IETF Logo Mail Archive

Re: [CFRG] Call for adoption: Hybrid KEM Combiners

"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Mon, 19 February 2024 08:47 UTC

Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9621BC14F6A8 for <cfrg@ietfa.amsl.com>; Mon, 19 Feb 2024 00:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.003
X-Spam-Level:
X-Spam-Status: No, score=-2.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="hL6G2q85"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="CwVctC+q"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W-kJ_8_U-r73 for <cfrg@ietfa.amsl.com>; Mon, 19 Feb 2024 00:47:14 -0800 (PST)
Received: from m4-bn.bund.de (m4-bn.bund.de [77.87.228.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42017C14F6A6 for <cfrg@irtf.org>; Mon, 19 Feb 2024 00:47:13 -0800 (PST)
Received: from m4-bn.bund.de (localhost [127.0.0.1]) by m4-bn.bund.de (Postfix) with ESMTP id BB5AC280E16; Mon, 19 Feb 2024 09:47:10 +0100 (CET)
Received: (from localhost) by m4-bn.bund.de (MSCAN) id 4/m4-bn.bund.de/smtp-gw/mscan; Mon Feb 19 09:47:10 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1708332425; bh=67Lib6N4DAYxNCMgBpTOe7dTFJjKaK/5Z3C645JyyfI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=hL6G2q85wZ49knx7yEZ5jfoBpAOk0v1/mM5k0XID1fEMqIdAqtjKkpv3sljPvmdBt 9CdvXhPanE4Yv6pVhwkAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1708332425; bh=67Lib6N4DAYxNCMgBpTOe7dTFJjKaK/5Z3C645JyyfI=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=CwVctC+qiPHkiri6pinR2hDSANQAyP9tilBJLlw+PRGhKpHiKxeY1Sjpy68/8nhzb 5yM9RMU/Eh44pFgKVlnp1F39Ej348rwaQRkIB3WzUgdkfavOpgQSEI18JN08mx+E7K azBxho0IyjSAEWSnk0XquTS8gIkxsQnZm65OKUDDep/lT2Mj9nwamasJnsTciFWvnV GwDgTP8HPo2fkyet3yOty1HHZOpwKu6b2766XfMm3Oi5qfc4enLpUc0I+nEK3Nj5A1 3XXfLJERH7D4CHj4amkCBv4+zBDH/P7qdpIh48q39aEygUMyOfSD4rLY1b3P41G2tw nIQrkvqy899Jw==
X-P350-Id: 2e98ac4a5b64c752
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>, Mike Ounsworth <Mike.Ounsworth@entrust.com>, "Aron Wussler (aron@wussler.it)" <aron@wussler.it>
Thread-Topic: [CFRG] Call for adoption: Hybrid KEM Combiners
Thread-Index: AQHzW1XSJm8s+/xla8zXj5i2m5yGqgHLPPlssNEHjFA=
Date: Mon, 19 Feb 2024 08:46:52 +0000
Message-ID: <4341fe61620343f8a4b6d43a6895ac06@bsi.bund.de>
References: <CAOjisRyCU+nhJm+x-UxEUjEPAPxH6e-Sa+TkwgYYBDcAx_a93g@mail.gmail.com> <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald>
In-Reply-To: <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A29C6E36755607360
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29B8016555607360
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JYR_uBprVVDX3B2oBrO9RPvM2Qo>
Subject: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Feb 2024 08:47:19 -0000

Dear Ilari,

let me try and give some guidance specific to the mindset and content of draft-ounsworth-cfrg-kem-combiners.

Inline, see below '[SK]: ...'.

