Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Thu, 24 November 2022 16:04 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Neil Madden <neil.e.madden@gmail.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 24 Nov 2022 16:04:11 +0000
Message-ID: <CH0PR11MB5739444E17F33F29F6CB71689F0F9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CH0PR11MB57392DCA742E5F9D3D30EF6F9F0F9@CH0PR11MB5739.namprd11.prod.outlook.com> <Y3+PkLzkHFFFG0Hi@LK-Perkele-VII2.locald> <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com>
In-Reply-To: <A8593A5F-3345-42FC-A34A-0DBC3DC873F1@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/pjlR5FuCl1ACmMbY0rM857SgTzE>
Subject: Re: [CFRG] [EXTERNAL] Re: How will Kyber be added to HPKE (9180)?
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Thanks Neil.

But wouldn't that require the client to have a long-term signature key? That is not our case; we need to derive MAC keys in cases where both client and server have Kyber certificates.

The general question of "how" is out-of-scope here; I'm just trying to ask if this is possible with RFC9180 + some future extension to support Kyber.

---
Mike Ounsworth

From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Neil Madden
Sent: November 24, 2022 10:01 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: cfrg@irtf.org
Subject: [EXTERNAL] Re: [CFRG] How will Kyber be added to HPKE (9180)?


On 24 Nov 2022, at 15:36, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:

On Thu, Nov 24, 2022 at 02:49:33PM +0000, Mike Ounsworth wrote:

Hi CFRG!

Background: we are working to add KEM support to Certificate
Management Protocol v3 (CMPv3) (draft-ietf-lamps-cmp-updates, which
will eventually be 4210bis). We are planning to accomplish this by
supporting HPKE (RFC 9180) as a new message protection mechanism in
CMPv3 and hoping that we can inherit Kyber more-or-less for free once
HPKE supports it.

Question "how": How will Kyber be added to HPKE? I assume there will
be an equivalent to section 4.1 that defines KyberKEM with its own
Encap(pkR), Decap(enc, skR), AuthEncap(pkR, skS), and
AuthDecap(enc, skR, pkS) - ie the same interfaces as for DHKEM (4.1),
but making use of Kyber internally? The Kyber2018 paper [1] figure 3
defines an authenticated Kyber exchange that looks like it should
easily fit into the existing HPKE APIs. In other words, will
supporting 9180 now with abstractions around those 4 functions allow
for easy drop-in of Kyber later?

Kyber does not support AuthEncap/AuthDecap. The whole reason why the Auth*
interfaces are optional is to allow for KEMs that do not allow non-interactive
authentication, like the post-quantum ones.

In fact, the only possibly-PQC algorithm to support AuthEncap/AuthDecap
is CSIDH (not to be confused with totally broken SIDH/SIKE), and
security of that in both classical and quantum settings is subject to
debate.

Isn't there a straightforward generic construction of an AKEM from a normal KEM plus a (PQ) signature scheme that could be used here? i.e., run the KEM and then sign the encapsulated key? Obviously this would produce quite large encapsulations, and a "key-pair" for such an AKEM would then be two key-pairs encoded into one (with a covering self-signature to prevent tampering). In principle this seems doable?

-- Neil
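The generic "run the KEM, then sign the encapsulated key" AKEM that Neil sketches, written out against the four RFC 9180 KEM interfaces as an added example (not code from this thread or from HPKE). A bare X25519 exchange stands in for the unauthenticated KEM (Kyber in the real design) and Ed25519 for the signature scheme; the choice to sign `enc` together with `pkR`, so that the encapsulation is bound to the intended recipient, is an assumption of this example, and the shared secret is the raw DH output with no KDF step.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Encap/Decap: a bare X25519 exchange stands in for the unauthenticated KEM
// (Kyber in the real design); ss is the raw DH output, no KDF step.
func Encap(pkR *ecdh.PublicKey) (enc, ss []byte, err error) {
	skE, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ss, err = skE.ECDH(pkR)
	return skE.PublicKey().Bytes(), ss, err
}
func Decap(enc []byte, skR *ecdh.PrivateKey) ([]byte, error) {
	pkE, err := ecdh.X25519().NewPublicKey(enc)
	if err != nil {
		return nil, err
	}
	return skR.ECDH(pkE)
}

// AuthEncap: run the KEM, then sign enc||pkR with the sender's long-term
// signature key; the output is enc||sig, hence the larger encapsulation.
func AuthEncap(pkR *ecdh.PublicKey, skS ed25519.PrivateKey) (authEnc, ss []byte, err error) {
	enc, ss, err := Encap(pkR)
	if err != nil {
		return nil, nil, err
	}
	sig := ed25519.Sign(skS, append(append([]byte{}, enc...), pkR.Bytes()...))
	return append(enc, sig...), ss, nil
}

// AuthDecap: decapsulate only after the signature verifies against the claimed
// sender key and this recipient's own public key (assumed binding, see lead-in).
func AuthDecap(authEnc []byte, skR *ecdh.PrivateKey, pkS ed25519.PublicKey) ([]byte, error) {
	if len(authEnc) != 32+ed25519.SignatureSize {
		return nil, errors.New("authEnc: wrong length")
	}
	enc, sig := authEnc[:32], authEnc[32:]
	msg := append(append([]byte{}, enc...), skR.PublicKey().Bytes()...)
	if !ed25519.Verify(pkS, msg, sig) {
		return nil, errors.New("sender signature does not verify")
	}
	return Decap(enc, skR)
}
```

The recipient rejects the encapsulation when the sender key is wrong, when `enc` is tampered with, or when the same encapsulation is replayed to a different recipient key.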