Re: [CFRG] Kyber 'interactive key agreement'?
Thom Wiggers <thom@thomwiggers.nl> Tue, 02 August 2022 19:51 UTC
Return-Path: <thom@thomwiggers.nl>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 779E1C14792F for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 12:51:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomwiggers.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKD8CTdXIMrI for <cfrg@ietfa.amsl.com>; Tue, 2 Aug 2022 12:51:26 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BDDDC14F6E5 for <cfrg@irtf.org>; Tue, 2 Aug 2022 12:51:26 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id y127so25194718yby.8 for <cfrg@irtf.org>; Tue, 02 Aug 2022 12:51:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomwiggers.nl; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=vdG+EnViLiblbqUhROzyP32Ka7zyfPyKyhw4KVFmNo0=; b=iot7r+0akB60pyWVy3QcOg2IRW7wEcbC3kXwuWwQ3CL7d1s4CJGSmy+h7XTYDh1Chk pV0JMUmeUB+J4PR7WEWsgMDzr4zh/Osptvhk6UaKkyH9GO7as96mvjwHyX9YOMlwx6h/ a6E/2b1lEbPEL8KCahywjsnA5YahlxPYHli90=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=vdG+EnViLiblbqUhROzyP32Ka7zyfPyKyhw4KVFmNo0=; b=zAjHaJaEcW2dHxDfQbwwU165U0+/YknVlqO/kn5pocau9C7jHpMX38gptNE75ac4SG n5Br2FARSo9cmPXCIdiSof4pSK8L+qoWo7WqoxeZ1SorHSWhjs9UW6sYAjcUqag3qlst jgAPTccDlsHc01ewffmH1z6erh1jtCYfpHIWNIb6b2gGt/1ash5aKO1ImHzCy5UT7L4N 2pc3iZuEplFn5TSRVD9bxFiBVjC2PQS0oADi7e0accq+IylfTsroLnsLxFRhZE6DA/a9 MB0hXocH0Ur+lOSk4tozwuuPOvCCGgFnUO1zHt/GWz4JnQ6ivcJueV/Ixt6PxU40cbV1 aEiw==
X-Gm-Message-State: ACgBeo3ttnpSnVIYpub9ZkcZ9oTssCLJ/Uj1pTIGNtsM00q7fnli6gYs 9iR94ZxEdPtB7hfvcKeayf0dn1G1tmAK1Y6sj9qKoA==
X-Google-Smtp-Source: AA6agR7dNk1oYCqdr0qkEFvW3RuxO4RrO+gWTpiMYL9A87l48SBQ/+hisvSkkaf/Ud9xUNMh1WWxIXE8+US8WET+dI0=
X-Received: by 2002:a5b:89:0:b0:671:10c6:4618 with SMTP id b9-20020a5b0089000000b0067110c64618mr16454446ybp.27.1659469885238; Tue, 02 Aug 2022 12:51:25 -0700 (PDT)
MIME-Version: 1.0
References: <CAMm+LwiW0=xcFMz=PihjWydK9HWjg34pJskszZPF8L3nvJTc+A@mail.gmail.com> <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com>
In-Reply-To: <CAMjbhoUYi4gg=asrgW5D6jxQC4RATK0piZP-bi-+kwFhPUEMmA@mail.gmail.com>
From: Thom Wiggers <thom@thomwiggers.nl>
Date: Tue, 02 Aug 2022 21:51:14 +0200
Message-ID: <CABzBS7mK92M2ome+taYVjDcsi_crsjHttm8d63NN0gcO0xF3Hw@mail.gmail.com>
To: Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IRTF CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="00000000000006850205e5477138"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/rG2ReOSbnXoDLXyfHIPY_XgymOI>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 19:51:30 -0000
Hi Philip,
The most common situations I've found where KEMs don't work as a drop-in
for DH are when you want to do some authentication scheme.
For example, consider the OPTLS/draft-tls-semistatic proposals. In OPTLS,
the client sends over a g^x as usual, but the server takes that public key
and directly combines it with its long-term DH secret s to compute g^{xs}
(which OPTLS uses to compute a MAC). That's precisely the DH operation that
KEMs don't give you. To do OPTLS with KEMs, you need an extra round-trip:
the client needs to first receive the long-term KEM secret before it can
send back an encapsulation.[1] KEMTLS/draft-celi-wiggers-tls-authkem uses
some tricks to do basically that, but avoid the round-trip.
Ephemeral KEM key exchange in TLS (1.3) doesn't have this problem, because
authentication is done via signature. Plain old signatures are generally
non-interactive (putting all of the additional PQ signatures baggage aside).
DH is amazingly symmetric in its operations, and it seems to be turning out
that this property was a big gift.
In some discussions with Trevor Perrin about Noise protocols it seemed that
there are two obvious ways out of this mess (at least for Noise protocols):
an extra round-trip, or adding signatures. Of course, adding either to a
protocol that did not have them is kind of a bummer.
Cheers,
Thom
[1]: This was first discussed, as far as we're aware of, in the master's
thesis of Wouter Kuhnen (OPTLS revisited, section 6.2)
http://www.ru.nl/publish/pages/769526/thesis-final.pdf
Op di 2 aug. 2022 om 19:58 schreef Bas Westerbaan <bas=
40cloudflare.com@dmarc.ietf.org>:
> This might not look like it is a drop in replacement for ECDH,
>>
>
> It is not. But for TLS it is sufficient: client generates a keypair and
> sends pk. Server encapsulates for that pk and returns the created
> ciphertext.
>
>
>> [These routines call indcpa_enc, indcpa_dec which have rather different
>> signatures. But the external interface is drop-in as far as I can see.]
>>
>
> Don't use those.
>
>
>> I did a search on 'malleability' in the Kyber paper and found nothing. So
>> perhaps a clarification of the terms.
>>
>
> The term you want to search for is IND-CCA2.
>
> Best,
>
> Bas
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
- [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Bas Westerbaan
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Andreas Hülsing
- Re: [CFRG] Kyber 'interactive key agreement'? John Mattsson
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Jeff Burdges
- Re: [CFRG] Kyber 'interactive key agreement'? Phillip Hallam-Baker
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Mike Ounsworth
- Re: [CFRG] Kyber 'interactive key agreement'? Ilari Liusvaara
- Re: [CFRG] Kyber 'interactive key agreement'? Thom Wiggers
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] Kyber 'interactive key agreement'? Tim Hollebeek
- Re: [CFRG] Kyber 'interactive key agreement'? Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Tim Hollebeek
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] [EXTERNAL] Re: Kyber 'interactive key … Mike Ounsworth