Re: [CFRG] Call for adoption: Hybrid KEM Combiners
"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Tue, 20 February 2024 08:04 UTC
Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D07C14F5E9 for <cfrg@ietfa.amsl.com>; Tue, 20 Feb 2024 00:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="n32oYYuN"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="JLlLAkCF"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9FKMjCgx4Ri for <cfrg@ietfa.amsl.com>; Tue, 20 Feb 2024 00:04:08 -0800 (PST)
Received: from m3-bn.bund.de (m3-bn.bund.de [77.87.228.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C887C14F5EF for <cfrg@irtf.org>; Tue, 20 Feb 2024 00:04:07 -0800 (PST)
Received: from m3-bn.bund.de (localhost [127.0.0.1]) by m3-bn.bund.de (Postfix) with ESMTP id 6B542671698; Tue, 20 Feb 2024 09:04:04 +0100 (CET)
Received: (from localhost) by m3-bn.bund.de (MSCAN) id 4/m3-bn.bund.de/smtp-gw/mscan; Tue Feb 20 09:04:04 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1708416231; bh=of2GRNOrI1fdG0c9KptdYmhIo8ZnvmHF28SkhMMbpZY=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=n32oYYuNKqs8CHR0tyzJptGgBtErB2uAdHjkEvS+ckPskVeaYLuGM56TBom+k9LLf iNQ4nEXYLWkSbbJIZXKBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1708416231; bh=of2GRNOrI1fdG0c9KptdYmhIo8ZnvmHF28SkhMMbpZY=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=JLlLAkCF4HFdEjHKhxddVsaKFyQvWLcSPkKik2eQ3hnnCnKvsK2q1Gr5x/ga3zQnF U4lQOVxz/6kregISl+6GOEgmw9CpUEtaHc/5ZOoXapHTQpOLOu8MJBns3n0/r3VGe1 1KoLSL+FkUqLGqFb/TH8EWvftWsByd074oVX++orxw+dllZ8hZ3YrlcHL1YGCStBRk qf57ZnNLO8jsBhs/M+AqaW8nA764oB5G4Fa1UTKTe66vSpCz6mBaaswOzSqxA70Jl1 wefNhTvc2r4vuCb6j3IOf24dU6p/Z+JXvfxOoOglH/JbbVsT4hL4Ves7SIJ7qEc/15 MNhxcTyiutlVA==
X-P350-Id: 2ea2e7323ef33038
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Call for adoption: Hybrid KEM Combiners
Thread-Index: AQHzW1XSJm8s+/xla8zXj5i2m5yGqgHLPPlsAYe1wbEBflOmzrC6Yjyg
Date: Tue, 20 Feb 2024 08:03:48 +0000
Message-ID: <448616f1d7864b81a2f7e4b18ae4ddee@bsi.bund.de>
References: <CAOjisRyCU+nhJm+x-UxEUjEPAPxH6e-Sa+TkwgYYBDcAx_a93g@mail.gmail.com> <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald> <4341fe61620343f8a4b6d43a6895ac06@bsi.bund.de> <ZdOM0Ju-_Mo6WUnJ@LK-Perkele-VII2.locald>
In-Reply-To: <ZdOM0Ju-_Mo6WUnJ@LK-Perkele-VII2.locald>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A292EA56255607266
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29B8016555607266
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/W_G1iAHj_YhZIzvqQsfqPT8brfU>
Subject: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 08:04:13 -0000
Ilari, Concerning your reply: > "fixedInfo is some protocol-specific KDF binding," > > That's no KEM... > > And there is a precedent on this sort of thing. Turned out to be a major > mistake. Except I think this one is even worse. [SK]: Let me repeat, we define a KEM combiner through the use of a KDF (from NIST SP 800-56Cr2). Of course we have to explain the interface and consequently it is obvious that you will find many such sentences as the one you cite. Concerning your replies: > What if none are IND-CCA2-secure, but there is Diffie-Hellman with hard > {CDH}^{DDH} in the mix? > > That case absolutely has to work, but no generic reasoning is possible. > > In this sort of stuff, correct result for incorrect reasons is wrong. And > Ciphertext can be elided if KEM resists both ciphertext 2nd preimages > and re-encryption. ML-KEM is known to satisfy those assumptions. > > Yes, this is a special case, but so is Diffie-Hellman. [SK]: I would like to cite https://mailarchive.ietf.org/arch/msg/cfrg/84TUdtD0w12qFSNPpdV5ArS4-IE/, i.e. "More importantly, a combiner that simply asks for IND-CCA2 KEMs is easier to review than a combiner that makes ad-hoc assumptions about KEMs, such as the QSF combiner inside X-Wing." And let me repeat, the KEM combiner described in draft-ounsworth-cfrg-kem-combiners asks for at least one IND-CCA2 KEM. Best Stavros > -----Ursprüngliche Nachricht----- > Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com> > Gesendet: Montag, 19. Februar 2024 18:16 > An: cfrg@irtf.org > Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners > > On Mon, Feb 19, 2024 at 08:46:52AM +0000, Kousidis, Stavros wrote: > > > > -----Ursprüngliche Nachricht----- > > > Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com> > > > Gesendet: Sonntag, 18. Februar 2024 16:26 > > > An: cfrg@irtf.org > > > Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners > > > > > > I think CFRG work on hybrid KEMs is very much needed. However, I do not > > > think draft-ounsworth-cfrg-kem-combiners is a