Re: [CFRG] Kyber 'interactive key agreement'?
Thom Wiggers <thom@thomwiggers.nl> Tue, 02 August 2022 19:51 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 779E1C14792F for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 12:51:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKD8CTdXIMrI for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 12:51:26 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BDDDC14F6E5 for <cfrg@irtf.org>; Tue, 2 Aug 2022 12:51:26 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id y127so25194718yby.8 for <cfrg@irtf.org>; Tue, 02 Aug 2022 12:51:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=vdG+EnViLiblbqUhROzyP32Ka7zyfPyKyhw4KVFmNo0=; b=iot7r+0akB60pyWVy3QcOg2IRW7wEcbC3kXwuWwQ3CL7d1s4CJGSmy+h7XTYDh1Chk pV0JMUmeUB+J4PR7WEWsgMDzr4zh/Osptvhk6UaKkyH9GO7as96mvjwHyX9YOMlwx6h/ a6E/2b1lEbPEL8KCahywjsnA5YahlxPYHli90=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=vdG+EnViLiblbqUhROzyP32Ka7zyfPyKyhw4KVFmNo0=; b=zAjHaJaEcW2dHxDfQbwwU165U0+/YknVlqO/kn5pocau9C7jHpMX38gptNE75ac4SG n5Br2FARSo9cmPXCIdiSof4pSK8L+qoWo7WqoxeZ1SorHSWhjs9UW6sYAjcUqag3qlst jgAPTccDlsHc01ewffmH1z6erh1jtCYfpHIWNIb6b2gGt/1ash5aKO1ImHzCy5UT7L4N 2pc3iZuEplFn5TSRVD9bxFiBVjC2PQS0oADi7e0accq+IylfTsroLnsLxFRhZE6DA/a9 MB0hXocH0Ur+lOSk4tozwuuPOvCCGgFnUO1zHt/GWz4JnQ6ivcJueV/Ixt6PxU40cbV1 aEiw==
X-Gm-Message-State: ACgBeo3ttnpSnVIYpub9ZkcZ9oTssCLJ/Uj1pTIGNtsM00q7fnli6gYs 9iR94ZxEdPtB7hfvcKeayf0dn1G1tmAK1Y6sj9qKoA==
X-Google-Smtp-Source: AA6agR7dNk1oYCqdr0qkEFvW3RuxO4RrO+gWTpiMYL9A87l48SBQ/+hisvSkkaf/Ud9xUNMh1WWxIXE8+US8WET+dI0=
X-Received: by 2002:a5b:89:0:b0:671:10c6:4618 with SMTP id b9-20020a5b0089000000b0067110c64618mr16454446ybp.27.1659469885238; Tue, 02 Aug 2022 12:51:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiW0=xcFMz=PihjWydK9HWjg34pJskszZPF8L3nvJTc+A@mail.gmail.com> <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com>
In-Reply-To: <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com>
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Tue, 02 Aug 2022 21:51:14 +0200
Message-ID: <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000006850205e5477138"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rG2ReOSbnXoDLXyfHIPY_XgymOI>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 19:51:30 -0000
Hi Philip, The most common situations I've found where KEMs don't work as a drop-in for DH are when you want to do some authentication scheme. For example, consider the OPTLS/draft-tls-semistatic proposals. In OPTLS, the client sends over a g^x as usual, but the server takes that public key and directly combines it with its long-term DH secret s to compute g^{xs} (which OPTLS uses to compute a MAC). That's precisely the DH operation that KEMs don't give you. To do OPTLS with KEMs, you need an extra round-trip: the client needs to first receive the long-term KEM secret before it can send back an encapsulation.[1] KEMTLS/draft-celi-wiggers-tls-authkem uses some tricks to do basically that, but avoid the round-trip. Ephemeral KEM key exchange in TLS (1.3) doesn't have this problem, because authentication is done via signature. Plain old signatures are generally non-interactive (putting all of the additional PQ signatures baggage aside). DH is amazingly symmetric in its operations, and it seems to be turning out that this property was a big gift. In some discussions with Trevor Perrin about Noise protocols it seemed that there are two obvious ways out of this mess (at least for Noise protocols): an extra round-trip, or adding signatures. Of course, adding either to a protocol that did not have them is kind of a bummer. Cheers, Thom [1]: This was first discussed, as far as we're aware of, in the master's thesis of Wouter Kuhnen (OPTLS revisited, section 6.2) http://www.ru.nl/publish/pages/769526/thesis-final.pdf Op di 2 aug. 2022 om 19:58 schreef Bas Westerbaan <bas= 40cloudflare.com@dmarc.ietf.org>: > This might not look like it is a drop in replacement for ECDH, >> > > It is not. But for TLS it is sufficient: client generates a keypair and > sends pk. Server encapsulates for that pk and returns the created > ciphertext. > > >> [These routines call indcpa_enc, indcpa_dec which have rather different >> signatures. But the external interface is drop-in as far as I can see.] >> > > Don't use those. > > >> I did a search on 'malleability' in the Kyber paper and found nothing. So >> perhaps a clarification of the terms. >> > > The term you want to search for is IND-CCA2. > > Best, > > Bas > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Bas Westerbaan
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Andreas Hülsing
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Jeff Burdges
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Mike Ounsworth
- Re: [CFRG] Kyber 'interactive key agreement'? Ilari Liusvaara
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Tim Hollebeek
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Tim Hollebeek
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth