Re: [CFRG] [EXTERNAL] Re: Streamlined NTRU Prime: sntrup761

Peter C <Peter.C@ncsc.gov.uk> Sat, 20 May 2023 15:18 UTC

From: Peter C <Peter.C@ncsc.gov.uk>
To: Simon Josefsson <simon@josefsson.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Sat, 20 May 2023 15:18:42 +0000
Message-ID: <LO2P123MB49274E446172F919D3D616A6BC7D9@LO2P123MB4927.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <87zg60xdpx.fsf@kaka.sjd.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/_XT8_ar3WpLCx6pAJyA_lffJYR4>

Simon,

> My goal is to document how sntrup761x25519-sha512
> is implemented by several SSH implementations, so that
> goal makes aligning these documents a non-starter.

That is what I had assumed.  However, the draft explicitly says "we offer this document for other protocols that desire to use an established hybrid key exchange method" so there is a clear intention for the hybrid construction to be used elsewhere, not just in SSH.

> I struggle to see how SHA512(SS-SNTRUP761||SS-X25519)
> is weaker than using either of SS-SNTRUP761 or SS-X25519
> directly in any practically relevant way though.

There was a discussion about the relevance of IND-CCA security in the draft-ounsworth-cfrg-kem-combiners thread.  I think the main point is that it fundamentally depends on how the KEM is going to be used.  If you are specifying a general purpose KEM where you don't know in advance what will be needed, aiming for IND-CCA security is the safest option.

As a concrete example, consider HPKE.  RFC 9180 requires that the KEM is (at least) IND-CCA secure so that the desired security goals for HPKE are met.  It is (probably) acceptable to use sntrup761 by itself, but it wouldn't be acceptable to use the sntrup761+x25519 hybrid construction for exactly the same reason why it wouldn't be acceptable to use X25519 without the DHKEM conversion.

If you decided to use the sntrup761+x25519 hybrid construction anyway, this could have unexpected consequences for any protocol that relied on HPKE.  It would, for example, break the suggested anti-replay mechanism in draft-ietf-ohai-ohttp.

Peter

Peter Campbell
Industry Liaison and International Standards
peter.c@ncsc.gov.uk
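An added example, not code from the draft, from OpenSSH or from any implementation discussed in this thread, contrasting the two combiners the message describes: a plain hash of the raw shared secrets (the sntrup761x25519-sha512 shape) and the RFC 9180 DHKEM ExtractAndExpand conversion, which also binds the encapsulations and the recipient's public keys into the derived key. The kem_id, the 64-byte output length and all sample values are constructed assumptions, and the scenario in which two distinct encapsulations decapsulate to the same raw secrets is simulated with fixed bytes rather than computed from a real KEM.

```python
import hashlib
import hmac

HASH = hashlib.sha512
N_SECRET = 64  # assumed: match the 64-byte SHA-512 output of the SSH method
# HPKE "KEM" suite id. 0xFFFF is a placeholder: no HPKE kem_id for
# sntrup761+x25519 appears on this page.
SUITE_ID = b"KEM" + (0xFFFF).to_bytes(2, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, info, length)


def ssh_combiner(ss_pq: bytes, ss_dh: bytes) -> bytes:
    """SHA512(SS-SNTRUP761 || SS-X25519): the raw secrets only, nothing else bound."""
    return HASH(ss_pq + ss_dh).digest()


def dhkem_style_combiner(ss_pq, ss_dh, ct_pq, enc_dh, pk_pq, pk_dh) -> bytes:
    """RFC 9180 ExtractAndExpand with kem_context = encapsulations || recipient keys."""
    eae_prk = labeled_extract(b"", b"eae_prk", ss_pq + ss_dh)
    kem_context = ct_pq + enc_dh + pk_pq + pk_dh
    return labeled_expand(eae_prk, b"shared_secret", kem_context, N_SECRET)


def demo() -> dict:
    # Constructed values; enc_dh2 stands for a second, different X25519
    # encapsulation that (by assumption) decapsulates to the same raw ss_dh.
    ss_pq, ss_dh = b"\x01" * 32, b"\x02" * 32
    ct_pq, pk_pq, pk_dh = b"\xaa" * 1039, b"\xbb" * 1158, b"\xcc" * 32
    enc_dh1, enc_dh2 = b"\xdd" * 32, b"\xde" * 32
    bound1 = dhkem_style_combiner(ss_pq, ss_dh, ct_pq, enc_dh1, pk_pq, pk_dh)
    bound2 = dhkem_style_combiner(ss_pq, ss_dh, ct_pq, enc_dh2, pk_pq, pk_dh)
    return {"ssh_same": ssh_combiner(ss_pq, ss_dh) == ssh_combiner(ss_pq, ss_dh),
            "bound_same": bound1 == bound2}
```

With the hash-only combiner the derived key is identical for both encapsulations, which is the property the message says rules it out where HPKE's IND-CCA requirement matters; with the bound combiner the two keys differ.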