Re: [CFRG] What I want from the "KEM hybrids"

"D. J. Bernstein" <djb@cr.yp.to> Wed, 21 February 2024 08:46 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22729C14F60E for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 00:46:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l3KIEtvM-hVm for <cfrg@ietfa.amsl.com>; Wed, 21 Feb 2024 00:46:02 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 8C0E4C15109E for <cfrg@irtf.org>; Wed, 21 Feb 2024 00:46:02 -0800 (PST)
Received: (qmail 29309 invoked by uid 1010); 21 Feb 2024 08:46:01 -0000
Received: from unknown (unknown) by unknown with QMTP; 21 Feb 2024 08:46:01 -0000
Received: (qmail 836177 invoked by uid 1000); 21 Feb 2024 08:45:54 -0000
Date: Wed, 21 Feb 2024 08:45:54 -0000
Message-ID: <20240221084554.836175.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <fcb13953-13c7-41d4-991e-b19f2d9b6f00@app.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fggGRxNiHz9QRIp8gqjkNHfWwZ4>
Subject: Re: [CFRG] What I want from the "KEM hybrids"
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 08:46:07 -0000

Filippo Valsorda writes:
> Speed is of the essence.

Indeed, attackers are already recording user data in the hopes of
decrypting it with future quantum computers:

   https://www.forbes.com/sites/andygreenberg/2013/06/20/leaked-nsa-doc-says-it-can-collect-and-keep-your-encrypted-data-as-long-as-it-takes-to-crack-it
   https://www.bbc.com/news/technology-25588605

Applications that haven't upgraded already should upgrade _right now_
from (e.g.) X25519 to X25519+KEM, for some choice of KEM that hopefully
resists quantum computers. Maybe the KEM will be broken---it's deeply
concerning to see how the security levels of lattice systems keep
dropping---but that possibility isn't an excuse for inaction; we should
be _trying_ to protect the confidentiality of user data.

> Every week between the day FIPS 203 is
> published and the day these hybrids are specified is pretty much
> directly pushing back deployment.

Note that waiting for FIPS 203 in the first place is also pushing back
deployment. There's a specific reason that choosing Kyber has been
creating this type of delay for years: the text of

   https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

indicates that NIST has a patent license only for the exact version of
Kyber that has appeared in a "NIST Special Publication or Federal
Information Processing Standard". NIST modified round-3 Kyber to produce
a draft of FIPS 203; hasn't issued FIPS 203 yet; hasn't said that FIPS
203 will match the draft; and, despite my December 2022 question on this
point, hasn't published the license's definition of "EFFECTIVE DATE". So
any application using Kyber today could easily be outside the license.

Furthermore, Yunlei Zhao said in

   https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ

that "Kyber is covered by our patents". Those patents (for example,
https://patents.google.com/patent/CN107566121A/en) predate Kyber and
haven't seen any comments from NIST. There's a clear inventive for
companies to wait to see a buyout of those patents or a convincing
public analysis of why these patents _don't_ cover Kyber.

Of course, big enough companies can go ahead without serious risks since
they won't be put out of business by a patent lawsuit, and then patent
holders have a clear incentive to act within six years in the U.S. (see
https://www.law.cornell.edu/uscode/text/35/286) three years in China,
etc. But this doesn't guarantee safety after that period, and having
smaller companies wait for years on deployment is a security problem.

There are alternatives that as far as we know are patent-free and that
applications can simply roll out right now, such as NTRU-HRSS. But this
says something important about combiner design: we want a combiner that
isn't going to fail when Kyber is replaced with an alternative.

It's already well known how to achieve this: simply have the combiner
hash the transcript. The combiner is then simply asking the input KEM to
be IND-CCA2, which is exactly what most KEMs were explicitly designed to
achieve.

X-Wing doesn't hash the transcript. This creates unnecessary load on
security reviewers to figure out what happens if Kyber is replaced with
NTRU-HRSS, and---if the result is a security disaster, or if security is
unclear---to split efforts between a Kyber-specific combiner and a safer
combiner. So X-Wing should be changed to hash the transcript.

To be clear, many KEMs have been shown to _not_ provide IND-CCA2. See
https://cr.yp.to/papers.html#qrcsp for statistics. But asking KEMs for
further security properties beyond the standard IND-CCA2 property makes
failures even more likely.

---D. J. Bernstein