[CFRG] Kyber 'interactive key agreement'?
Phillip Hallam-Baker <phill@hallambaker.com> Tue, 02 August 2022 17:52 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D1CC14CF15 for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 10:52:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.41
X-Spam-Level:
X-Spam-Status: No, score=-1.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.248, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9uzXkwOpvkxt for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 10:52:53 -0700 (PDT)
Received: from mail-oa1-f44.google.com (mail-oa1-f44.google.com [209.85.160.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5052CC14F747 for <cfrg@irtf.org>; Tue, 2 Aug 2022 10:52:48 -0700 (PDT)
Received: by mail-oa1-f44.google.com with SMTP id 586e51a60fabf-10bd4812c29so18036204fac.11 for <cfrg@irtf.org>; Tue, 02 Aug 2022 10:52:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=U/4CKsBPfUvVEyygS/b06gJoKBrePMt9Fpb9oeuMGNM=; b=eo6QooLlMPzTmOQ+R2LzgICeuJPBwF+NtchJ0X+dFaMumrxD106GsUv8x1mFkpSbrj AcONESjHKHd+O8DPoLfhw6hcqHVI80P2TXjLbeFwMDQADrAgPiICfeuH+40FC0lpPiAE CHJOeD/bw40Q3Cqzk2xGpaMcTP3gEDv6yAdoO0f2jG9Pe944XAaKwzuyKxh5Pum6p8M3 SiBzeBK9OiC1dTet3cUI3TGCnr0OTCOKRQ6bzzca2kMhMFOWPcDPtvPBc1aEbNmJqe1O QMY4iWuGMfpdOXgnb9JndLUjg+zzKk16Q6C1cc+JWAxPMS+O+nqVtYkjfb9zhnod6l/W oCOg==
X-Gm-Message-State: ACgBeo3k/5/RXjpp7sDCcn9fDEELmquMkS4xzeZc16AFoKQMfro9azOW Jsvsw/G247SRfbT8Ph40ZiHWzSfnTHUg0XnHhwyksVVG6L4Exg==
X-Google-Smtp-Source: AA6agR6x8E83YRMw7+Ru7OH/z+7tiPM3YZI8kd9l/X6PHjbTj9qJjJbzeWBNvL3VOr91roZIV3rVLekZ2X5b3+KRSag=
X-Received: by 2002:a05:6870:9590:b0:de:27ca:c60c with SMTP id k16-20020a056870959000b000de27cac60cmr300208oao.108.1659462767118; Tue, 02 Aug 2022 10:52:47 -0700 (PDT)
MIME-Version: 1.0
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Tue, 02 Aug 2022 13:52:37 -0400
Message-ID: <CAMm+LwiW0=xcFMz=PihjWydK9HWjg34pJskszZPF8L3nvJTc+A@mail.gmail.com>
To: IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000c090ec05e545c8ef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/nnk4ysjiNn4MOUhszKVVwDOYf5s>
Subject: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 17:52:57 -0000
I am trying to understand the precise set of constraints imposed by Kyber
after looking at the source code. In particular I note the existence of
functions with the following signatures:
int crypto_kem_keypair(unsigned char *pk, unsigned char *sk)
int crypto_kem_enc(unsigned char *ct,
unsigned char *ss,
const unsigned char *pk)
int crypto_kem_dec(unsigned char *ss,
const unsigned char *ct,
const unsigned char *sk)
Where:
sk is a sequence of bytes describing a private key
pk is a sequence of bytes describing a private key
ss is a sequence of bytes being the shared secret
ct is a sequence of bytes being the ciphertext
This might not look like it is a drop in replacement for ECDH, but it is
close enough to being a drop in for ElGamal Encryption using ECDH.
[These routines call indcpa_enc, indcpa_dec which have rather different
signatures. But the external interface is drop-in as far as I can see.]
I did a search on 'malleability' in the Kyber paper and found nothing. So
perhaps a clarification of the terms.
I have the following scheme for a PQC hardened version of the DARE format:
https://www.ietf.org/archive/id/draft-hallambaker-mesh-dare-15.html
In the standard DARE ECDH exchange, there are two/three inputs to the KDF
and two outputs
Input 1: A unique per message salt
Input 2: Result of the ECDH key agreement
Output 1: The initialization vector
Output 2: The encryption key
Output 3: The authentication key (if needed)
So it seems to me like all I have to add to get to PQC is to have three
inputs to my KDF:
Input 1: A unique per message salt
Input 2: Result of the ECDH key agreement
Input 3: Result of the Kyber key agreement
Am I missing something? If so, what am I missing?
An introduction to this stuff that does not assume familiarity with a
decade of work on applying lattice theory to crypto would be very much
appreciated. I have managed to avoid COVID so far but my ability to
concentrate is much reduced after the Guillain-Barré incident.
It also occurs to me that the NIST/NSA objection to 'hybrid' systems might
well be based on very different assumptions to those of us in the IETF
community. As a design goal, it seems to me that we absolutely have to get
to the point at which we can trust pure PQC systems without a backup
conventional crypt scheme. They think in terms of decades-long procurement
cycles.
I am looking to ship experimental code this year. IETF is looking to have
standards in a few years. Both are shorter than NIST/NSA timelines. There
is absolutely no way I am going to be convinced Kyber is safe enough to be
used on its own in the next five years and it does not provide the
threshold capabilities I need even if it does. At least not yet.
- [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Bas Westerbaan
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Andreas Hülsing
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Jeff Burdges
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Mike Ounsworth
- Re: [CFRG] Kyber 'interactive key agreement'? Ilari Liusvaara
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Tim Hollebeek
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Tim Hollebeek
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth