/m4-bn.bund.de/smtp-gw/mscan; Mon Feb 19 09:47:10 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1708332425; bh=67Lib6N4DAYxNCMgBpTOe7dTFJjKaK/5Z3C645JyyfI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=hL6G2q85wZ49knx7yEZ5jfoBpAOk0v1/mM5k0XID1fEMqIdAqtjKkpv3sljPvmdBt 9CdvXhPanE4Yv6pVhwkAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1708332425; bh=67Lib6N4DAYxNCMgBpTOe7dTFJjKaK/5Z3C645JyyfI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=CwVctC+qiPHkiri6pinR2hDSANQAyP9tilBJLlw+PRGhKpHiKxeY1Sjpy68/8nhzb 5yM9RMU/Eh44pFgKVlnp1F39Ej348rwaQRkIB3WzUgdkfavOpgQSEI18JN08mx+E7K azBxho0IyjSAEWSnk0XquTS8gIkxsQnZm65OKUDDep/lT2Mj9nwamasJnsTciFWvnV GwDgTP8HPo2fkyet3yOty1HHZOpwKu6b2766XfMm3Oi5qfc4enLpUc0I+nEK3Nj5A1 3XXfLJERH7D4CHj4amkCBv4+zBDH/P7qdpIh48q39aEygUMyOfSD4rLY1b3P41G2tw nIQrkvqy899Jw==
X-P350-Id: 2e98ac4a5b64c752
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>, Mike Ounsworth <Mike.Ounsworth@entrust.com>, "Aron Wussler (aron@wussler.it)" <aron@wussler.it>
Thread-Topic: [CFRG] Call for adoption: Hybrid KEM Combiners
Thread-Index: AQHzW1XSJm8s+/xla8zXj5i2m5yGqgHLPPlssNEHjFA=
Date: Mon, 19 Feb 2024 08:46:52 +0000
Message-ID: <4341fe61620343f8a4b6d43a6895ac06@bsi.bund.de>
References: <CAOjisRyCU+nhJm+x-UxEUjEPAPxH6e-Sa+TkwgYYBDcAx_a93g@mail.gmail.com> <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald>
In-Reply-To: <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A29C6E36755607360
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29B8016555607360
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JYR_uBprVVDX3B2oBrO9RPvM2Qo>
Subject: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 08:47:19 -0000
Dear Ilari, let me try and give some guidance specific to the mindset and content of draft-ounsworth-cfrg-kem-combiners. Inline, see below '[SK]: ...'. Best Stavros > -----Ursprüngliche Nachricht----- > Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com> > Gesendet: Sonntag, 18. Februar 2024 16:26 > An: cfrg@irtf.org > Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners > > On Wed, Jan 31, 2024 at 10:28:50AM -0500, Nick Sullivan wrote: > > Dear CFRG, > > > > There has been a lot of discussion on the list over the last few weeks > > around the topic of hybrid KEMs, including discussion around the topic of > > where we should go as a group. There seems to be significant interest in > > this topic from around the IETF and in broader industry. We (the chairs) > > have decided to open up a research call for adoption for a topic in this > > area, described below. > > > > The standard context for the group applies here as always: As part of the > > IRTF, the CFRG is a research group, producing research documents relevant > > to the IETF and broader community. The CFRG does *not* publish standards > > and does *not* dictate cryptographic choices to IETF working groups. CFRG > > documents often come with concrete specifications for parameterizations > > relevant to groups within the IETF. Recent examples of documents of this > > style resulting from topics adopted by the CFRG include RFC 9497 (OPRF) and > > RFC 9381 (VRF), which provide a thorough overview of the topic along with > > concrete parameterizations that can adopted by protocol designers. > > > > The CFRG has a full docket of important ongoing work, so it’s important to > > ensure that any work the CFRG adopts at this point aligns with the charter > > by offering necessary guidance (for network security in general and for the > > IETF in particular) on the use of emerging mechanisms. > > > > With that preamble done,* this email starts a three-week call for the > > adoption* of a work item within the CFRG to produce an informational > > document exploring how to safely combine KEMs. This document > > * Will use draft-ounsworth-cfrg-kem-combiners as a starting point for > > describing generic combiners > > * Will include an analysis of the non-generic combiner mechanisms for > > specific KEMs outlined in draft-connolly-cfrg-xwing-kem and other published > > works in the area > > * Will describe the security properties and trade-offs of various methods > > of combining KEMs > > * Will provide concrete instantiations of hybrid KEMs that are relevant to > > IETF protocols (potentially similar to X-Wing and Chempat-X), including > > pseudocode and test vectors > > I think CFRG work on hybrid KEMs is very much needed. However, I do not > think draft-ounsworth-cfrg-kem-combiners is a good starting point. > > Some of the major issues with that draft are: > > 1) It solves the wrong problem. The construction in that draft looks > like a multi-key KDF, not a KEM. Protocols usually integrate the KDF > rather tightly, making replacing the KDF very difficult. Whereas non- > exotic asymmetric confidentiality can usually be replaced by a fixed- > parameter KEM (exotic uses are usually pre-quantum anyway). > > (D)TLS 1.3, COSE, JOSE, CMS and HPKE are all that way. [SK]: The construction is not a KEM it is a *KEM Combiner* that is instantiated by picking a suitable one-step KDF from NIST SP 800-56Cr2. So IMHO it solves the right problem by building upon existing functions. There is no need for protocols to replace already integrated KDFs. The composite KEMs that are offered in draft-ounsworth-pq-composite-kem illustrate this. To be precise, the resulting (combined) shared secret that results from e.g. id-Kyber768-X25519-KMAC256 can be fed subsequently into your already integrated KDF. > > 2) The uses of that draft in various protocols have picked all sorts of > combinations of algorithms. Supporting that in crypto libraries is a > PITA. Much worse, the protocols use it in slightly incompatible ways, > which is just about impossible to deal with in crypto libraries. > > Considering how important crypto libraries are, this is very bad. > > 3) It labels its