Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

Mike Ounsworth <Mike.Ounsworth@entrust.com> Sat, 26 November 2022 14:28 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: Nimrod Aviram <nimrod.aviram@gmail.com>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Sat, 26 Nov 2022 14:28:10 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wxlCNDKH0k2Upw6YJ7nN1pKyJdM>

Thank you for the review Nimrod!

I look forward to reading the discussion.


I will change the abstract from:

    RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet this criteria and therefore be safe to use with the simplified KEM combiner.

To:

    RSA-KEM [RFC5990], ECDH [SEC1], Edwards curve DH [RFC7748], and CRYSTALS-Kyber [I-D.cfrg-schwabe-kyber] are shown to meet this criteria, when implemented as per the listed specification, and therefore are safe to use with the simplified KEM combiner. Care should be taken with implementations that are similar but not identical to those analyzed in this document.

Is that strong enough wording?

---
Mike Ounsworth

From: Nimrod Aviram <nimrod.aviram@gmail.com>
Sent: November 26, 2022 8:18 AM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: cfrg@irtf.org
Subject: Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

Hi Everyone,

A few remarks off the top of my head:
- I think Douglas and I are agreed about the facts, but politely disagree on their interpretation. There are no known attacks against this construction when the underlying hash function is collision resistant. There are also no known proofs of this construction, under any assumption. The disagreement is whether this state merits using the construction (I think not, Douglas thinks yes, and he also has good practical reasons for recommending this construction).

- "considered to be a dual PRF in practice" - I am unsure what this statement is based on. Who considers it a dual-PRF in practice?

- As referred to in this document, ECDH and Edwards curve DH indeed use a KDF internally to produce the shared secret. However, one could easily read "ECDH" and understand that to mean g^xy over the appropriate group, without using a KDF. I would suggest clarifying that somehow even in the Abstract, though I'm not sure exactly how.

best,
Nimrod


On Sat, 26 Nov 2022 at 04:25, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
Hi CFRG!

How to combine the output of two KEMs into a single shared secret is coming up in a bunch of places: 1. anywhere that's doing KEM/PSK hybrids 2. anywhere that’s doing Post-Quantum / Traditional hybrid KEMs (TLS, CMS, OpenPGP, JOSE/COSE, etc), and 3. anywhere that’s trying to replace a static-static DH with KEMs needs to do a KEM in each direction and combine them (see my recent thread “How will Kyber be added to HPKE?”).

At TLS 113, Douglas Stebila presented draft-ietf-tls-hybrid-design and a discussion ensued about whether KDF( ss1 || ss2 ) is a sound choice of combiner with Stebila saying “It’s fine” and Nimrod Aviram saying “But we could do better with a real Dual PRF!”. As far as I know, this debate is unresolved, so I think we need to document the standard way of doing this with any applicable caveats because people *are* doing this. This draft hopefully is not groundbreaking, just giving us something to point at so we’re all doing it the same way.

Disclaimer: I am not a cryptographer. I would love critique (I’m willing to offer co-authorship) to tighten up the security analysis and the statements about where this construction is and is not safe to use.


---
Mike Ounsworth

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: November 25, 2022 8:21 PM
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt

______________________________________________________________________

A new version of I-D, draft-ounsworth-cfrg-kem-combiners-00.txt
has been successfully submitted by Mike Ounsworth and posted to the IETF repository.

Name:           draft-ounsworth-cfrg-kem-combiners
Revision:       00
Title:          Combiner function for hybrid key encapsulation mechanisms (Hybrid KEMs)
Document date:  2022-11-25
Group:          Individual Submission
Pages:          14
URL:            https://www.ietf.org/archive/id/draft-ounsworth-cfrg-kem-combiners-00.txt
Status:         https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ounsworth-cfrg-kem-combiners


Abstract:
   The migration to post-quantum cryptography often calls for performing
   multiple key encapsulations in parallel and then combining their
   outputs to derive a single shared secret.

   This document defines the KEM combiner KDF( H(ss1) || H(ss2) ) which
   is considered to be a dual PRF in practice, even though not provably
   secure.  This mechanism simplifies to KDF( ss1 || ss2 ) when used
   with a KEM which internally uses a KDF to produce its shared secret.
   RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet
   this criteria and therefore be safe to use with the simplified KEM
   combiner.




The IETF Secretariat
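The two combiner forms named in the abstract, KDF( H(ss1) || H(ss2) ) and the simplified KDF( ss1 || ss2 ), written out as an added example; this is not code from the draft or its authors. It assumes H = SHA-256 and KDF = HKDF-SHA256 (RFC 5869), and the fixed-length input check is a constructed stand-in for the abstract's condition that a KEM "internally uses a KDF to produce its shared secret".

```python
import hashlib
import hmac

# Added example, not the draft's code. Assumed primitives: H = SHA-256,
# KDF = HKDF-SHA256 from RFC 5869, both implemented with the standard library.
HASH = "sha256"
HLEN = hashlib.new(HASH).digest_size  # 32 bytes


def hkdf(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt or bytes(HLEN), ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_full(ss1: bytes, ss2: bytes, info: bytes = b"hybrid-kem") -> bytes:
    """KDF( H(ss1) || H(ss2) ): each shared secret is hashed first, so the
    concatenated input always consists of two fixed-length, KDF-like values."""
    h1 = hashlib.new(HASH, ss1).digest()
    h2 = hashlib.new(HASH, ss2).digest()
    return hkdf(h1 + h2, info, HLEN)


def combine_simplified(ss1: bytes, ss2: bytes, info: bytes = b"hybrid-kem") -> bytes:
    """KDF( ss1 || ss2 ): the form the abstract says is safe only when each KEM
    already runs its shared secret through a KDF internally. That condition is
    approximated here (constructed check) by requiring hash-sized inputs."""
    for ss in (ss1, ss2):
        if len(ss) != HLEN:
            raise ValueError("simplified combiner needs KDF-output-sized shared secrets")
    return hkdf(ss1 + ss2, info, HLEN)


def kem_with_internal_kdf(raw_secret: bytes) -> bytes:
    """Constructed stand-in for a KEM that hashes its raw secret before
    returning it, the property the abstract attributes to RSA-KEM, ECDH,
    Edwards curve DH and CRYSTALS-Kyber when implemented per their specs."""
    return hashlib.new(HASH, raw_secret).digest()


if __name__ == "__main__":
    # Constructed sample secrets: one raw (variable length), two KDF-style.
    raw_ecdh_like = b"\x04" + bytes(range(64))
    k1 = kem_with_internal_kdf(b"kyber-raw-secret-sample")
    k2 = kem_with_internal_kdf(b"x25519-raw-secret-sample")
    print(combine_full(raw_ecdh_like, k1).hex())      # always safe form
    print(combine_simplified(k1, k2).hex())           # only for KDF-style inputs
```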

