Re: [CFRG] [EXTERNAL] Re: Streamlined NTRU Prime: sntrup761

Peter C <Peter.C@ncsc.gov.uk> Fri, 12 May 2023 15:12 UTC

From: Peter C <Peter.C@ncsc.gov.uk>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 12 May 2023 15:12:43 +0000
Message-ID: <LO2P123MB492793A5C785D17ECDF2C6ABBC759@LO2P123MB4927.GBRP123.PROD.OUTLOOK.COM>
In-Reply-To: <CH0PR11MB57396AE5BFC2FA681425A7BC9F759@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <871qjm4ikm.fsf@kaka.sjd.se> <CAN8C-_LmurEBGA-e6YjNd2W0f+1gajqoSAq-F-fHOugbJO0xBg@mail.gmail.com> <CH0PR11MB57396AE5BFC2FA681425A7BC9F759@CH0PR11MB5739.namprd11.prod.outlook.com>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dKY30_Qnnt0btVP4jaRVX59ADDc>

Mike,

> At first glance, this DOES NOT appear to be aligned with
> draft-ounsworth-cfrg-kem-combiners/.
>
> First, your security considerations is not nearly long
> enough considering that taking two IND-CCA2 KEMs
> and preserving that property through a KEM combiner
> is not a straightforward topic (or one that even has
> consensus in the literature).

As described, the sntrup761+x25519 hybrid KEM will not be IND-CCA secure.

For any hybrid ciphertext C = (C1, C2) it is easy to compute an equivalent ciphertext C' = (C1', C2) that encapsulates the same shared secret K = H(K1 || K2) by simply adding a small order point to the X25519 ciphertext component C1.  (This is the equivalent public key warning from the RFC 7748 security considerations.)  One call to the decapsulation oracle recovers the shared secret.

> Second, you are proposing as the combiner:
> SHA512(K1||K2) - I assume that means SHA2-512?
> 
> I see two problems: 1)This will not be FIPS-certifiable
> under NIST SP-800 56Cr2, 2) it's not clear that SHA2
> behaves as a dual-PRF in the way you need for this
> construction to preserve IND-CCA2.

To be absolutely clear, the sntrup761+x25519 hybrid construction is less secure than using sntrup761 by itself, regardless of any assumptions made about the hash function.

Best,

Peter

Peter Campbell
Industry Liaison and International Standards
peter.c@ncsc.gov.uk
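The equivalent-ciphertext issue Peter describes can be checked concretely. The following is an added worked example by the editor, not code from this thread, from the sntrup761 draft or from any X25519 library. It uses plain affine Curve25519 arithmetic (not constant time, but it computes the same value as X25519 on valid curve points and is checked against the RFC 7748 section 6.1 Alice key pair), a constructed recipient key and ephemeral scalar, and a constructed placeholder for the sntrup761 ciphertext and shared secret, since the malleability lives entirely in the X25519 component. It shows that adding an order-8 point to C1 yields a different ciphertext that decapsulates to the same K1, so SHA-512(K1 || K2) is unchanged, and that a combiner which also hashes the ciphertexts (the approach taken by KEM combiner designs such as the one in draft-ounsworth-cfrg-kem-combiners) produces a different key for the modified ciphertext.

```python
# Added example, not code from the thread, sntrup761 or an X25519 library.
# Plain affine Curve25519 arithmetic (not constant time); equals X25519 on curve points.
import hashlib

p = 2**255 - 19
A = 486662
q = 2**252 + 27742317777372353535851937790883648493  # order of the base point u = 9
ALICE_SK = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PK = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")

def sqrt_mod_p(a):
    """Square root mod p (p = 5 mod 8), or None for a non-residue."""
    a %= p
    if a == 0:
        return 0
    x = pow(a, (p + 3) // 8, p)
    if (x * x - a) % p:
        x = x * pow(2, (p - 1) // 4, p) % p  # times sqrt(-1)
    return x if (x * x - a) % p == 0 else None

def lift(u):
    """Affine point (u, v) on v^2 = u^3 + A*u^2 + u, or None if u lies on the twist."""
    v = sqrt_mod_p(u * u * u + A * u * u + u)
    return None if v is None else (u % p, v)

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    (u1, v1), (u2, v2) = P, Q
    if u1 == u2:
        if (v1 + v2) % p == 0:
            return None  # P == -Q
        lam = (3 * u1 * u1 + 2 * A * u1 + 1) * pow(2 * v1, -1, p) % p
    else:
        lam = (v2 - v1) * pow(u2 - u1, -1, p) % p
    u3 = (lam * lam - A - u1 - u2) % p
    return (u3, (lam * (u1 - u3) - v1) % p)

def mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def clamp(sk):
    """RFC 7748 clamping: low three bits cleared, so every secret scalar is a multiple of 8."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(sk, u):
    """u-coordinate of clamp(sk) * (u, v); same value as X25519(sk, u) for curve points."""
    return mul(clamp(sk), lift(u))[0]

def enc(u):
    return (u % p).to_bytes(32, "little")

def rfc7748_vector_ok():
    """Check the arithmetic against the RFC 7748 section 6.1 Alice key pair."""
    return enc(x25519(ALICE_SK, 9)) == ALICE_PK

def find_order8_point():
    """Deterministically find a point of order 8: #E = 8q, so q*P has order dividing 8."""
    u = 2
    while True:
        P = lift(u)
        if P is not None:
            T = mul(q, P)
            if T is not None and mul(4, T) is not None:
                return T
        u += 1

def combine_naive(k1, k2):
    """The combiner quoted in the thread: SHA-512(K1 || K2)."""
    return hashlib.sha512(k1 + k2).digest()

def combine_bound(k1, k2, c1, c2):
    """Ciphertext-binding combiner: the hash also covers both ciphertext components."""
    return hashlib.sha512(k1 + k2 + c1 + c2).digest()

def demo():
    sk_r, pk_r = ALICE_SK, x25519(ALICE_SK, 9)  # constructed recipient key pair
    e = bytes(range(32))  # constructed ephemeral scalar
    c1, k1 = x25519(e, 9), enc(x25519(e, pk_r))  # X25519 ciphertext and shared secret
    c2 = b"\x5a" * 1039  # constructed stand-in for the sntrup761 ciphertext
    k2 = hashlib.sha256(b"constructed sntrup761 shared secret").digest()  # stand-in
    # Add an order-8 point T to C1. C1' differs from C1, but clamp(sk_r) is a multiple
    # of 8, so sk_r*(Q + T) == sk_r*Q and decapsulation returns the same K1.
    c1_prime = add(lift(c1), find_order8_point())[0]
    k1_prime = enc(x25519(sk_r, c1_prime))
    assert k1_prime == enc(x25519(sk_r, c1)) == k1
    return {
        "c1_changed": c1_prime != c1,
        "naive_same": combine_naive(k1, k2) == combine_naive(k1_prime, k2),
        "bound_same": combine_bound(k1, k2, enc(c1), c2)
        == combine_bound(k1_prime, k2, enc(c1_prime), c2),
    }
```

Two checks worth noting for anyone deploying an X25519-based hybrid: the all-zero output check recommended in RFC 7748 does not catch this case, because the decapsulated value is a valid non-zero secret, and rejecting small-order input points does not help either, since C1' itself has full order 8q. The only fix visible in the code is the binding combiner, which makes the derived key depend on the exact ciphertext the recipient received.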