Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt
Nimrod Aviram <nimrod.aviram@gmail.com> Sat, 26 November 2022 14:17 UTC
Return-Path: <nimrod.aviram@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E954C14CF19 for <cfrg@ietfa.amsl.com>; Sat, 26 Nov 2022 06:17:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wx6ybBlXszpX for <cfrg@ietfa.amsl.com>; Sat, 26 Nov 2022 06:17:45 -0800 (PST)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D31BC14F736 for <cfrg@irtf.org>; Sat, 26 Nov 2022 06:17:45 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id f7so9822476edc.6 for <cfrg@irtf.org>; Sat, 26 Nov 2022 06:17:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=0OCSeT/RIapQInFNNFSqw2VTrzU73tY0dUA1hGSzHeU=; b=XBfBq9VIfTH5tEjdqupjq77j4nb57ND2EEH6WE0FrwdChpvyzkkkgyhv9wJbpoq/43 Krb+7c4rKwF4wpf3jLNn//l9uftMt0c3xwgHSe60j4q/i4cKSm1A1uMcWbTxrHqjXt10 ZdgzpGgP6I+81GEyF6+MBCa1Vjpy71o4Qs235z8CkAI7JH78IaySkb0+un+11zmS5HW+ Bnc5BaxSFLuqpjYnbIBEZ7FtZSH4roTojM16/X5+v/+BfwQBZJ30BbDOz/oGp39ZzY8f f1xgo7ZmioHcUlcr2G+zWrkaq7mtSBwMo9JVortf+zB29Qszj1KdwzJSbWA+h5G3wR4C YPtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=0OCSeT/RIapQInFNNFSqw2VTrzU73tY0dUA1hGSzHeU=; b=5X6KxI6yKYGbiOYdb3V0gFwzTN8dkqDWuMQ6P37FduFOGRT7svHr8cX7Tux2MXileM 3+WsZLtKVdTeQ8w/Qjs+aszRXsx+tvpFH5W2ak+9S3PHuqljfRVyeabJCalan8RrVERp lAL1IDtaFxhx+zygN+9fJWhCWZooXq9ON4kAgfyTRyeI+y6EIDcCSNb6bEHMLgotYlCR PnEMvoSBQPO+6rr4el+8WFNZSJ83GdA2VykKY/Jk8y2Lkjg5ANHGM63rqEKEDLANlGlV heNt+szF2bSm0nRq90LfgYTuf8RhwO5wnhXnrS/6er8dIvZOQz0dfkTQQaYQd6klPPID 4KeQ==
X-Gm-Message-State: ANoB5pn7poukBp1CpjaTKQiErQm4Fdhi0R48ugpF6qbzcdoFj8PcSuqq wgi+n4hGyllIMoLuTgZj1mUI/rPj/gJP5cFSzX3trnkO2dA=
X-Google-Smtp-Source: AA0mqf5ve0/M88sQgrnY7Jc62Vukwb1V6KCTwMXEF+VH7mx/JcwhWUqJiBvIyfhSX3mIZz3VbeW853oYL7CFOa1+dVE=
X-Received: by 2002:aa7:cc8a:0:b0:464:1296:d5d4 with SMTP id p10-20020aa7cc8a000000b004641296d5d4mr39271589edt.83.1669472262652; Sat, 26 Nov 2022 06:17:42 -0800 (PST)
MIME-Version: 1.0
References: <166942925722.40317.11729364720866332715@ietfa.amsl.com> <CH0PR11MB5739B3970AACEED27E94C7519F119@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB5739B3970AACEED27E94C7519F119@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Nimrod Aviram <nimrod.aviram@gmail.com>
Date: Sat, 26 Nov 2022 16:17:31 +0200
Message-ID: <CABiKAoTyjE8Vg-UJvWj6Nai7DuvwOTHpk2O19VCQ8n86PyXb4g@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000002d879005ee604dc2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zc6GKDAne93oqQbCALKcG8FG1C8>
Subject: Re: [CFRG] FW: [EXTERNAL] New Version Notification for draft-ounsworth-cfrg-kem-combiners-00.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Nov 2022 14:17:49 -0000
Hi Everyone, A few remarks off the top of my head: - I think Douglas and myself are agreed about the facts, but politely disagree on their interpretation. There are no known attacks against this construction when the underlying hash function is collision resistant. There are also no known proofs of this construction, under any assumption. The disagreement is whether this state merits using the construction (I think not, Douglas thinks yes, and he also has good practical reasons for recommending this construction). - "considered to be a dual PRF in practice" - I am unsure what this statement is based on. Who considers it a dual-PRF in practice? - As referred to in this document, ECDH and Edwards curve DH indeed use a KDF internally to produce the shared secret. However, one could easily read "ECDH" and understand that to mean g^xy over the appropriate group, without using a KDF. I would suggest clarifying that somehow even in the Abstract, though I'm not sure exactly how. best, Nimrod On Sat, 26 Nov 2022 at 04:25, Mike Ounsworth <Mike.Ounsworth= 40entrust.com@dmarc.ietf.org> wrote: > Hi CFRG! > > How to combine the output of two KEMs into a single shared secret is > coming up in a bunch of places: 1. anywhere that's doing KEM/PSK hybrids 2. > anywhere that’s doing Post-Quantum / Traditional hybrid KEMs (TLS, CMS, > OpenPGP, JOSE/COSE, etc), and 3. anywhere that’s trying to replace a > static-static DH with KEMs needs to do a KEM in each direction and combine > them (see my recent thread “How will Kyber be added to HPKE?”). > > At TLS 113, Douglas Stebila presented draft-ietf-tls-hybrid-design and a > discussion ensued about whether KDF( ss1 || ss2 ) is a sound choice of > combiner with Stebila saying “It’s fine” and Nimrod Aviram saying “But we > could do better with a real Dual PRF!”