Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?
Karthik Bhargavan <karthik.bhargavan@gmail.com> Thu, 24 November 2022 16:17 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFB5C14F728 for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 08:17:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TCNwlrX9ZtVi for <cfrg@ietfa.amsl.com>; Thu, 24 Nov 2022 08:17:20 -0800 (PST)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7FA6C14F73E for <cfrg@irtf.org>; Thu, 24 Nov 2022 08:17:20 -0800 (PST)
Received: by mail-yb1-xb31.google.com with SMTP id i131so2282716ybc.9 for <cfrg@irtf.org>; Thu, 24 Nov 2022 08:17:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mpMNtxnUYXjCX89ei2ccIRW9/BT23mz5ryzgo3LKtvY=; b=nxfwDfi6R5l8EC4DwpFxNry248AbKUDuQnlrPRB+crAQz1mp0VzT3wOTEQyL1Q7CmC 4XsX/Dv+fcF6e6URxZFkaeiRjqCCTfHO/wqR+9TtIc9c8uI5nzqiqAxlSCfliH1qSLS5 t9Hc1IATsPbjKiGghMzbcI80ThVSCFcQc2psL0uPEUCQfEol9LKstLp6z6HGNGw+/c8g zXMhteHIqT4iyDYr6jZw+aLRYkGfteTdq66CgMwUztePGjm3u3WFCi2UTadRNAOVT1pP JDoaIcYR06I09fvy5+KEF7GzqQwPV0pga0ZUng/vLoYvUk9TnTuquvMOVx6Ux9D+NfE/ 2M0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mpMNtxnUYXjCX89ei2ccIRW9/BT23mz5ryzgo3LKtvY=; b=7lW8oQxTQqIlpB9xdBT/AydJiXAWKbVov6SBp6l4A1dkc9vIyWuVmPnmYWLQAjuQ9G h2HQhdm4B2YmUN6PGoh+I7b5V9TUTeIDV1NdW4aefsACTTCmW+wxQ1Zmu9nQCV9GiK1O epKLzAcWjX/3nGfHr/6VHr6MvIqi5GigmdkME9Dh3mVHiFrxRX22HBg9u43b3xv7RoQa 3pUHeb1bPYQHRLPftPc4PA7u9jS+XfFg8xSf5GA9AGD7O9HiTNtQCrP5b8Kk32oRgxGN 5KHXWu4nYYAiYbC2HFt8ZpMT0HlHmgPPuwPRKK0Q7cmiqLl7LnkuDBxjg41VHl+RQhVJ llWg==
X-Gm-Message-State: ANoB5pmCfhqJtHA/2W3R4oUFRmMA1HJs1lcl23t2Kxqu2/wWLoQNLjNF gaK2tq5SyntFFEbeyrpxPMBx1XEVoW1aPPMtlLg=
X-Google-Smtp-Source: AA0mqf5wSZmVd7tCPD3r4VS+NtGeLmz7cYQEdmQAbhQwTBszbNnmlQa/sduvYS2NRb/K5W29qDNCyyUqCipwA8ZuY4s=
X-Received: by 2002:a25:8743:0:b0:6f0:c9e7:68bf with SMTP id e3-20020a258743000000b006f0c9e768bfmr5859989ybn.78.1669306639242; Thu, 24 Nov 2022 08:17:19 -0800 (PST)
MIME-Version: 1.0
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com> <CH0PR11MB5739444E17F33F29F6CB71689F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739444E17F33F29F6CB71689F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Thu, 24 Nov 2022 17:17:08 +0100
Message-ID: <CA+_8ft5SxUjEMuWXACd_yF6H5DUwBYFA=VeGXeOzSFhdNw_NvQ@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: Neil Madden <neil.e.madden@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000040db6505ee39bd85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/orqSZ78R-I-u2Q_M4LzBP6Sudd0>
Subject: Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Nov 2022 16:17:25 -0000
HPKE is designed as a one-shot construction, whereas Figure 3 of the Kyber [2018] paper is an interactive two message key-exchange protocol. So HPKE will not fit your needs if this two-message protocol is what you require. KEM-TLS using Kyber may be closer to what you need, if it gets standardized (https://kemtls.org/) -Karthik On Thu, Nov 24, 2022 at 5:04 PM Mike Ounsworth <Mike.Ounsworth= 40entrust.com@dmarc.ietf.org> wrote: > Thanks Neil. > > > > But wouldn’t that require the client to have a long-term signature key? > That is not our case; we need to derive MAC keys in cases where both client > and server have Kyber certificates. > > > > The general question of “how” is out-of-scope here; I’m just trying to ask > if this is possible with RFC9180 + some future extension to support Kyber. > > > > --- > > *Mike* Ounsworth > > > > *From:* CFRG <cfrg-bounces@irtf.org> *On Behalf Of * Neil Madden > *Sent:* November 24, 2022 10:01 AM > *To:* Ilari Liusvaara <ilariliusvaara@welho.com> > *Cc:* cfrg@irtf.org > *Subject:* [EXTERNAL] Re: [CFRG] How will Kyber be added to HPKE (9180)? > > > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > ------------------------------ > > > > On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > > > On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote: > > Hi CFRG! > > Background: we are working to add KEM support to Certificate > Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which > will eventually be 4210bis). We are planning to accomplish this by > supporting HPKE (RFC 9180) as a new message protection mechanism in > CMPv3 and hoping that we can inherit Kyber more-or-less for free once > HPKE supports it. > > Question "how": How will Kyber be added to HPKE? I assume there will > be an equivalent to section 4.1 that defines KyberKEM with its own > Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and > AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1), > but making use of Kyber internally? The Kyber2018 paper [1] figure 3 > defines an authenticated Kyber exchange that looks like it should > easily fit into the existing HPKE APIs. In other words, will > supporting 9180 now with abstractions around those 4 functions allow > for easy drop-in of Kyber later? > > > Kyber does not support AuthEncap/AuthDecap. The whole reason why Auth* > interfaces is optional is to allow for KEMs that do not allow non- > interactive authentication, like the post-quantum ones. > > In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap > is CSIDH (not to be confused with totally broken SIDH/SIKE), and > security of that in both classical and quantum settings is subject to > debate. > > > > Isn't there a straightforward generic construction of an AKEM from a > normal KEM plus a (PQ) signature scheme that could be used here? i.e., run > the KEM and then sign the encapsulated key? Obviously this would produce > quite large encapsulations, and a "key-pair" for such an AKEM would then be > two key-pairs encoded into one (with a covering self-signature to prevent > tampering). In principle this seems doable? > > > > -- Neil > *Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system.* > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Karthik Bhargavan
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Ilari Liusvaara
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… John Mattsson
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? John Mattsson
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Neil Madden
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Kampanakis, Panos
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Ilari Liusvaara
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Peter Gutmann
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Richard Barnes
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Bas Westerbaan
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Orie Steele
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: How will Kyber be added… Mike Ounsworth
- Re: [CFRG] How will Kyber be added to HPKE (9180)? Thom Wiggers