Re: [CFRG] How will Kyber be added to HPKE (9180)?

John Mattsson <john.mattsson@ericsson.com> Thu, 24 November 2022 18:01 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Neil Madden <neil.e.madden@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] How will Kyber be added to HPKE (9180)?
Date: Thu, 24 Nov 2022 18:01:23 +0000
Message-ID: <HE1PR0701MB3050EDBDAFD56B3742FB0164890F9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com>
In-Reply-To: <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nSt0w3Vdoyhso9zVky9DIIAqQAA>

Neil wrote:
> Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

I think that is a good idea. But I think the construction should probably be:

  *   Add the recipient identity to the message.
  *   Sign the message with Dilithium.
  *   Encrypt [recipient ID, message, signature] with HPKE-Kyber.

That is probably a good solution for CMPv3.

Cheers,
John
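The three-step construction sketched above (bind the recipient identity, sign, then encrypt the whole thing under HPKE), as an added example that is not part of this thread or of CMPv3. Kyber and Dilithium are replaced by labelled hashlib/hmac stand-ins so that the message framing and, in particular, the recipient-ID check that stops a recipient from re-encrypting the signed message to a third party can run offline; the `protect`/`unprotect` names and the length-prefixed field layout are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# --- Stand-ins, constructed for this example only (NOT Kyber/Dilithium) ---
# "Dilithium": an HMAC, so the sender's signing key doubles as the
# verification key.  A real signature scheme is public-key; only the
# message framing and the checks further down are what the example is about.
def sign(sk_s: bytes, msg: bytes) -> bytes:
    return hmac.new(sk_s, msg, hashlib.sha256).digest()

def verify(pk_s: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(pk_s, msg), sig)

# "HPKE-Kyber seal/open": a fresh random 'enc' value, a SHAKE-256 keystream
# and an HMAC tag, all keyed by the recipient's (here symmetric) key.
def hpke_seal(pk_r: bytes, pt: bytes) -> bytes:
    enc = secrets.token_bytes(32)  # plays the role of the KEM ciphertext
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(pk_r + enc).digest(len(pt))))
    return enc + ct + hmac.new(pk_r, enc + ct, hashlib.sha256).digest()

def hpke_open(sk_r: bytes, blob: bytes):
    enc, ct, tag = blob[:32], blob[32:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(sk_r, enc + ct, hashlib.sha256).digest(), tag):
        return None  # ciphertext tampered with, or not for this key
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(sk_r + enc).digest(len(ct))))

# --- The construction from the mail: sign [recipient ID, message], then
# --- encrypt [recipient ID, message, signature] to the recipient. ---
def encode(*parts: bytes) -> bytes:
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)  # 2-byte length prefixes

def decode(buf: bytes) -> list:
    out, i = [], 0
    while i + 2 <= len(buf):
        n = int.from_bytes(buf[i:i + 2], "big")
        out.append(buf[i + 2:i + 2 + n])
        i += 2 + n
    return out

def protect(sk_s: bytes, pk_r: bytes, recipient_id: bytes, message: bytes) -> bytes:
    sig = sign(sk_s, encode(recipient_id, message))  # signature covers the recipient ID
    return hpke_seal(pk_r, encode(recipient_id, message, sig))

def unprotect(sk_r: bytes, pk_s: bytes, my_id: bytes, blob: bytes):
    pt = hpke_open(sk_r, blob)
    fields = decode(pt) if pt is not None else []
    if len(fields) != 3 or fields[0] != my_id:  # malformed, or re-wrapped for someone else
        return None
    rid, msg, sig = fields
    return msg if verify(pk_s, encode(rid, msg), sig) else None
```

Without the recipient ID inside the signed and encrypted payload, a recipient could decrypt and re-encrypt the still-valid signed message to a third party; the `fields[0] != my_id` check is what rejects that.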

From: CFRG <cfrg-bounces@irtf.org> on behalf of Neil Madden <neil.e.madden@gmail.com>
Date: Thursday, 24 November 2022 at 17:00
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org <cfrg@irtf.org>
Subject: Re: [CFRG] How will Kyber be added to HPKE (9180)?

On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:

Hi CFRG!

Background: we are working to add KEM support to Certificate
Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
will eventually be 4210bis). We are planning to accomplish this by
supporting HPKE (RFC 9180) as a new message protection mechanism in
CMPv3 and hoping that we can inherit Kyber more-or-less for free once
HPKE supports it.

Question "how": How will Kyber be added to HPKE? I assume there will
be an equivalent to section 4.1 that defines KyberKEM with its own
Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
AuthDecap(enc, skR, pkS) - i.e., the same interfaces as for DHKEM (4.1),
but making use of Kyber internally? The Kyber2018 paper [1] figure 3
defines an authenticated Kyber exchange that looks like it should
easily fit into the existing HPKE APIs. In other words, will
supporting 9180 now with abstractions around those 4 functions allow
for easy drop-in of Kyber later?

Kyber does not support AuthEncap/AuthDecap. The whole reason why the Auth*
interfaces are optional is to allow for KEMs that do not allow
non-interactive authentication, like the post-quantum ones.

In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
is CSIDH (not to be confused with totally broken SIDH/SIKE), and
security of that in both classical and quantum settings is subject to
debate.

Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

-- Neil