Best
Stavros

> -----Ursprüngliche Nachricht-----
> Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
> Gesendet: Sonntag, 18. Februar 2024 16:26
> An: cfrg@irtf.org
> Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
> 
> On Wed, Jan 31, 2024 at 10:28:50AM -0500, Nick Sullivan wrote:
> > Dear CFRG,
> >
> > There has been a lot of discussion on the list over the last few weeks
> > around the topic of hybrid KEMs, including discussion around the topic of
> > where we should go as a group. There seems to be significant interest in
> > this topic from around the IETF and in broader industry. We (the chairs)
> > have decided to open up a research call for adoption for a topic in this
> > area, described below.
> >
> > The standard context for the group applies here as always: As part of the
> > IRTF, the CFRG is a research group, producing research documents relevant
> > to the IETF and broader community. The CFRG does *not* publish standards
> > and does *not* dictate cryptographic choices to IETF working groups. CFRG
> > documents often come with concrete specifications for parameterizations
> > relevant to groups within the IETF. Recent examples of documents of this
> > style resulting from topics adopted by the CFRG include RFC 9497 (OPRF) and
> > RFC 9381 (VRF), which provide a thorough overview of the topic along with
> > concrete parameterizations that can adopted by protocol designers.
> >
> > The CFRG has a full docket of important ongoing work, so it’s important to
> > ensure that any work the CFRG adopts at this point aligns with the charter
> > by offering necessary guidance (for network security in general and for the
> > IETF in particular) on the use of emerging mechanisms.
> >
> > With that preamble done,* this email starts a three-week call for the
> > adoption* of a work item within the CFRG to produce an informational
> > document exploring how to safely combine KEMs. This document
> > * Will use draft-ounsworth-cfrg-kem-combiners as a starting point for
> > describing generic combiners
> > * Will include an analysis of the non-generic combiner mechanisms for
> > specific KEMs outlined in draft-connolly-cfrg-xwing-kem and other published
> > works in the area
> > * Will describe the security properties and trade-offs of various methods
> > of combining KEMs
> > * Will provide concrete instantiations of hybrid KEMs that are relevant to
> > IETF protocols (potentially similar to X-Wing and Chempat-X), including
> > pseudocode and test vectors
> 
> I think CFRG work on hybrid KEMs is very much needed. However, I do not
> think draft-ounsworth-cfrg-kem-combiners is a good starting point.
> 
> Some of the major issues with that draft are:
> 
> 1) It solves the wrong problem. The construction in that draft looks
>    like a multi-key KDF, not a KEM. Protocols usually integrate the KDF
>    rather tightly, making replacing the KDF very difficult. Whereas non-
>    exotic asymmetric confidentiality can usually be replaced by a fixed-
>    parameter KEM (exotic uses are usually pre-quantum anyway).
> 
>    (D)TLS 1.3, COSE, JOSE, CMS and HPKE are all that way.

[SK]: The construction is not a KEM it is a *KEM Combiner* that is instantiated by picking a suitable one-step KDF from NIST SP 800-56Cr2. So IMHO it solves the right problem by building upon existing functions. There is no need for protocols to replace already integrated KDFs. The composite KEMs that are offered in draft-ounsworth-pq-composite-kem illustrate this. To be precise, the resulting (combined) shared secret that results from e.g. id-Kyber768-X25519-KMAC256 can be fed subsequently into your already integrated KDF.

> 
> 2) The uses of that draft in various protocols have picked all sorts of
>    combinations of algorithms. Supporting that in crypto libraries is a
>    PITA. Much worse, the protocols use it in slightly incompatible ways,
>    which is just about impossible to deal with in crypto libraries.
> 
>    Considering how important crypto libraries are, this is very bad.
> 
> 3) It labels its slots as IND-CCA2 KEM. It is not safe to just stuff
>    ECC into such slot. I don't think there is any widely known
>    IND-CCA2 KEM construction based on ECC (HPKE introduced its own one).
>    And using such would lead to goofy hash duplication.
> 
>    It is very bad to offer crypto tool that will just be widely misused,
>    even if that misuse has no practical security impact.

