[CFRG] Re: I-D Action: draft-irtf-cfrg-kemeleon-02.txt
Veitch Shannon <shannon.veitch@inf.ethz.ch> Fri, 03 July 2026 12:35 UTC
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/RVjccduEHQ9Gf0hWa_TsaPp7plw>
Dear CFRG,
We've updated the Kemeleon draft to reflect feedback from Dan Harkins and further insights, in particular:
* We revised both the main non-rejecting encoding (Section 4) as well as the rejecting encoding (Section 5.1) to make outputs byte-aligned.
@Dan, to answer your explicit question on output sizes being off: your numbers were correct, as outputs should indeed be byte-aligned.
* For the rejecting encoding (Section 5.1), this requires some minor helper functions to randomize/clear unused bits in the top byte.
* For the non-rejecting encoding, we can use an appropriate parameter t in the Elligator²-style redundant representation for byte alignment.
We've opted for t = 76 in the draft, with the following rationale:
- Fixing t avoids a tunable parameter, helping interoperability and avoiding that people set it wrongly (too small or not byte-aligned).
- t=76 ensures byte alignment s.t. Kemeleon-encoded ML-KEM encapsulation keys have the _same size_ as regular ML-KEM public keys, possibly convenient for deployments.
- The resulting distribution's distance from uniform is at most 2^-76 (modulo ML-LWE). Importantly, this randomized representation step does _not_ rely on any computational assumptions, i.e., we get 2^-76 statistical distance independent of adversarial capabilities.
For censorship avoidance usage, this seems to be fine. (Corresponding to "after seeing 2^76 connections, an observer can distinguish with 50% advantage.")
For PAKEs, we'd appreciate input, but our understanding is that this corresponds to a 2^-76 chance of distinguishing one password guess right from wrong.
We'd appreciate feedback on the list (or during Felix's presentation at IETF 126), thanks for your input!
Best regards,
Felix, Douglas, and Shannon
On 3 Jul 2026, at 14:29, internet-drafts@ietf.org wrote:
Internet-Draft draft-irtf-cfrg-kemeleon-02.txt is now available. It is a work
item of the Crypto Forum (CFRG) RG of the IRTF.
Title: Kemeleon Encodings
Authors: Felix Günther
Douglas Stebila
Shannon Veitch
Name: draft-irtf-cfrg-kemeleon-02.txt
Pages: 15
Dates: 2026-07-03
Abstract:
This document specifies Kemeleon encoding algorithms for encoding
ML-KEM encapsulation keys and ciphertexts as random bytestrings.
Kemeleon encodings provide obfuscation of encapsulation keys and
ciphertexts, relying on module LWE assumptions.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-kemeleon/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-irtf-cfrg-kemeleon-02.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-irtf-cfrg-kemeleon-02
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
CFRG mailing list -- cfrg@irtf.org
To unsubscribe send an email to cfrg-leave@irtf.org
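The byte-alignment and 2^-76 rationale in the message above can be checked numerically; the following is an added example, not code from the draft or its authors. It assumes the encoding handles one 256-coefficient polynomial (q = 3329) at a time and that the redundant representation adds a random multiple of q^256; the names `pack`, `encode`, `decode` and `statistical_distance` are hypothetical, and the draft's actual algorithm may differ.

```python
# Added illustration; not the Kemeleon draft's algorithm or its authors' code.
import secrets
from fractions import Fraction

Q, N_COEFF, T = 3329, 256, 76        # ML-KEM modulus and degree; t from the post
MODULUS = Q ** N_COEFF               # number of distinct polynomials (assumed unit)
OUT_BITS = MODULUS.bit_length() + T  # 2996 + 76
OUT_BYTES = OUT_BITS // 8
BOUND = 1 << OUT_BITS


def pack(coeffs):
    """Interpret 256 coefficients in [0, Q) as one base-Q integer."""
    if len(coeffs) != N_COEFF or any(not 0 <= c < Q for c in coeffs):
        raise ValueError("expected 256 coefficients in [0, q)")
    x = 0
    for c in reversed(coeffs):       # coeffs[0] becomes the least significant digit
        x = x * Q + c
    return x


def encode(coeffs):
    """Assumed redundant representation: x + k*Q^256 for a random valid k."""
    x = pack(coeffs)
    k_count = (BOUND - 1 - x) // MODULUS + 1   # number of k with x + k*MODULUS < BOUND
    y = x + secrets.randbelow(k_count) * MODULUS
    return y.to_bytes(OUT_BYTES, "little")


def decode(blob):
    """Never rejects: every OUT_BYTES-long string maps to some polynomial."""
    if len(blob) != OUT_BYTES:
        raise ValueError("wrong length")
    x = int.from_bytes(blob, "little") % MODULUS
    coeffs = []
    for _ in range(N_COEFF):
        x, c = divmod(x, Q)
        coeffs.append(c)
    return coeffs


def statistical_distance():
    """Exact distance from uniform on [0, BOUND) when x is uniform mod MODULUS."""
    r = BOUND % MODULUS              # residues below r get one extra representative
    return Fraction(r * (MODULUS - r), BOUND * MODULUS)
```

Under these assumptions the output is 384 bytes per polynomial, the same length as a 12-bit-packed ML-KEM polynomial, and the exact distance from uniform comes out below 2^-76.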