. As far as I know, this debate is > unresolved, so I think we need to document the standard way of doing this > with any applicable caveats because people *are* doing this. This draft > hopefully is not groundbreaking, just giving us something to point at so > we’re all doing it the same way. > > Disclaimer: I am not a cryptographer. I would love critique (I’m willing > to offer co-authorship) to tighten up the security analysis and the > statements about where this construction is and is not safe to use. > > > --- > Mike Ounsworth > > -----Original Message----- > From: internet-drafts@ietf.org <internet-drafts@ietf.org> > Sent: November 25, 2022 8:21 PM > To: Mike Ounsworth <Mike.Ounsworth@entrust.com> > Subject: [EXTERNAL] New Version Notification for > draft-ounsworth-cfrg-kem-combiners-00.txt > > WARNING: This email originated outside of Entrust. > DO NOT CLICK links or attachments unless you trust the sender and know the > content is safe. > > ______________________________________________________________________ > > A new version of I-D, draft-ounsworth-cfrg-kem-combiners-00.txt > has been successfully submitted by Mike Ounsworth and posted to the IETF > repository. > > Name: draft-ounsworth-cfrg-kem-combiners > Revision: 00 > Title: Combiner function for hybrid key encapsulation mechanisms > (Hybrid KEMs) > Document date: 2022-11-25 > Group: Individual Submission > Pages: 14 > URL: > https://urldefense.com/v3/__https://www.ietf.org/archive/id/draft-ounsworth-cfrg-kem-combiners-00.txt__;!!FJ-Y8qCqXTj2!aPvv_rJks1wNuj0CCg60vTBx5sKodPpctz4m4qHmeEIw9ZGQiX7UPrkt6DOYBe5GmsAjyimBoUGZ2j0NzeCyjHPM6QP7PQ$ > Status: > https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ounsworth-cfrg-kem-combiners/__;!!FJ-Y8qCqXTj2!aPvv_rJks1wNuj0CCg60vTBx5sKodPpctz4m4qHmeEIw9ZGQiX7UPrkt6DOYBe5GmsAjyimBoUGZ2j0NzeCyjHPnNK1zOA$ > Htmlized: > https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ounsworth-cfrg-kem-combiners__;!!FJ-Y8qCqXTj2!aPvv_rJks1wNuj0CCg60vTBx5sKodPpctz4m4qHmeEIw9ZGQiX7UPrkt6DOYBe5GmsAjyimBoUGZ2j0NzeCyjHP6-WELQQ$ > > > Abstract: > The migration to post-quantum cryptography often calls for performing > multiple key encapsulations in parallel and then combining their > outputs to derive a single shared secret. > > This document defines the KEM combiner KDF( H(ss1) || H(ss2) ) which > is considered to be a dual PRF in practice, even though not provably > secure. This mechanism simplifies to KDF( ss1 || ss2 ) when used > with a KEM which internally uses a KDF to produce its shared secret. > RSA-KEM, ECDH, Edwards curve DH, and CRYSTALS-Kyber are shown to meet > this criteria and therefore be safe to use with the simplified KEM > combiner. > > > > > The IETF Secretariat > > > Any email and files/attachments transmitted with it are confidential and > are intended solely for the use of the individual or entity to whom they > are addressed. If this message has been sent to you in error, you must not > copy, distribute or disclose of the information it contains. Please notify > Entrust immediately and delete the message from your system. > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [CFRG] FW: [EXTERNAL] New Version Notification fo… Mike Ounsworth
- Re: [CFRG] FW: [EXTERNAL] New Version Notificatio… Nimrod Aviram
- Re: [CFRG] FW: [EXTERNAL] New Version Notificatio… Mike Ounsworth
- Re: [CFRG] FW: [EXTERNAL] New Version Notificatio… Blumenthal, Uri - 0553 - MITLL
- Re: [CFRG] FW: [EXTERNAL] New Version Notificatio… Nimrod Aviram