Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 05 August 2022 17:07 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Thom Wiggers <thom@thomwiggers.nl>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: IRTF CFRG <cfrg@irtf.org>
Date: Fri, 05 Aug 2022 17:07:31 +0000
Message-ID: <DM8PR14MB523735BF8559A1B6DB04C648839E9@DM8PR14MB5237.namprd14.prod.outlook.com>
References: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com> <5CD18980-6C52-4CCA-8EF0-F7C45D1CB0F1@getmailspring.com> <CAMm+LwjfWGWR2StRtQGbahcyq+L+CGHdmsu7ZVHO8PyCnepDFg@mail.gmail.com> <950A7700-0514-416A-A0BC-43C9CB85628B@ll.mit.edu> <YuzUV9OyBUhlFTwt@LK-Perkele-VII2.locald> <CABzBS7nG-i6kmcvLT+Sr2s1D0m+quhPnUWeajpXc6o7fBw47wg@mail.gmail.com> <CH0PR11MB573935F7A00290145B50E8BB9F9E9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB573935F7A00290145B50E8BB9F9E9@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rPdS6QuqVsfXwsFmFfkV1zy2jhQ>

Russ isn’t the only LAMPS chair who hates params, he’s just more vocal than me 😊

-Tim

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Ounsworth
Sent: Friday, August 5, 2022 12:40 PM
To: Thom Wiggers <thom@thomwiggers.nl>; Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Thom said:
> Alternatively, another KDF is still fairly cheap.

At least in LAMPS-land, doing another KDF often means carrying another set of KDF params on the wire, and we all know how much Russ hates params :P

---
Mike Ounsworth

From: CFRG <cfrg-bounces@irtf.org<mailto:cfrg-bounces@irtf.org>> On Behalf Of Thom Wiggers
Sent: August 5, 2022 4:23 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>>
Cc: IRTF CFRG <cfrg@irtf.org<mailto:cfrg@irtf.org>>
Subject: [EXTERNAL] Re: [CFRG] Kyber 'interactive key agreement'?

Hi,

On Fri 5 Aug 2022 at 10:27, Ilari Liusvaara <ilariliusvaara@welho.com<mailto:ilariliusvaara@welho.com>> wrote:
> One still needs KDF. There is no guarantee that KEM directly allows
> variable-length output (KYBER does, as the final output stage is
> SHAKE-256) and even if it does, that the implementation supports that
> (the reference KYBER one does not).

As far as I know, the output length of the shared secrets in the current version of Kyber is part of the spec and the Known-Answer Tests (KATs); so even if it is using an XOF there, you're strictly speaking not allowed to change it.

Now, the current KATs have lots of things to be desired, and probably fix too many things. They even cover the secret keys, which is probably not great for lots of applications. Also, this all might change for the final version that NIST standardizes. If you want variable length outputs you may want to start a chat with NIST ;-)

Alternatively, another KDF is still fairly cheap.

Cheers,

Thom

> -Ilari
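As an added illustration, not part of this thread or of any Kyber code, the following Python shows what "another KDF" looks like when hung off a KEM's fixed-length shared secret: HKDF per RFC 5869 from the standard library, with the KEM public key and ciphertext bound into the derivation. The 32-byte shared secret, ciphertext and public key are constructed stand-ins, not Kyber values; the hash, salt and label choices are exactly the KDF parameters that both sides must agree on (out of band or on the wire).

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869 s2.2): PRK = HMAC-Hash(salt, IKM); empty salt -> zero block."""
    if not salt:
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869 s2.3): T(i) = HMAC-Hash(PRK, T(i-1) || info || i), i = 1..N."""
    h_len = hashlib.new(hash_name).digest_size
    if length > 255 * h_len:
        raise ValueError("HKDF-Expand cannot produce more than 255 * HashLen bytes")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, kem_pk: bytes, kem_ct: bytes,
                label: bytes, length: int) -> bytes:
    """Stretch a fixed-size KEM shared secret to `length` bytes of key material.

    The public key and ciphertext are hashed into `info` so the output is bound
    to this particular KEM transcript, not only to the raw shared secret.
    """
    info = label + hashlib.sha256(kem_pk).digest() + hashlib.sha256(kem_ct).digest()
    prk = hkdf_extract(b"", shared_secret)   # no salt: the KEM output is already uniform
    return hkdf_expand(prk, info, length)


# Constructed sample inputs (hypothetical, stand-ins for a KEM's pk / ct / 32-byte ss).
SAMPLE_SS = bytes(range(32))
SAMPLE_PK = b"constructed-kem-public-key"
SAMPLE_CT = b"constructed-kem-ciphertext"


def split_keys(shared_secret: bytes = SAMPLE_SS, kem_pk: bytes = SAMPLE_PK,
               kem_ct: bytes = SAMPLE_CT) -> tuple[bytes, bytes]:
    """Derive 64 bytes and split them into a 32-byte encryption key and a 32-byte MAC key."""
    okm = derive_keys(shared_secret, kem_pk, kem_ct, b"example-kem-v1", 64)
    return okm[:32], okm[32:]
```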
