IETF Logo Mail Archive

Re: [CFRG] Call for adoption: Hybrid KEM Combiners

"Kousidis, Stavros" <stavros.kousidis@bsi.bund.de> Tue, 20 February 2024 08:04 UTC

Return-Path: <stavros.kousidis@bsi.bund.de>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D07C14F5E9 for <cfrg@ietfa.amsl.com>; Tue, 20 Feb 2024 00:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.004
X-Spam-Level:
X-Spam-Status: No, score=-7.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=bsi.bund.de header.b="n32oYYuN"; dkim=pass (2048-bit key) header.d=bsi.bund.de header.b="JLlLAkCF"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9FKMjCgx4Ri for <cfrg@ietfa.amsl.com>; Tue, 20 Feb 2024 00:04:08 -0800 (PST)
Received: from m3-bn.bund.de (m3-bn.bund.de [77.87.228.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C887C14F5EF for <cfrg@irtf.org>; Tue, 20 Feb 2024 00:04:07 -0800 (PST)
Received: from m3-bn.bund.de (localhost [127.0.0.1]) by m3-bn.bund.de (Postfix) with ESMTP id 6B542671698; Tue, 20 Feb 2024 09:04:04 +0100 (CET)
Received: (from localhost) by m3-bn.bund.de (MSCAN) id 4/m3-bn.bund.de/smtp-gw/mscan; Tue Feb 20 09:04:04 2024
X-NdB-Source: NdB
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-ed25519; t=1708416231; bh=of2GRNOrI1fdG0c9KptdYmhIo8ZnvmHF28SkhMMbpZY=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=n32oYYuNKqs8CHR0tyzJptGgBtErB2uAdHjkEvS+ckPskVeaYLuGM56TBom+k9LLf iNQ4nEXYLWkSbbJIZXKBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bsi.bund.de; s=211014-e768-rsa; t=1708416231; bh=of2GRNOrI1fdG0c9KptdYmhIo8ZnvmHF28SkhMMbpZY=; h=From:To:CC:Subject:Date:References:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version:Autocrypt:Cc: Content-Transfer-Encoding:Content-Type:Date:From:In-Reply-To: Mime-Version:Openpgp:References:Reply-To:Resent-To:Sender:Subject: To; b=JLlLAkCF4HFdEjHKhxddVsaKFyQvWLcSPkKik2eQ3hnnCnKvsK2q1Gr5x/ga3zQnF U4lQOVxz/6kregISl+6GOEgmw9CpUEtaHc/5ZOoXapHTQpOLOu8MJBns3n0/r3VGe1 1KoLSL+FkUqLGqFb/TH8EWvftWsByd074oVX++orxw+dllZ8hZ3YrlcHL1YGCStBRk qf57ZnNLO8jsBhs/M+AqaW8nA764oB5G4Fa1UTKTe66vSpCz6mBaaswOzSqxA70Jl1 wefNhTvc2r4vuCb6j3IOf24dU6p/Z+JXvfxOoOglH/JbbVsT4hL4Ves7SIJ7qEc/15 MNhxcTyiutlVA==
X-P350-Id: 2ea2e7323ef33038
X-Virus-Scanned: amavisd-new at bsi.bund.de
From: "Kousidis, Stavros" <stavros.kousidis@bsi.bund.de>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] Call for adoption: Hybrid KEM Combiners
Thread-Index: AQHzW1XSJm8s+/xla8zXj5i2m5yGqgHLPPlsAYe1wbEBflOmzrC6Yjyg
Date: Tue, 20 Feb 2024 08:03:48 +0000
Message-ID: <448616f1d7864b81a2f7e4b18ae4ddee@bsi.bund.de>
References: <CAOjisRyCU+nhJm+x-UxEUjEPAPxH6e-Sa+TkwgYYBDcAx_a93g@mail.gmail.com> <ZdIhou0UPo2YH-hx@LK-Perkele-VII2.locald> <4341fe61620343f8a4b6d43a6895ac06@bsi.bund.de> <ZdOM0Ju-_Mo6WUnJ@LK-Perkele-VII2.locald>
In-Reply-To: <ZdOM0Ju-_Mo6WUnJ@LK-Perkele-VII2.locald>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Old-x-esetresult: clean, is OK
Old-x-esetid: 37303A292EA56255607266
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EsetResult: clean, is OK
X-EsetId: 37303A29B8016555607266
X-Rusd: domwl, Pass through domain bsi.bund.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/W_G1iAHj_YhZIzvqQsfqPT8brfU>
Subject: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Feb 2024 08:04:13 -0000

Ilari,

Concerning your reply:

> "fixedInfo is some protocol-specific KDF binding,"
> 
> That's no KEM...
> 
> And there is a precedent on this sort of thing. Turned out to be a major
> mistake. Except I think this one is even worse.

