IETF Logo Mail Archive

Re: [CFRG] Kyber 'interactive key agreement'?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Fri, 05 August 2022 15:14 UTC

Return-Path: <prvs=6216cd1fed=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94957C15A720 for <cfrg@ietfa.amsl.com>; Fri, 5 Aug 2022 08:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IikY9wfduFtM for <cfrg@ietfa.amsl.com>; Fri, 5 Aug 2022 08:14:31 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BA17C15948A for <cfrg@irtf.org>; Fri, 5 Aug 2022 08:14:30 -0700 (PDT)
Received: from LLEX2019-2.mitll.ad.local (llex2019-2.llan.ll.mit.edu [172.25.4.124]) by MX2.LL.MIT.EDU (8.17.1.5/8.17.1.5) with ESMTPS id 275FEM8C053127 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <cfrg@irtf.org>; Fri, 5 Aug 2022 11:14:22 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=t/CqQhml6Tu+M07lnUXkKgoGKSvLKSuKkuAY8lCj6GSCkDINK/te7UiauqLSHqTrnlTY7YApGiTbTsFV+7JWTh1y+BsZM2D3fH1bnbI0sh01cAxLYLhzh8PuMfBLywE2ryF45modN56MIn02H8UpzRzjCGbFWDxdsN2L5A9j7S0AG89o4iZoidAgwNeevTBMVgEvEYlXgLn/1hQ+ifu0VhMUDJKgZnwVhaRWYXXVNd6SJNrxo8zGD2BbPvgtRRjGbk9o3f+JgghR2DT/hSucEzm9RLKPQlHSp9xMWt5TH3aK5bL7Cstaq8R9pCyJpX1mRTEyoKp0Dgtlc+0y2X69Gw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WP2mGVsVU0BKHhtsHkDblbPo8y4q/WEMTjajpdPldmM=; b=mVBqpZJzkX6CF2Y8Vsto8o9uKuOtRUkovYVNjhvHJiWkskQ1xi0WYEH2jWKeKF5+145pWvOeSgEqxjYnS2fw3E14GA/xpF79uULoOfX1n6PvCDs64j094vJ7UstAEIPoevsDM07w6UQ/6C+fUmtlmbe1MGw1xdDwHUFbf0I8nFMnQP5LRjSYegfby6hqEhqTQPOkjFVOVkYjKIQOY7l3UgZKaJljEZGW3nXRfRP48Yx1WijMZgNiqW3lYat/x8BbHoMpSYW/5vpF1RYYjvoUwf6A15vOa1t22eBi6P7woGz4mXF8KGLUsDot7fxczW/J5CY0hXCUQrSgKnoVqSfWnA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
CC: IRTF CFRG <cfrg@irtf.org>
Thread-Topic: [CFRG] Kyber 'interactive key agreement'?
Thread-Index: AQHYppjGXporJ4Fe70ayoBQiUElE5a2b5YuAgAAftQCAAu7JAIAAJB+AgAAZEoD//9ZzAIAARiyAgADeAQA=
Date: Fri, 05 Aug 2022 15:14:26 +0000
Message-ID: <5C136E7A-99FC-496C-952F-435F100409F0@ll.mit.edu>
References: <CAMm+LwiGXMUwTiM=7OSTj47F=qxsaXqOqXEvcGedKo1cKAXadA@mail.gmail.com> <5CD18980-6C52-4CCA-8EF0-F7C45D1CB0F1@getmailspring.com> <CAMm+LwjfWGWR2StRtQGbahcyq+L+CGHdmsu7ZVHO8PyCnepDFg@mail.gmail.com> <950A7700-0514-416A-A0BC-43C9CB85628B@ll.mit.edu> <CH0PR11MB57390B55AF072C1706ED04749F9F9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57390B55AF072C1706ED04749F9F9@CH0PR11MB5739.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.63.22070801
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: aa614a53-6c7c-4e68-f95c-08da76f52ff4
x-ms-traffictypediagnostic: BN0P110MB1724:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: r0yhfCY2MzBoW4MRIYGMGkYaqqkYi/CAgXAAHFf/wYPVB6e1b4tJ5nHvfdlN8n3IGn2FxpFoe4bZEd852586XBPHaD4y5INqJrdacQQdPU6c6/z8NtsCvdu9TPKqtTLmHQLUInqgPkL9SvYOIkqvl2JyKEZJ/RWO+mqaw3lk9qZ/yZLRNa2zGvFwOICyYErK8H3g1qVqnJEgfkgi+EIo7lmtzcG6zy8YSl+12GdugbNu92zeHWnnw2i7FIS4mSEqufQNebOw1dhJtE6HtWtKY4BjnMUnFVZhYFCLFpEJGAyNk6gM+E2qQ8BHl2e1D9X21gkFkLjLar79tfgEdwFnAw6UWJSTlzRfRizvD3T5iWfVLx4D0bA1aInTrd48+QuIVZXiAk2coMFF7CCDza7SqjjgiiU6bYoXMZgpgbcHfZQebckoPqK6If6Bph7+4ffVmJ4+szM3hMYX0kvDky6hy1+S/0tYg5wFUVG4gnD7nYBQ1PVk0FIrtxqOE3BnZEL3pEuUo/yBc2zEM+e+wLRj59MiBGRJ33yxHgpRGvcH6k0tIz4iMv6kTeoH62hDj8HotPJVY0l5kPCr0Yv5UctqQswkEr7fkPzWqv0X9S6LJqQVADdSVhVH6AluJ9tPvZ0diNQYRceoCuzRm4hfJoYLIaaC5UE53vbTJDZtAzx/ICsZ/KCfkNLUpuzLKLXr7mJ6C9iSDjS1fWM0nbHxH+u6S4zuBd7RL77vaxTWHZWj5OUpHHeRhDc9oGqpC7FOlVoSKrJHw1RTZrR/hKeiI7Fayl98eniu6x/uVkaaxyhZYcs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(2616005)(2906002)(122000001)(966005)(99936003)(6486002)(186003)(8936002)(38100700002)(33656002)(86362001)(6862004)(66446008)(66556008)(53546011)(75432002)(66946007)(4326008)(76116006)(498600001)(66476007)(64756008)(83380400001)(6506007)(71200400001)(26005)(5660300002)(38070700005)(6512007)(8676002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: CTxYL3DruA75o4CAbhCeIiTwsD+vppmrl3mm+M7QdP/mjD9iLunfgmBVyJsh77xQyEPgOv3bB7Sxedj216hCi5WQKkIoymFX2OYnmA3BAjakNkI0QqHOPB673wvs58FPwa7sxjo9oRi/mrpoW6Rx4dAmBxkxfA1clLTXd5a+lnrSIo25xA8LtgX+RDjk5iG4T/FC4WLx5QLNyKWgYxvn9uuO8rueQ+dvHsnsC2WsCyAXvOF4QycYLg08BH3gR/u0H/oXgBK3ieIEmNVYj0UPakHXmRNM+y0uu6PFzoe8Guuhzg9fWiLsmdpnGeCJTedxPh2Rczc2LXDOnN630JK1iFIcGSNvv0c0eV6wmUZwx1Hya8RRdqIm0Szc4AAk0cyybhFy551AlBNXauUMiNgGxj3tGW2ShhAmofixm4HHQtg=
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3742542866_1346212646"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN0P110MB1419.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: aa614a53-6c7c-4e68-f95c-08da76f52ff4
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Aug 2022 15:14:26.9682 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN0P110MB1724
X-Proofpoint-GUID: XVU6anvSmT62Fo3P-SAfhH86VeTEZjCc
X-Proofpoint-ORIG-GUID: XVU6anvSmT62Fo3P-SAfhH86VeTEZjCc
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-08-05_07,2022-08-05_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 spamscore=0 mlxlogscore=999 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2208050076
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yvzhKdANteSxjunCSeVn1r8ZbJ8>
Subject: Re: [CFRG] Kyber 'interactive key agreement'?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 15:14:35 -0000

