From: Bas Westerbaan <bas@cloudflare.com>
Date: Tue, 28 May 2024 16:27:29 +0200
To: Orie Steele <orie@transmute.industries>
CC: CFRG <cfrg@irtf.org>,
 Deirdre Connolly <deirdre.connolly@sandboxquantum.com>
Subject: [CFRG] Re: PQ HPKE in JOSE and COSE with ML-KEM-768, HKDF-SHA256, AES128GCM
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/b8aLlMMbHR-UkxnQgCb4QWi-9b0>

On Tue, May 28, 2024 at 4:19 PM Orie Steele <orie@transmute.industries> wrote:

> If I'm reading the pqc-forum correctly, the domain separation applies to
> KeyGen only (which is before HPKE).
>

An HPKE KEM needs to define a DeriveKeyPair(ikm) function. GenerateKeyPair
is typically implemented as just calling DeriveKeyPair on a random seed.

See the "ikmR" values in the test vectors of

https://datatracker.ietf.org/doc/rfc9180/
https://datatracker.ietf.org/doc/draft-westerbaan-cfrg-hpke-xyber768d00/

Also we would be assuming there is not any other backwards incompatible
change to ML-KEM.
> Or are you suggesting there will be HPKE ML-KEM domain separation from
> regular ML-KEM?
>

No. [1]


> I'm mostly interested in what parts of HPKE ML-KEM will change, assuming
> ML-KEM is a black box that will eventually become immutable.
>

That's up to NIST.

Best,

 Bas

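The DeriveKeyPair(ikm) / GenerateKeyPair relationship described above, as an added example that is not part of the original mail: the DHKEM(X25519, HKDF-SHA256) derivation from RFC 9180 Section 7.1.3, written in Python with only the standard library. It derives the secret key from ikm (the X25519 public-key step, which needs a curve library, is left out); feeding it the ikmR from RFC 9180 Appendix A.1.1 reproduces that vector's skRm, which is exactly the kind of check that breaks if the underlying KEM's key generation changes under a fixed seed.

```python
import hashlib
import hmac
import secrets

# DHKEM(X25519, HKDF-SHA256) constants from RFC 9180 Section 7.1.
KEM_ID = 0x0020
NSK = 32
SUITE_ID = b"KEM" + KEM_ID.to_bytes(2, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 Extract: PRK = HMAC-SHA256(salt, ikm). HMAC zero-pads an
    # empty salt to HashLen, which matches the RFC's default salt.
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i).
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def labeled_extract(salt: bytes, label: bytes, ikm: bytes) -> bytes:
    # RFC 9180 Section 4: every extract is bound to "HPKE-v1" and the KEM suite id.
    return hkdf_extract(salt, b"HPKE-v1" + SUITE_ID + label + ikm)


def labeled_expand(prk: bytes, label: bytes, info: bytes, length: int) -> bytes:
    # RFC 9180 Section 4: the output length and suite id are bound into the info.
    labeled_info = length.to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + label + info
    return hkdf_expand(prk, labeled_info, length)


def derive_key_pair(ikm: bytes) -> bytes:
    # RFC 9180 Section 7.1.3, DeriveKeyPair for DHKEM(X25519): sk is a pure
    # function of ikm, so a fixed ikm (a test vector's ikmR) pins the key.
    # Returns sk only; pk = X25519(sk, basepoint) needs a curve library.
    dkp_prk = labeled_extract(b"", b"dkp_prk", ikm)
    return labeled_expand(dkp_prk, b"sk", b"", NSK)


def generate_key_pair():
    # GenerateKeyPair as the mail describes it: DeriveKeyPair on a fresh
    # random seed. The seed is returned so the key can be re-derived later.
    ikm = secrets.token_bytes(NSK)
    return ikm, derive_key_pair(ikm)
```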