[SK]: Let me repeat, we define a KEM combiner through the use of a KDF (from NIST SP 800-56Cr2). Of course we have to explain the interface and consequently it is obvious that you will find many such sentences as the one you cite.

Concerning your replies:

> What if none are IND-CCA2-secure, but there is Diffie-Hellman with hard
> {CDH}^{DDH} in the mix?
> 
> That case absolutely has to work, but no generic reasoning is possible.
> 
> In this sort of stuff, correct result for incorrect reasons is wrong.

And 

> Ciphertext can be elided if KEM resists both ciphertext 2nd preimages
> and re-encryption. ML-KEM is known to satisfy those assumptions.
> 
> Yes, this is a special case, but so is Diffie-Hellman.

[SK]: I would like to cite https://mailarchive.ietf.org/arch/msg/cfrg/84TUdtD0w12qFSNPpdV5ArS4-IE/, i.e.

"More importantly, a combiner that simply asks for IND-CCA2 KEMs is easier to review than a combiner that makes ad-hoc assumptions about KEMs, such as the QSF combiner inside X-Wing."

And let me repeat, the KEM combiner described in draft-ounsworth-cfrg-kem-combiners asks for at least one IND-CCA2 KEM.

Best
Stavros


> -----Ursprüngliche Nachricht-----
> Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
> Gesendet: Montag, 19. Februar 2024 18:16
> An: cfrg@irtf.org
> Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
> 
> On Mon, Feb 19, 2024 at 08:46:52AM +0000, Kousidis, Stavros wrote:
> 
> > > -----Ursprüngliche Nachricht-----
> > > Von: ilariliusvaara@welho.com <ilariliusvaara@welho.com>
> > > Gesendet: Sonntag, 18. Februar 2024 16:26
> > > An: cfrg@irtf.org
> > > Betreff: Re: [CFRG] Call for adoption: Hybrid KEM Combiners
> > >
> > > I think CFRG work on hybrid KEMs is very much needed. However, I do not
> > > think draft-ounsworth-cfrg-kem-combiners is a good starting point.
> > >
> > > Some of the major issues with that draft are:
> > >
> > > 1) It solves the wrong problem. The construction in that draft looks
> > >    like a multi-key KDF, not a KEM. Protocols usually integrate the KDF
> > >    rather tightly, making replacing the KDF very difficult. Whereas non-
> > >    exotic asymmetric confidentiality can usually be replaced by a fixed-
> > >    parameter KEM (exotic uses are usually pre-quantum anyway).
> > >
> > >    (D)TLS 1.3, COSE, JOSE, CMS and HPKE are all that way.
> >
> > [SK]: The construction is not a KEM it is a *KEM Combiner* that is
> > instantiated by picking a suitable one-step KDF from NIST SP
> > 800-56Cr2. So IMHO it solves the right problem by building upon
> > existing functions. There is no need for protocols to replace already
> > integrated KDFs. The composite KEMs that are offered in
> > draft-ounsworth-pq-composite-kem illustrate this. To be precise, the
> > resulting (combined) shared secret that results from e.g.
> > id-Kyber768-X25519-KMAC256 can be fed subsequently into your already
> > integrated KDF.
> 
> "fixedInfo is some protocol-specific KDF binding,"
> 
> That's no KEM...
> 
> And there is a precedent on this sort of thing. Turned out to be a major
> mistake. Except I think this one is even worse.
> 
> 
> > > 3) It labels its slots as IND-CCA2 KEM. It is not safe to just stuff
> > >    ECC into such slot. I don't think there is any widely known
> > >    IND-CCA2 KEM construction based on ECC (HPKE introduced its own one).
> > >    And using such would lead to goofy hash duplication.
> > >
> > >    It is very bad to offer crypto tool that will just be widely misused,
> > >    even if that misuse has no practical security impact.
> >
> > [SK]: I would like to point out that we propose a KEM Combiner that is
> > CCA2-secure as long as at least *ONE* ingredient KEM is CCA2-secure.
> > We point that out at several places in the draft and give arguments in
> > the security considerations, e.g.
> 
> What if none are IND-CCA2-secure, but there is Diffie-Hellman with hard
> {CDH}^{DDH} in the mix?
> 
> That case absolutely has to work, but no generic reasoning is possible.
> 
> In this sort of stuff, correct result for incorrect reasons is wrong.
> 
> 
> > > What I think CFRG needs to cover:
> > >
> > > c) No unneeded complexity. If key can be elided, do so. If both key and
> > >    ciphertext can be elided, do so.
> >
> > [SK]: I assume you mean *public* key here. In general, you must not
> > elide the ciphertext. This is what Giacon et al "KEM combiners"
> > tells us.
> 
> Ciphertext can be elided if KEM resists both ciphertext 2nd preimages
> and re-encryption. ML-KEM is known to satisfy those assumptions.
> 
> Yes, this is a special case, but so is Diffie-Hellman.
> 
> 
> 
> 
> -Ilari

v2.23.0 | Report a Bug | By Email