>    Uri said:
>   > In fact, the KEM (crypto_kem_enc(), to be specific) tells
>   > the caller what the shared secret will be. This reduces the
>   > need for the “post-processing” of the shared secret with KDF
>   > to actually generate symmetric keys for the subsequent traffic protection
>
> This is actually a point of contention.

Not really - just different applicability areas. Please see below.

> I know that the NIST round 3 KEM candidates all finish with a round
> of SHAKE, and so have this property, but I have not seen any global
> definition of KEM that requires this property.

Certainly. My point was that for some *specific* classes of KEM (such as NIST PQC KEMs) this property holds.

> For example, RFC 5990 which takes RSA-KEM and turns it into a Key Transport specifically
> does that “post-processing” (RFC 5990 p. 13):

Which, probably, is a good thing for RSA-KEM.

> So, unless I'm missing something, if you're designing a crypto protocol
> WHERE CHOICE OF ALGS IS LEFT TO runtime config, then I think you still
> need to run the shared secret through a KDF to be sure.
> (I would love to be wrong about this ...)

It so happens that I am not permitted to leave parts, such as selection of algorithms, to somebody else's control. So, in *my* case, algorithms are pre-defined at the design phase, with the properties and constraints that define potential successors (security properties, performance properties, etc.). 

I agree that in general, post-processing the KEM output with KDF is necessary in some cases, and doesn't hurt in pretty much all cases. As I said, we also use KDF, even though our "building blocks" do not require it.

Overall, good points.

Thanks!


