IETF Logo Mail Archive

Re: [CFRG] How will Kyber be added to HPKE (9180)?

Neil Madden <neil.e.madden@gmail.com> Thu, 24 November 2022 19:13 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 854B9C14CE4A for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:13:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.093
X-Spam-Level:
X-Spam-Status: No, score=-7.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JPjYmAqJqvAO for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 11:13:20 -0800 (PST)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A835C14CE4B for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:13:20 -0800 (PST)
Received: by mail-wr1-x42f.google.com with SMTP id bs21so3735138wrb.4 for <cfrg@irtf.org>; Thu, 24 Nov 2022 11:13:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=XSSRKCaN5V7opYJktW42qh6oDhHHs4Jak48LwH4vIMg=; b=LsF/BLTtEZYPnxUVayUotu4BdmN4xUu3Az+sD7hz/Ks5mO2lduJzB7+/hbuS+raTkl oGZ1WCuYjzgVxtyzWVQzCJYZvMdeyhOAl9wH7hzyR8X8k4O97LkO380mTYcxT7fIpSpc pu5m6TtTApEZt7RWvQEk+RonIWLf+GecMqMl+vJ3e3UcRkZG28ItvFAbwS0JmexiDbq/ xvHoV8p+tMxF6CuoBKwXAkAErmgto9FsyzbZ6glthYWkNxKVYq9z517hyMUTzGYtpttI VGnprzDTzBF3Y8sXhtjTIsCOIOr9g6hHd6Oe/RSadCNpUngXqoFB50u6edgb7I+U1aBG sNLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=XSSRKCaN5V7opYJktW42qh6oDhHHs4Jak48LwH4vIMg=; b=vWIfmoLBeIV9OoPGnZBhmFY7FSIvh6qRoaJvfO1t4i9xVuyvuaKzmT+6a98MkUc6Km 4GUFnD4zMuivKHwbbkfzV6W8PlCZT5yR5KKsrCVBlO7ylRJsLsFNjKTxMT4lBxSL/cQT ccY+w91C9539TOvqwaX+hIP54rjBud5QqARFen7NG3kKBZqS2mIC9Ec4Q18v5kSgJCH0 G7mkti39GrWDY7FvZkZxeKFSvo+Q+wShO2FLcmW2ayJr8/FioOEqS8GoXgsQ7mS7th4d cWMnMd7p/VaaqZobHggKGFdf6xS3A16D7rIXqQWMpDd20s4nRSmHeWBaTHytYv1OTpdq OOKg==
X-Gm-Message-State: ANoB5plcLUq4meymVpXBzk0GZgF7ki3I7sDL/Gvj/OdwbcRqi6QQLDPh R48Ay8EEEdGHpo7+p9qlpeDO0bV4m65dPg==
X-Google-Smtp-Source: AA0mqf5Mq2Von8yFhLdRWbM5QUXf8b4s/CzAilazaegb7/4tdjlEOeLXcUh30sJnR4IAHR+3aUJQpw==
X-Received: by 2002:adf:e508:0:b0:236:588f:b5d with SMTP id j8-20020adfe508000000b00236588f0b5dmr9526509wrm.255.1669317198832; Thu, 24 Nov 2022 11:13:18 -0800 (PST)
Received: from smtpclient.apple (233.213.93.209.dyn.plus.net. [209.93.213.233]) by smtp.gmail.com with ESMTPSA id p9-20020adfce09000000b0022dc6e76bbdsm2031940wrn.46.2022.11.24.11.13.18 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 24 Nov 2022 11:13:18 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-58E35046-54AB-434D-A462-A66B93C41835"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Thu, 24 Nov 2022 19:13:17 +0000
Message-Id: <61BCC306-CF0E-421C-A6A1-32226D9E417C@gmail.com>
References: <CAN8C-_KwT8M6-8_xA5mCCHrDWja3s1tH-RQjGz5eskYhNaa63w@mail.gmail.com>
Cc: Mike Ounsworth <Mike.Ounsworth@entrust.com>, CFRG <cfrg@irtf.org>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
In-Reply-To: <CAN8C-_KwT8M6-8_xA5mCCHrDWja3s1tH-RQjGz5eskYhNaa63w@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
X-Mailer: iPhone Mail (19G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PibdHWG1qavKJS2-nwmdA6r8Ab4>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 19:13:24 -0000

Not with just a KEM, no. You either need a KEM and a signature scheme or a richer primitive like Diffie-Hellman. 

I wrote a blog post about this a year ago: https://neilmadden.blog/2021/02/16/when-a-kem-is-not-enough/