good starting point. > > > > > > Some of the major issues with that draft are: > > > > > > 1) It solves the wrong problem. The construction in that draft looks > > > like a multi-key KDF, not a KEM. Protocols usually integrate the KDF > > > rather tightly, making replacing the KDF very difficult. Whereas non- > > > exotic asymmetric confidentiality can usually be replaced by a fixed- > > > parameter KEM (exotic uses are usually pre-quantum anyway). > > > > > > (D)TLS 1.3, COSE, JOSE, CMS and HPKE are all that way. > > > > [SK]: The construction is not a KEM it is a *KEM Combiner* that is > > instantiated by picking a suitable one-step KDF from NIST SP > > 800-56Cr2. So IMHO it solves the right problem by building upon > > existing functions. There is no need for protocols to replace already > > integrated KDFs. The composite KEMs that are offered in > > draft-ounsworth-pq-composite-kem illustrate this. To be precise, the > > resulting (combined) shared secret that results from e.g. > > id-Kyber768-X25519-KMAC256 can be fed subsequently into your already > > integrated KDF. > > "fixedInfo is some protocol-specific KDF binding," > > That's no KEM... > > And there is a precedent on this sort of thing. Turned out to be a major > mistake. Except I think this one is even worse. > > > > > 3) It labels its slots as IND-CCA2 KEM. It is not safe to just stuff > > > ECC into such slot. I don't think there is any widely known > > > IND-CCA2 KEM construction based on ECC (HPKE introduced its own one). > > > And using such would lead to goofy hash duplication. > > > > > > It is very bad to offer crypto tool that will just be widely misused, > > > even if that misuse has no practical security impact. > > > > [SK]: I would like to point out that we propose a KEM Combiner that is > > CCA2-secure as long as at least *ONE* ingredient KEM is CCA2-secure. > > We point that out at several places in the draft and give arguments in > > the security considerations, e.g. > > What if none are IND-CCA2-secure, but there is Diffie-Hellman with hard > {CDH}^{DDH} in the mix? > > That case absolutely has to work, but no generic reasoning is possible. > > In this sort of stuff, correct result for incorrect reasons is wrong. > > > > > What I think CFRG needs to cover: > > > > > > c) No unneeded complexity. If key can be elided, do so. If both key and > > > ciphertext can be elided, do so. > > > > [SK]: I assume you mean *public* key here. In general, you must not > > elide the ciphertext. This is what Giacon et al "KEM combiners" > > tells us. > > Ciphertext can be elided if KEM resists both ciphertext 2nd preimages > and re-encryption. ML-KEM is known to satisfy those assumptions. > > Yes, this is a special case, but so is Diffie-Hellman. > > > > > -Ilari
- [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Aritra Banerjee (Nokia)
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Stephen Farrell
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Dan Brown
- Re: [CFRG] [EXTERNAL] Call for adoption: Hybrid K… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Call for adoption: Hybrid K… Ira McDonald
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Russ Housley
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners D. J. Bernstein
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Santosh Chokhani
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Orie Steele
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Chris Barber
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Deirdre Connolly
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Aron Wussler
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Aron Wussler
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Flo D
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… D. J. Bernstein
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Bas Westerbaan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kris Kwiatkowski
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Ilari Liusvaara
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Ilari Liusvaara
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Kousidis, Stavros
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Watson Ladd
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Peter Gutmann
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Watson Ladd
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Sophie Schmieg
- Re: [CFRG] [EXTERNAL] Re: Call for adoption: Hybr… Peter Gutmann
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan
- Re: [CFRG] Call for adoption: Hybrid KEM Combiners Nick Sullivan