    From: CFRG <cfrg-bounces@irtf.org> On Behalf Of Blumenthal, Uri - 0553 - MITLL
    Sent: August 4, 2022 4:49 PM
    To: Phillip Hallam-Baker <phill@hallambaker.com>; Jeff Burdges <burdges@gnunet.org>
    Cc: IRTF CFRG <cfrg@irtf.org>; Bas Westerbaan <bas=40cloudflare.com@dmarc.ietf.org>
    Subject: [EXTERNAL] Re: [CFRG] Kyber 'interactive key agreement'?

    WARNING: This email originated outside of Entrust.
    DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.
    ________________________________________
    I’m not sure I fully understand this discussion, but let me jump in. ;-)

    IMHO, for the “protocol engineers” there’s nothing to understand about the NIST PQC algorithms, except that

    a. These algorithms are all Key Encapsulation Mechanisms, and not Key Agreement mechanisms like, e.g., (EC)DH(E). In that sense, logically they are quite similar to the old now-deprecated RSA key encapsulation, where the client would generate a random symmetric key, encrypt it with the server’s RSA public key, and send this “encapsulated” symmetric key to the server. Thus, you cannot use them directly as a replacement for DH, period. You can create a Key Agreement protocol that uses NIST PQC KEMs as building blocks.
    b. Luckily, PQC algorithms do some processing – NIST API does not even allow the caller to pass in the symmetric key to wrap/encapsulate. In fact, the KEM (crypto_kem_enc(), to be specific) tells the caller what the shared secret will be. This reduces the need for the “post-processing” of the shared secret with KDF to actually generate symmetric keys for the subsequent traffic protection, though all the protocols I’m aware of, including mine, do apply KDF to the KEM output.

    You wrote that one can use Kyber as a drop-in replacement for ECDH. IMHO, it’s not quite correct, because in DH both sides contribute to the algorithm output, and here the control is on the “wrapper” side…
    --
    V/R,
    Uri

    There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
    The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                         -  C. A. R. Hoare


    From: CFRG <mailto:cfrg-bounces@irtf.org> on behalf of Phillip Hallam-Baker <mailto:phill@hallambaker.com>
    Date: Thursday, August 4, 2022 at 16:18
    To: Jeff Burdges <mailto:burdges@gnunet.org>
    Cc: CFRG <mailto:cfrg@irtf.org>, Bas Westerbaan <mailto:bas=40cloudflare.com@dmarc.ietf.org>
    Subject: Re: [CFRG] Kyber 'interactive key agreement'?



    On Thu, Aug 4, 2022 at 2:47 PM Jeff Burdges <mailto:burdges@gnunet.org> wrote:


    On Aug 4 2022, at 6:38 pm, Phillip Hallam-Baker <mailto:phill@hallambaker.com> wrote:
    > Having discussed this in other forums, it appears to me that the
    > fundamental problem here is that we need more than a ten minute
    > introduction to PQC algorithms before the protocol development
    > community can fully get to grips with what is going on.

    Yes.

    You'll want to understand the Fujisaki-Okamoto Transform (FO)
    https://blog.cryptographyengineering.com/2018/07/

    In essence, Alice's key would be vulnerable if she completed a key
    exchange with a maliciously constructed public key, so instead Bob
    reveals his secret key in an encrypted payload inside the first protocol
    move.  Alice simply aborts if she cannot recompute the public key Bob provided.

    NIST appear to have chosen the parameters for this competition with extreme subtlety. People who are finding problems here appear to be looking inside the black boxes NIST drew. They drew those boxes for a reason


    The description of the parameters seems to be misleading some:

    int crypto_kem_enc(unsigned char *ct,
                       unsigned char *ss,
                       const unsigned char *pk)

    int crypto_kem_dec(unsigned char *ss,
                       const unsigned char *ct,
                       const unsigned char *sk)

    Where:

    sk is a sequence of bytes describing a private key
    pk is a sequence of bytes describing a private key
    ss is a sequence of bytes being the shared secret
    ct is a sequence of bytes being the ciphertext

    But in DH terms, ct is not a ciphertext, it is a key agreement blob and ss is the key agreement output.

    If we write the signatures as:

    Wrap (byte[] public, out byte[] recipientData, out byte[] sharedSecret)
    UnWrap (byte[] private, byte[] recipientData, out byte[] sharedSecret)

    We can see that Alice can't mistakenly reveal data by encrypting to Mallet's maliciously formed public key because Alice does not use her private key in the Wrap operation.

    I know I can drop Kyber into my key exchange schemes for the Mesh because I can write the exact same signatures for ECDH.


    RSA has serious issues as a result of the algorithm providing plaintext recovery and the fact that the security provided is not constant across all the bits.

    As you say, for Noise, this is a drop in replacement. ss, is never used for any purpose other than to feed a KDF.

    I am neither surprised nor particularly concerned about Signal's Axolotl ratchet. The notion that we should make use of all the available shared entropy when rekeying is a good principle. The Signal approach to this seems to be overly inflexible.


    Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.

v2.23.0 | Report a Bug | By Email