Re: [CFRG] [EXTERNAL] Re: Streamlined NTRU Prime: sntrup761

Peter C <Peter.C@ncsc.gov.uk> Fri, 12 May 2023 21:49 UTC

From: Peter C <Peter.C@ncsc.gov.uk>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Date: Fri, 12 May 2023 21:48:58 +0000
Message-ID: <LO2P123MB4927ABC0807EDA8ECD5B3F1CBC759@LO2P123MB4927.GBRP123.PROD.OUTLOOK.COM>
References: <871qjm4ikm.fsf@kaka.sjd.se> <CAN8C-_LmurEBGA-e6YjNd2W0f+1gajqoSAq-F-fHOugbJO0xBg@mail.gmail.com> <CH0PR11MB57396AE5BFC2FA681425A7BC9F759@CH0PR11MB5739.namprd11.prod.outlook.com> <LO2P123MB492793A5C785D17ECDF2C6ABBC759@LO2P123MB4927.GBRP123.PROD.OUTLOOK.COM> <CH0PR11MB57397C6048EF71AC477B268B9F759@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB573955922D5A757483440B389F759@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB573955922D5A757483440B389F759@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/twyyuf3JJ53EzJPjYMTdFK0KOHE>
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

Mike,

> Thinking on this a bit more since I sent my last reply.
> 
> Streamlined NTRU Prime is IND-CCA2 as per [1] section 7.1. 
> X25519 may or may not be IND-CCA2 depending on the
> implementation consideration noted in the security
> considerations of RFC7748.

Sorry, I don't think I was clear enough.  The part of the RFC 7748 security considerations I meant was:

"Designers using these curves should be aware that for each public key, there are several publicly computable public keys that are equivalent to it, i.e., they produce the same shared secrets.  Thus using a public key as an identifier and knowledge of a shared secret as proof of ownership (without including the public keys in the key derivation) might lead to subtle vulnerabilities."

Clamping in X25519 means that for any private key a we have [a]Q = O when Q is a point of small order.  (This is the non-contributory issue you quoted.)  However, it also means that given any public key B we can easily compute a different public key B' = B + Q that gives 

[a]B' = [a](B + Q) = [a]B + [a]Q = [a]B + O = [a]B;

i.e., the same shared secret.  (This is the equivalent public key issue quoted above.)

Equivalent public keys are the consequence of an intentional design choice, not an implementation issue.  Vanilla X25519 viewed as a KEM is not IND-CCA secure, even if you hash the shared secret (without including the ciphertext) and limit it to a single oracle call.  For IND-CCA security, you really need something much closer to DHKEM from RFC 9180.

> The combiner proposed in this draft:
> SHA2-512(K1||K2)
> Is IND-CCA2 if-and-only-if both of the underlying KEM
> primitives are. IE it propagates the weaker of the two
> properties.

I was only arguing that the specific sntrup761+x25519 hybrid construction is not IND-CCA secure.  I don't think it's necessarily true in general that an IND-CCA attack on one of the component KEMs always leads to an IND-CCA attack on the hybrid KEM.    

> Whereas draft-ounsworth-cfrg-kem-combiners-03:
> KDF(counter || k_1 || ... || k_n || fixedInfo, outputBits)
> k_i = H(ss_i || ct_i) Is IND-CCA2 if either underlying KEM
> primitives are. IE it propagates the stronger of the two properties.

Again, I'd be cautious about claiming this in general.  There was a discussion of whether existing IND-CCA security proofs adequately covered this construction.  I'm not sure what the outcome of that was, but I suspect it depends on the specific assumptions you are making.  On the other hand, hashing the shared secrets with the ciphertexts does block IND-CCA attacks that rely on equivalent ciphertexts.

Peter

Peter Campbell
Industry Liaison and International Standards
peter.c@ncsc.gov.uk
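An added worked example follows. It is not part of Peter's message, of the sntrup761x25519 draft, or of draft-ounsworth-cfrg-kem-combiners; it is a pure-Python model of the two points made above: that B' = B + Q (Q of small order) is a distinct X25519 public key giving the same shared secret, and that SHA2-512(K1||K2) cannot tell B from B' while a combiner that hashes the ciphertext alongside the secret can. Assumptions of the example: point addition is done on the twisted Edwards form of Curve25519 (Ed25519 coordinates) and mapped to Montgomery u-coordinates for the RFC 7748 ladder; Q is the order-4 point whose u-coordinate is 1; the private keys are the RFC 7748 section 6.1 test vectors; K1 is a constructed stand-in for the sntrup761 secret, which the example does not compute; and "H(ss||ct)" is modelled as SHA-512 over the X25519 secret and the X25519 public-key part of the ciphertext only, a simplification of the draft's KDF(counter || k_1 || ... || fixedInfo). All function names are the example's own.

```python
# Added example; not code from the thread, the sntrup761x25519 draft or the
# kem-combiners draft.  Models X25519 equivalent public keys (B' = B + Q for a
# small-order Q) and what the two combiners discussed above do with them.
# Point arithmetic uses the twisted Edwards form of Curve25519 so that points
# can be added, then maps to Montgomery u-coordinates for the RFC 7748 ladder.
# Nothing here is constant-time: it is a demonstration, not a library.
import hashlib

p = 2**255 - 19
d = (-121665 * pow(121666, p - 2, p)) % p    # Edwards constant -121665/121666
I = pow(2, (p - 1) // 4, p)                  # a square root of -1 mod p
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
Q4 = (I, 0)   # point of order 4; its Montgomery u-coordinate is 1

def inv(x):
    return pow(x, p - 2, p)     # inv(0) == 0, which is how O is encoded below

def ed_add(P, Q):
    """Complete addition on -x^2 + y^2 = 1 + d x^2 y^2 (also used for doubling)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 % p * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * inv((1 + t) % p) % p,
            (y1 * y2 + x1 * x2) * inv((1 - t) % p) % p)

def ed_mul(k, P):
    R = (0, 1)                                   # neutral element
    while k:
        if k & 1:
            R = ed_add(R, P)
        P = ed_add(P, P)
        k >>= 1
    return R

def to_u(P):
    """Birational map Edwards (x, y) -> Montgomery u = (1 + y) / (1 - y); O -> 0."""
    return (1 + P[1]) * inv((1 - P[1]) % p) % p

def clamp(sk):
    """RFC 7748 scalar decoding: the low 3 bits are cleared, so 8 divides k."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k, u):
    """RFC 7748 Montgomery ladder: u-coordinate of [k]P, or 0 if [k]P is O."""
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                            # conditional swap (not constant-time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % p, (x2 - z2) % p
        aa, bb = a * a % p, b * b % p
        e = (aa - bb) % p
        c, dd = (x3 + z3) % p, (x3 - z3) % p
        da, cb = dd * a % p, c * b % p
        x3, z3 = (da + cb) ** 2 % p, u * (da - cb) ** 2 % p
        x2, z2 = aa * bb % p, e * (aa + 121665 * e) % p
    if swap:
        x2, z2 = x3, z3
    return x2 * inv(z2) % p

def enc(u):
    return u.to_bytes(32, "little")

def equivalent_keys(sk_a, sk_b):
    """Return (u(B), u(B'), X25519(a, B), X25519(a, B')) with B' = B + Q4."""
    a, b = clamp(sk_a), clamp(sk_b)
    B = ed_mul(b, G)
    Bp = ed_add(B, Q4)
    return to_u(B), to_u(Bp), x25519(a, to_u(B)), x25519(a, to_u(Bp))

def naive_combine(k1, k2):
    """SHA2-512(K1 || K2) as quoted from the sntrup761x25519 draft."""
    return hashlib.sha512(k1 + k2).digest()

def ct_bound_combine(ss, ct):
    """Simplified k_i = H(ss_i || ct_i) step of the kem-combiners draft, H = SHA-512."""
    return hashlib.sha512(ss + ct).digest()

if __name__ == "__main__":
    # RFC 7748 section 6.1 test-vector private keys; K1 is a constructed stand-in
    # for the sntrup761 shared secret, which this model does not compute.
    sk_a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    sk_b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    K1 = b"\x11" * 32
    uB, uBp, ss, ssp = equivalent_keys(sk_a, sk_b)
    print("distinct public keys:", uB != uBp, " same X25519 secret:", ss == ssp)
    print("small-order input gives all-zero secret:", x25519(clamp(sk_a), 1) == 0)
    print("SHA512(K1||K2) identical for B and B':",
          naive_combine(K1, enc(ss)) == naive_combine(K1, enc(ssp)))
    print("H(ss||ct) differs for B and B':",
          ct_bound_combine(enc(ss), enc(uB)) != ct_bound_combine(enc(ssp), enc(uBp)))
```

Run it with python3; it needs only the standard library. The ladder and the Edwards arithmetic are two independent routes to u([a]B), which is the internal consistency check to rely on when modifying the example. Note that in the real hybrid the X25519 public key B is only one part of the ciphertext, so an attacker who swaps B for B' has changed the ciphertext bytes without changing SHA2-512(K1||K2); the point of hashing ct_i alongside ss_i is exactly to make that swap visible in the derived key.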