Re: [CFRG] Kyber 'interactive key agreement'?

Thom Wiggers <thom@thomwiggers.nl> Fri, 05 August 2022 09:23 UTC

References: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com> <5CD18980-6C52-4CCA-8EF0-F7C45D1CB0F1@getmailspring.com> <CAMm+LwjfWGWR2StRtQGbahcyq+L+CGHdmsu7ZVHO8PyCnepDFg@mail.gmail.com> <950A7700-0514-416A-A0BC-43C9CB85628B@ll.mit.edu> <YuzUV9OyBUhlFTwt@LK-Perkele-VII2.locald>
In-Reply-To: <YuzUV9OyBUhlFTwt@LK-Perkele-VII2.locald>
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Fri, 05 Aug 2022 11:23:15 +0200
Message-ID: <CABzBS7nG-i6kmcvLT+Sr2s1D0m+quhPnUWeajpXc6o7fBw47wg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dU8SSdU51A7aeOTZkUsbwasYv3g>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?

Hi,

On Fri, 5 Aug 2022 at 10:27, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

> One still needs KDF. There is no guarantee that KEM directly allows
> variable-length output (KYBER does, as the final output stage is
> SHAKE-256) and even if it does, that the implementation supports that
> (the reference KYBER one does not).
>
>
As far as I know, the output length of the shared secrets in the current
version of Kyber is part of the spec and the Known-Answer Tests (KATs); so
even if it is using an XOF there, you're strictly speaking not allowed to
change it.

Now, the current KATs leave a lot to be desired, and probably fix
too many things. They even cover the secret keys, which is probably not
great for lots of applications. Also, this all might change for the final
version that NIST standardizes. If you want variable-length outputs you may
want to start a chat with NIST ;-)

Alternatively, another KDF is still fairly cheap.

Cheers,

Thom

>
> -Ilari
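Both messages above make the same practical point: the Kyber shared secret has a fixed length that the spec and KATs pin down, so anything that needs variable-length or multiple keys applies a separate KDF to that secret. The following Python is an added example written for this page, not code from the thread, from NIST, or from the Kyber reference implementation. It implements HKDF (RFC 5869) with HMAC-SHA256 and runs it over a constructed 32-byte stand-in for the KEM shared secret (no real KEM is invoked); `derive_session_keys`, its label strings and the transcript layout are assumptions made for the illustration, and the length check on the shared secret is there to enforce the fixed-size contract the thread describes.

```python
"""Added example (not from the thread): HKDF over a fixed-length KEM shared secret."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256

# Assumption for this example: the KEM hands back a fixed 32-byte shared secret,
# as the thread says the current Kyber spec and KATs require.
KEM_SS_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), output the first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: length must be <= 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(kem_shared_secret: bytes, transcript: bytes,
                        lengths: dict) -> dict:
    """Turn one fixed-length KEM secret into several keys of caller-chosen lengths.

    `transcript` (e.g. the encapsulation public key and ciphertext) is mixed into
    `info` so every derived key is bound to this particular exchange. Each label
    gets its own info string, so the outputs are independent HKDF-Expand calls.
    The label prefix "kem-demo" is an assumption of this example, not a standard.
    """
    if len(kem_shared_secret) != KEM_SS_LEN:
        raise ValueError("unexpected KEM shared-secret length; do not truncate or extend it")
    prk = hkdf_extract(b"", kem_shared_secret)
    keys = {}
    for label, n in lengths.items():
        info = b"kem-demo " + label.encode("ascii") + b"\x00" + transcript
        keys[label] = hkdf_expand(prk, info, n)
    return keys


def demo() -> dict:
    """Run the derivation on constructed inputs and return the derived keys."""
    # Constructed stand-in for a Kyber shared secret: 32 bytes from a hash, not a real KEM output.
    shared_secret = hashlib.sha256(b"constructed stand-in, not a real Kyber output").digest()
    # Constructed stand-in for the public key || ciphertext the two parties both saw.
    transcript = b"pk:" + bytes(range(8)) + b"|ct:" + bytes(range(8, 16))
    return derive_session_keys(shared_secret, transcript,
                               {"c2s-key": 32, "s2c-key": 32, "export": 64})


if __name__ == "__main__":
    for label, key in demo().items():
        print(f"{label:8s} {len(key):3d} bytes  {key.hex()}")
```

The two HKDF functions are the standard construction, so they can be checked against the RFC 5869 test vectors; `derive_session_keys` is where the thread's advice lands: the KEM output stays exactly 32 bytes, and the 64-byte "export" key and the two 32-byte direction keys come from the KDF, not from asking the KEM for more output.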