— Neil

> On 24 Nov 2022, at 19:03, Orie Steele <orie@transmute.industries> wrote:
> 
> 
> I think I'm hearing there is no way to build something like ECDH-1PU with KEMs... Right?
> 
> https://datatracker.ietf.org/doc/html/draft-madden-jose-ecdh-1pu-04
> 
> OS
> 
>> On Thu, Nov 24, 2022, 12:40 PM Neil Madden <neil.e.madden@gmail.com> wrote:
>> Right. As others have said, if all you have is a Kyber certificate then you are stuck doing interactive authentication (as far as we know). If you care about non-interactive authentication then getting into a situation where all you have is an non-auth KEM certificate would be a bad idea.
>> 
>> (If you were going to do what I suggested then the public keys for the KEM and signature scheme should be combined and thus you’d have a single cert for the combined algorithm rather than separate certs). 
>> 
>> — Neil
>> 
>>>> On 24 Nov 2022, at 18:31, Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote:
>>>> 
>>> 
>>> John Mattsson said:
>>> 
>>>  
>>> 
>>> > I think that is a good idea. But I think the construction should probably be:
>>> 
>>>  
>>> 
>>> Add the recipient identity to the message.
>>> Sign the message with Dilithium
>>> Encrypt [recipient ID, message, signature] with HPKE-Kyber
>>>  
>>> 
>>> > That is probably a good solution for CMPv3
>>> 
>>>  
>>> 
>>> I disagree.
>>> 
>>>  
>>> 
>>> Take for example a Kyber certificate trying to authorize/authenticate a request to the CA for its own revocation, key update, or cert renewal. All you have is a KEM certificate; where do you get a Dilithium key from?
>>> 
>>> Of course you could create an ephemeral Dilithium key, but a signature from an ephemeral key is fairly useless.
>>> 
>>>  
>>> 
>>> Some PKIs will always issue pairs of KEM / Signature certificates, but you don’t get to assume this in general when designing the certificate management protocol  – this will be especially true if TLS AuthKEM takes off and demand for KEM authentication certificates skyrockets. Plus, if you’re using CertA to authorize management operations for CertB, then you have to strongly establish co-ownership of the two certs, which may be possible in some PKIs (for example if the CA has a consistent DN structure that strongly identifies both certs as belonging to the same entity / device / hardware key storage container, whatever the PKI administrator has deemed to be the definition of “co-ownership” for that environment), but requiring PKIs to be able to determine co-ownership of certificates would be a departure from current requirements of the CMP protocol where mechanisms exist for all cert types to self-administer.
>>> 
>>>  
>>> 
>>> ---
>>> 
>>> Mike Ounsworth
>>> 
>>>  
>>> 
>>> From: CFRG <cfrg-bounces@irtf.org> On Behalf Of John Mattsson
>>> Sent: November 24, 2022 12:01 PM
>>> To: Neil Madden <neil.e.madden@gmail.com>; Ilari Liusvaara <ilariliusvaara@welho.com>
>>> Cc: cfrg@irtf.org
>>> Subject: [EXTERNAL] Re: [CFRG] How will Kyber be added to HPKE (9180)?
>>> 
>>>  
>>> 
>>> WARNING: This email originated outside of Entrust.
>>> DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
>>> 
>>> Nail wrote:
>>> >Isn't there a straightforward generic construction of an >AKEM from a normal KEM plus a (PQ) signature scheme >that could be used here? i.e., run the KEM and then sign >the encapsulated key? Obviously this would produce quite >large encapsulations, and a "key-pair" for such an AKEM >would then be two key-pairs encoded into one (with a >covering self-signature to prevent tampering). In principle >this seems doable?
>>> 
>>>  
>>> 
>>> I think that is a good idea. But I think the construction should probably be:
>>> 
>>>  
>>> 
>>> Add the recipient identity to the message.
>>> Sign the message with Dilithium
>>> Encrypt [recipient ID, message, signature] with HPKE-Kyber
>>>  
>>> 
>>> That is probably a good solution for CMPv3
>>> 
>>>  
>>> 
>>> Cheers,
>>> 
>>> John
>>> 
>>>  
>>> 
>>> From: CFRG <cfrg-bounces@irtf.org> on behalf of Neil Madden <neil.e.madden@gmail.com>
>>> Date: Thursday, 24 November 2022 at 17:00
>>> To: Ilari Liusvaara <ilariliusvaara@welho.com>
>>> Cc: cfrg@irtf.org <cfrg@irtf.org>
>>> Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?
>>> 
>>>  
>>> 
>>> On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>>> 
>>>  
>>> 
>>> On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:
>>> 
>>> Hi CFRG!
>>> 
>>> Background: we are working to add KEM support to Certificate
>>> Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
>>> will eventually be 4210bis). We are planning to accomplish this by
>>> supporting HPKE (RFC 9180) as a new message protection mechanism in
>>> CMPv3 and hoping that we can inherit Kyber more-or-less for free once
>>> HPKE supports it.
>>> 
>>> Question "how": How will Kyber be added to HPKE? I assume there will
>>> be an equivalent to section 4.1 that defines KyberKEM with its own
>>> Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
>>> AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1),
>>> but making use of Kyber internally? The Kyber2018 paper [1] figure 3
>>> defines an authenticated Kyber exchange that looks like it should
>>> easily fit into the existing HPKE APIs. In other words, will
>>> supporting 9180 now with abstractions around those 4 functions allow
>>> for easy drop-in of Kyber later?
>>> 
>>> 
>>> Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth*
>>> interfaces is optional is to allow for KEMs that do not allow non-
>>> interactive authentication, like the post-quantum ones.
>>> 
>>> In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
>>> is CSIDH (not to be confused with totally broken SIDH/SIKE), and
>>> security of that in both classical and quantum settings is subject to
>>> debate.
>>> 
>>>  
>>> 
>>> Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?
>>> 
>>>  
>>> 
>>> -- Neil
>>> 
>>> Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email