[SK]: I would like to point out that we propose a KEM Combiner that is CCA2-secure as long as at least *ONE* ingredient KEM is CCA2-secure. We point that out at several places in the draft and give arguments in the security considerations, e.g.

- Abstract: "The combiners defined here are practical split-key PRFs and are CCA-secure as long as at least one of the ingredient KEMs is."
- Section 3.2. k_i construction: "Including the ciphertext guarantees that the combined kem is IND-CCA2 secure as long as one of the ingredient KEMs is, as stated by [GHP18]."
- Section 6. Security Considerations: "Our construction can thus be seen as an instantiation of the IND-CCA2 preserving Example 3 in Figure 1 of [GHP18], [...]"

IMHO: We propose a very robust construction.

BTW: I think the widely known method of producing an ECC-based IND-CCA2 KEM is described in the 2001 paper of Cramer and Shoup, "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack". That paper is also cited in HPKE (RFC9180) and (I believe, judging based on https://www.shoup.net/papers/iso-2_1.pdf) ECIES-KEM derives from this.

> 
> 4) Because it is generic, it needs to deal with all sorts of badly
>    behaving KEMs that hopefully nobody is using. This makes things
>    slower and more complex than needed.
> 
>    E.g., KEM that does not resist ciphertext second preimages. Or
>    a KEM that does not resist re-encryption.
> 
> If version based on draft-ounsworth-cfrg-kem-combiners gets posted, it
> should have major warnings not to use it for any protocol work until
> published as RFC. Incompatible uses are really bad.
> 
> 
> What multiple protocols actually want is a set of fixed-parameter hybrid
> KEMs, constructed from ML-KEM (or sometimes other PQC KEMs) and ECC (or
> sometimes RSA) And any such can be optimized for both performance and
> simplicity (usually the goals do not compete).
> 
> 
> 
> What I think CFRG needs to cover:
> 
> a) Protocol-universal KEM combiner, accepting KEMs, ECC and RSA as
>    components, with no unneeded degrees of freedom.
> b) Presumably based on NIST SP 800-56Cr2 (apparently some want that,
>    it doesn't really add complexity and haven't seen any conflicting
>    requests).

[SK]: This is actually exactly what draft-ounsworth-cfrg-kem-combiners is doing. See e.g.

- Abstract: " This document defines a comprehensible and easy to implement Keccak-based KEM combiner to join an arbitrary number of key shares, that is compatible with NIST SP 800-56Cr2 [...]
- Section 3 KEM combiner construction: " In Section 4 several possible practical instantiations are listed that are in compliance with NIST SP-800 56Cr2 [...]"#

> c) No unneeded complexity. If key can be elided, do so. If both key and
>    ciphertext can be elided, do so.

[SK]: I assume you mean *public* key here. In general, you must not elide the ciphertext. This is what Giacon et al "KEM combiners" tells us.

> d) Number of recommended pre-made instantiations for real-world use,
>    complete with test vectors. The rest is NOT RECOMMENDED for use.

[SK]: Actually this is on our Todo-list for draft-ounsworth-cfrg-kem-combiners.

> e) How to use ML-KEM as a component (simpler/faster than generic).
> f) (Possibly how to use NTRU prime as component).
> g) How to use ECDH as component (it is not a KEM).
> h) How to use X25519/X448 as component (ditto).
> i) How to use RSA as component (yes, apparently some do want RSA)
> j) How to use generic KEM as component.
> k) Description of security properties of all previous (sometimes those
>    seem to get a bit funky...)
> 
> Details for each algorithm class (except generic KEMs) need to be
> worked out anyway for the recommended instantiations.
> 
> The actual instatiations will presumably look something like what is
> in this PR:
> 
> https://github.com/lamps-wg/draft-composite-kem/pull/11
> 
> (I think ciphertext is needed for RSA, even if IND-CCA2 proof would go
> through without...)
> 
> 
> 
> 
> -Ilari

v2.23.0 | Report a Bug | By Email