slots as IND-CCA2 KEM. It is not safe to just stuff > ECC into such slot. I don't think there is any widely known > IND-CCA2 KEM construction based on ECC (HPKE introduced its own one). > And using such would lead to goofy hash duplication. > > It is very bad to offer crypto tool that will just be widely misused, > even if that misuse has no practical security impact. [SK]: I would like to point out that we propose a KEM Combiner that is CCA2-secure as long as at least *ONE* ingredient KEM is CCA2-secure. We point that out at several places in the draft and give arguments in the security considerations, e.g. - Abstract: "The combiners defined here are practical split-key PRFs and are CCA-secure as long as at least one of the ingredient KEMs is." - Section 3.2. k_i construction: "Including the ciphertext guarantees that the combined kem is IND-CCA2 secure as long as one of the ingredient KEMs is, as stated by [GHP18]." - Section 6. Security Considerations: "Our construction can thus be seen as an instantiation of the IND-CCA2 preserving Example 3 in Figure 1 of [GHP18], [...]" IMHO: We propose a very robust construction. BTW: I think the widely known method of producing an ECC-based IND-CCA2 KEM is described in the 2001 paper of Cramer and Shoup, "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack". That paper is also cited in HPKE (RFC9180) and (I believe, judging based on https://www.shoup.net/papers/iso-2_1.pdf) ECIES-KEM derives from this. > > 4) Because it is generic, it needs to deal with all sorts of badly > behaving KEMs that hopefully nobody is using. This makes things > slower and more complex than needed. > > E.g., KEM that does not resist ciphertext second preimages. Or > a KEM that does not resist re-encryption. > > If version based on draft-ounsworth-cfrg-kem-combiners gets posted, it > should have major warnings not to use it for any protocol work until > published as RFC. Incompatible uses are really bad. > > > What multiple protocols actually want is a set of fixed-parameter hybrid > KEMs, constructed from ML-KEM (or sometimes other PQC KEMs) and ECC (or > sometimes RSA) And any such can be optimized for both performance and > simplicity (usually the goals do not compete). > > > > What I think CFRG needs to cover: > > a) Protocol-universal KEM combiner, accepting KEMs, ECC and RSA as > components, with no unneeded degrees of freedom. > b) Presumably based on NIST SP 800-56Cr2 (apparently some want that, > it doesn't really add complexity and haven't seen any conflicting > requests). [SK]: This is actually exactly what draft-ounsworth-cfrg-kem-combiners is doing. See e.g. - Abstract: " This document defines a comprehensible and easy to implement Keccak-based KEM combiner to join an arbitrary number of key shares, that is compatible with NIST SP 800-56Cr2 [...] - Section 3 KEM combiner construction: " In Section 4 several possible practical instantiations are listed that are in compliance with NIST SP-800 56Cr2 [...]"# > c) No unneeded complexity. If key can be elided, do so. If both key and > ciphertext can be elided, do so. [SK]: I assume you mean *public* key here. In general, you must not elide the ciphertext. This is what Giacon et al "KEM combiners" tells us. > d) Number of recommended pre-made instantiations for real-world use, > complete with test vectors. The rest is NOT RECOMMENDED for use. [SK]: Actually this is on our Todo-list for draft-ounsworth-cfrg-kem-combiners. > e) How to use ML-KEM as a component (simpler/faster than generic). > f) (Possibly how to use NTRU prime as component). > g) How to use ECDH as component (it is not a KEM). > h) How to use X25519/X448 as component (ditto). > i) How to use RSA as component (yes, apparently some do want RSA) > j) How to use generic KEM as component. > k) Description of security properties of all previous (sometimes those > seem to get a bit funky...) > > Details for each algorithm class (except generic KEMs) need to be > worked out anyway for the recommended instantiations. > > The actual instatiations will presumably look something like what is > in this PR: > > https://github.com/lamps-wg/draft-composite-kem/pull/11 > > (I think ciphertext is needed for RSA, even if IND-CCA2 proof would go > through without...) > > > > > -Ilari
- [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Aritra Banerjee (Nokia)
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Stephen Farrell
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Dan Brown
- Re: [CFRG] [EXTERNAL] Call for adoption: Hybrid K… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Call for adoption: Hybrid K… Ira McDonald
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Russ Housley
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners D. J. Bernstein
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Santosh Chokhani
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Orie Steele
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Chris Barber
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Deirdre Connolly
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Aron Wussler
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Aron Wussler
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Flo D
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Bas Westerbaan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kris Kwiatkowski
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Ilari Liusvaara
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Ilari Liusvaara
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Watson Ladd
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Peter Gutmann
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Watson Ladd
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Peter Gutmann
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan