Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 24 November 2022 16:27 UTC

Date: Thu, 24 Nov 2022 18:27:01 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <Y3+bVcM+k58ry4gP@LK-Perkele-VII2.locald>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <CH0PR11MB57396B0774CA27A5918E570E9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CH0PR11MB57396B0774CA27A5918E570E9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/aUNDIhdiCuoi9WJmXEIZhK_R2po>
Subject: Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?

On Thu, Nov 24, 2022 at 03:58:31PM +0000, Mike Ounsworth wrote:
> Thanks Ilari,
> 
> So to make sure I understood you correctly, the Kyber update to HPKE
> will only provide Encap() and Decap(), and WILL NOT provide
> AuthEncap() and AuthDecap() ?

Correct.


> In CMP both client and server have KEM certificates and we need client
> -> server messages to be authenticated by the client certificate. I.e.
> we were hoping to use HPKE mode_auth as a Kyber replacement for
> DHBasedMac defined in RFC4210 section 5.1.3.2 (authors are still
> discussing, but I think we would just use HPKE to get exporter keys
> to use with a MAC cause we don't need enveloping encryption, but don't
> quote me on that yet).
> 
> So if HPKE won't support mode_auth with Kyber, then there's no
> advantage to us adopting HPKE, and we should just define a
> KyberBasedMac mechanism directly based on [Kyber2018] fig 3?

There is no known way to do that (it is equivalent to non-interactive
authenticated key exchange). And that is the reason why Kyber
will not support AuthEncap/AuthDecap.

As some others have noted, Kyber2018 fig 3 is interactive authenticated
key exchange. And there is no known way to make non-interactive
authenticated key exchange out of interactive authenticated key
exchange.



-Ilari
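To make concrete what the DH-based KEM in RFC 9180 does in AuthEncap/AuthDecap that a generic KEM interface such as Kyber's Encap(pkR)/Decap(enc, skR) has no input for, here is an added toy Python model of DHKEM's authenticated encapsulation. It is not code from this thread or from any HPKE implementation; the modulus, generator and SHA-256 "KDF" are constructed stand-ins, not secure parameters.

```python
"""Toy DHKEM following the RFC 9180 AuthEncap/AuthDecap data flow.

Constructed example: P/G form a small toy group and SHA-256 replaces
ExtractAndExpand. Neither is secure; they only show which secrets go where.
"""
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (Mersenne prime), NOT a secure group
G = 3            # constructed toy generator


def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def dh(sk, pk):
    return pow(pk, sk, P).to_bytes(16, "big")


def ser(pk):
    return pk.to_bytes(16, "big")


def extract_and_expand(dh_bytes, kem_context):
    # stand-in for RFC 9180 ExtractAndExpand (LabeledExtract/LabeledExpand)
    return hashlib.sha256(b"toy-dhkem" + dh_bytes + kem_context).digest()


def auth_encap(pk_r, sk_s):
    """AuthEncap: the sender's STATIC secret skS enters via DH(skS, pkR).
    A generic KEM Encap(pkR) has no such slot, which is why Kyber in HPKE
    offers only base-mode Encap/Decap."""
    sk_e, pk_e = keygen()
    pk_s = pow(G, sk_s, P)
    dh_bytes = dh(sk_e, pk_r) + dh(sk_s, pk_r)
    enc = ser(pk_e)
    kem_context = enc + ser(pk_r) + ser(pk_s)
    return extract_and_expand(dh_bytes, kem_context), enc


def auth_decap(enc, sk_r, pk_s):
    """AuthDecap: receiver recomputes DH(skR, pkE) and DH(skR, pkS); the
    second term only matches if the sender really held skS."""
    pk_e = int.from_bytes(enc, "big")
    pk_r = pow(G, sk_r, P)
    dh_bytes = dh(sk_r, pk_e) + dh(sk_r, pk_s)
    kem_context = enc + ser(pk_r) + ser(pk_s)
    return extract_and_expand(dh_bytes, kem_context)
```

The second DH term is the non-interactive sender authentication the thread discusses; with a lattice KEM the receiver has no way to recompute anything derived from the sender's static key, so the construction has no analogue.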