Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 05 August 2022 18:05 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Thom Wiggers <thom@thomwiggers.nl>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?
Thread-Index: AQHYqOo1oQm4ARZDZESomMj8HeADwq2gid2A///NMoA=
Date: Fri, 05 Aug 2022 18:05:42 +0000
Message-ID: <104ACB77-C264-4605-A650-E5CFE2A2ACBB@ll.mit.edu>
References: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com> <5CD18980-6C52-4CCA-8EF0-F7C45D1CB0F1@getmailspring.com> <CAMm+LwjfWGWR2StRtQGbahcyq+L+CGHdmsu7ZVHO8PyCnepDFg@mail.gmail.com> <950A7700-0514-416A-A0BC-43C9CB85628B@ll.mit.edu> <YuzUV9OyBUhlFTwt@LK-Perkele-VII2.locald> <CABzBS7nG-i6kmcvLT+Sr2s1D0m+quhPnUWeajpXc6o7fBw47wg@mail.gmail.com> <CH0PR11MB573935F7A00290145B50E8BB9F9E9@CH0PR11MB5739.namprd11.prod.outlook.com> <DM8PR14MB523735BF8559A1B6DB04C648839E9@DM8PR14MB5237.namprd14.prod.outlook.com>
In-Reply-To: <DM8PR14MB523735BF8559A1B6DB04C648839E9@DM8PR14MB5237.namprd14.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nY5Dj1y8I_mw-RZxykuLE6a5qws>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Russ isn’t the only LAMPS chair who hates params, he’s just more vocal than me 😊

In case it matters (it may not 😉), in our protocols there are no “KDF parameters”, as all that is pre-defined and thus is implicit on the wire. 

We do not favor prolonged negotiations (“just do what you’re told” sums it up nicely 😉). 😃 

TNX

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Mike Ounsworth
Sent: Friday, August 5, 2022 12:40 PM
To: Thom Wiggers <thom@thomwiggers.nl>; Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key agreement'?

Thom said:

> Alternatively, another KDF is still fairly cheap.

At least in LAMPS-land, doing another KDF often means carrying another set of KDF params on the wire, and we all know how much Russ hates params :P

---

Mike Ounsworth

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Thom Wiggers
Sent: August 5, 2022 4:23 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: IRTF CFRG <cfrg@irtf.org>
Subject: [EXTERNAL] Re: [CFRG] Kyber 'interactive key agreement'?

Hi,

On Fri 5 Aug 2022 at 10:27, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

One still needs a KDF. There is no guarantee that a KEM directly allows
variable-length output (KYBER does, as the final output stage is
SHAKE-256) and, even if it does, that the implementation supports that
(the reference KYBER one does not).

As far as I know, the output length of the shared secrets in the current version of Kyber is part of the spec and the Known-Answer Tests (KATs); so even if it is using an XOF there, you're strictly speaking not allowed to change it.

Now, the current KATs leave a lot to be desired, and probably fix too many things. They even cover the secret keys, which is probably not great for lots of applications. Also, this all might change for the final version that NIST standardizes. If you want variable-length outputs you may want to start a chat with NIST ;-)

Alternatively, another KDF is still fairly cheap.

Cheers,

Thom

-Ilari

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
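As an added illustration of the layering discussed above (example code, not from anyone in the thread): the KEM's 32-byte shared secret is left exactly as the spec and KATs fix it, and a separate HKDF-SHA256 step with fixed, implicit parameters yields however many bytes the protocol needs, so no KDF params travel on the wire. The label, the ciphertext binding in `info` and the helper names are this example's own assumptions; the shared secret and ciphertext used in the self-check are constructed stand-ins, as no Kyber implementation is involved.

```python
import hashlib
import hmac

# Kyber's shared secret is a fixed 32-byte value whose length is pinned by the
# spec and the KATs, so an implementation must not ask the KEM's SHAKE-256
# stage for more bytes. Variable-length keys come from a separate KDF on top.
KEM_SS_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256; empty salt means all zeros."""
    return hmac.new(salt or b"\x00" * 32, ikm, "sha256").digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256, up to 255 * 32 bytes."""
    if not 0 <= length <= 255 * 32:
        raise ValueError("HKDF-SHA256 output length out of range")
    okm, t = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        t = hmac.new(prk, t + info + bytes([counter]), "sha256").digest()
        okm += t
    return okm[:length]


def derive_keys(kem_shared_secret: bytes, kem_ciphertext: bytes,
                label: bytes, lengths: list) -> list:
    """Split one fixed-length KEM secret into keys of the requested lengths.
    KDF parameters are fixed (HKDF-SHA256, empty salt, info = label ||
    SHA-256(ciphertext)), so nothing is negotiated or carried on the wire."""
    if len(kem_shared_secret) != KEM_SS_LEN:
        raise ValueError("unexpected KEM shared-secret length")
    # Hashing the ciphertext into info ties the keys to this encapsulation
    # (an assumption of this example, not something Kyber itself mandates).
    info = label + hashlib.sha256(kem_ciphertext).digest()
    okm = hkdf_expand(hkdf_extract(b"", kem_shared_secret), info, sum(lengths))
    keys, offset = [], 0
    for n in lengths:
        keys.append(okm[offset:offset + n])
        offset += n
    return keys


def rfc5869_case1_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869 test case 1."""
    ikm, salt, info = b"\x0b" * 22, bytes(range(13)), bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")
```

Because the KDF sits after the KEM, the KEM's own KAT-checked output is untouched, and a protocol that wants different key lengths later just changes the `lengths` it asks for.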