Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt
Mike Ounsworth <Mike.Ounsworth@entrust.com> Sat, 26 November 2022 14:28 UTC
From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Nimrod Aviram <nimrod.aviram@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt
Thread-Index: AQHZAT2+M2GObc38jEOGbetYv86SMK5QeQnAgADIH4CAAAE+kA==
Date: Sat, 26 Nov 2022 14:28:10 +0000
Message-ID: <CH0PR11MB5739ACF5CBE1E3F0966C5D609F119@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <166942925722.40317.11729364720866332715@ietfa.amsl.com> <CH0PR11MB5739B3970AACEED27E94C7519F119@CH0PR11MB5739.namprd11.prod.outlook.com> <CABiKAoTyjE8Vg-UJvWj6Nai7DuvwOTHpk2O19VCQ8n86PyXb4g@mail.gmail.com>
In-Reply-To: <CABiKAoTyjE8Vg-UJvWj6Nai7DuvwOTHpk2O19VCQ8n86PyXb4g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wxlCNDKH0k2Upw6YJ7nN1pKyJdM>
Subject: Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt
Thank you for the review Nimrod! I look forward to reading the discussion.

I will change the abstract from:

    RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet this criteria and therefore be safe to use with the simplified KEM combiner.

To:

    RSA-KEM [RFC5990], ECDH [SEC1], Edwards curve DH [RFC7748], and CRYSTALS-Kyber [I-D.cfrg-schwabe-kyber] are shown to meet this criteria, when implemented as per the listed specification, and therefore are safe to use with the simplified KEM combiner. Care should be taken with implementations that are similar but not identical to those analyzed in this document.

Is that strong enough wording?

---
Mike Ounsworth

From: Nimrod Aviram <nimrod.aviram@gmail.com>
Sent: November 26, 2022 8:18 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: cfrg@irtf.org
Subject: Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

Hi Everyone,

A few remarks off the top of my head:

- I think Douglas and myself are agreed about the facts, but politely disagree on their interpretation. There are no known attacks against this construction when the underlying hash function is collision resistant. There are also no known proofs of this construction, under any assumption. The disagreement is whether this state merits using the construction (I think not, Douglas thinks yes, and he also has good practical reasons for recommending this construction).
- "considered to be a dual PRF in practice" - I am unsure what this statement is based on. Who considers it a dual-PRF in practice?
- As referred to in this document, ECDH and Edwards curve DH indeed use a KDF internally to produce the shared secret. However, one could easily read "ECDH" and understand that to mean g^xy over the appropriate group, without using a KDF. I would suggest clarifying that somehow even in the Abstract, though I'm not sure exactly how.

best,
Nimrod

On Sat, 26 Nov 2022 at 04:25, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:

Hi CFRG!

How to combine the output of two KEMs into a single shared secret is coming up in a bunch of places:

1. anywhere that's doing KEM/PSK hybrids
2. anywhere that’s doing Post-Quantum / Traditional hybrid KEMs (TLS, CMS, OpenPGP, JOSE/COSE, etc), and
3. anywhere that’s trying to replace a static-static DH with KEMs needs to do a KEM in each direction and combine them (see my recent thread “How will Kyber be added to HPKE?”).

At TLS 113, Douglas Stebila presented draft-ietf-tls-hybrid-design and a discussion ensued about whether KDF( ss1 || ss2 ) is a sound choice of combiner, with Stebila saying “It’s fine” and Nimrod Aviram saying “But we could do better with a real Dual PRF!”. As far as I know, this debate is unresolved, so I think we need to document the standard way of doing this with any applicable caveats because people *are* doing this. This draft hopefully is not groundbreaking, just giving us something to point at so we’re all doing it the same way.

Disclaimer: I am not a cryptographer. I would love critique (I’m willing to offer co-authorship) to tighten up the security analysis and the statements about where this construction is and is not safe to use.

---
Mike Ounsworth

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: November 25, 2022 8:21 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

A new version of I-D, draft-ounsworth-cfrg-kem-combiners-00.txt has been successfully submitted by Mike Ounsworth and posted to the IETF repository.

Name: draft-ounsworth-cfrg-kem-combiners
Revision: 00
Title: Combiner function for hybrid key encapsulation mechanisms (Hybrid KEMs)
Document date: 2022-11-25
Group: Individual Submission
Pages: 14
URL: https://www.ietf.org/archive/id/draft-ounsworth-cfrg-kem-combiners-00.txt
Status: https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/
Htmlized: https://datatracker.ietf.org/doc/html/draft-ounsworth-cfrg-kem-combiners

Abstract:
The migration to post-quantum cryptography often calls for performing multiple key encapsulations in parallel and then combining their outputs to derive a single shared secret.

This document defines the KEM combiner KDF( H(ss1) || H(ss2) ) which is considered to be a dual PRF in practice, even though not provably secure. This mechanism simplifies to KDF( ss1 || ss2 ) when used with a KEM which internally uses a KDF to produce its shared secret. RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet this criteria and therefore be safe to use with the simplified KEM combiner.

The IETF Secretariat

_______________________________________________
CFRG mailing list
CFRG@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg
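Both combiner forms named in the quoted abstract, written out as an added worked example (this is not code from the thread, from draft-ounsworth-cfrg-kem-combiners, or from any of the specifications it cites). H is instantiated here as SHA-256 and KDF as HKDF over HMAC-SHA256 (RFC 5869); the info label, the sample secrets and the length guard in the simplified form are this example's own assumptions rather than anything the draft fixes. It also exercises Nimrod's remark about "ECDH" being read as a raw g^xy: an unhashed point encoding goes through the general combiner unchanged in form, while the simplified form, whose precondition is a fixed-length KDF-derived secret, refuses it.

```python
import hashlib
import hmac

# Added example; not code from the thread or from draft-ounsworth-cfrg-kem-combiners.
# Instantiates KDF( H(ss1) || H(ss2) ) with H = SHA-256 and KDF = HKDF-SHA256
# (RFC 5869), plus the simplified form KDF( ss1 || ss2 ). These instantiations,
# the info label and the sample secrets are assumptions made for this example.

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf(ikm: bytes, length: int, salt: bytes = b"", info: bytes = b"") -> bytes:
    """HKDF-Extract followed by HKDF-Expand (RFC 5869) using HMAC-SHA256."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt is HashLen zero octets
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n), with T(0) the empty string
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_general(ss1: bytes, ss2: bytes, info: bytes = b"", length: int = 32) -> bytes:
    """KDF( H(ss1) || H(ss2) ), the general combiner from the draft abstract.

    Hashing each shared secret first means the KDF always sees two fixed-length
    blocks, whatever size or encoding the underlying KEMs produce."""
    return hkdf(HASH(ss1).digest() + HASH(ss2).digest(), length, info=info)


def combine_simplified(ss1: bytes, ss2: bytes, info: bytes = b"",
                       length: int = 32, expected_len: int = HASH_LEN) -> bytes:
    """KDF( ss1 || ss2 ), the simplified combiner.

    The draft allows this only when each KEM already runs its raw output through
    a KDF, so each ss_i is a fixed-length pseudorandom string. That property
    cannot be verified from the bytes alone; the length check (expected_len is
    an assumption of this example) only catches the obvious misuse of feeding a
    variable-length or raw encoding, such as an unhashed EC point, to this form."""
    if len(ss1) != expected_len or len(ss2) != expected_len:
        raise ValueError("simplified combiner needs fixed-length KDF-derived shared secrets")
    return hkdf(ss1 + ss2, length, info=info)


def demo() -> dict:
    """Run both combiners on constructed sample secrets and report the results."""
    info = b"example hybrid KEM label"      # constructed context string
    ss1 = bytes(range(32))                 # constructed stand-in for a 32-byte KEM secret
    ss2 = HASH(b"constructed stand-in for KEM 2").digest()
    # Constructed stand-in for an uncompressed P-256 point (0x04 || X || Y) used as a
    # raw, unhashed "ECDH" output: accepted by the general combiner, rejected by the
    # simplified one.
    raw_point = b"\x04" + bytes(64)
    try:
        combine_simplified(raw_point, ss2, info=info)
        raw_point_rejected = False
    except ValueError:
        raw_point_rejected = True
    return {
        "general": combine_general(ss1, ss2, info=info),
        "simplified": combine_simplified(ss1, ss2, info=info),
        "general_raw_point": combine_general(raw_point, ss2, info=info),
        "raw_point_rejected": raw_point_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The two forms are not interchangeable: KDF( H(ss1) || H(ss2) ) and KDF( ss1 || ss2 ) give different keys for the same inputs, so a hybrid profile has to fix one of them, and the simplified one only where every KEM in the hybrid meets the "internally uses a KDF" condition the abstract states.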