Re: [MLS] MLS Compatibility with PQC

Alexander Sherkin <Alexander.Sherkin@darkmatter.ae> Mon, 25 February 2019 20:01 UTC

From: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
To: Richard Barnes <rlb@ipv.sx>
CC: "mls@ietf.org" <mls@ietf.org>
Thread-Topic: [MLS] MLS Compatibility with PQC
Date: Mon, 25 Feb 2019 20:00:51 +0000
Message-ID: <956c4f3a40594c889fd9ac5197c57258@darkmatter.ae>
References: <40c09894a54d4d319539185d5372ce73@darkmatter.ae> <CAL02cgRHePtGnMx8P5=X0fFowF6--oRY6-3ivRmyoLY7+9C50w@mail.gmail.com>
In-Reply-To: <CAL02cgRHePtGnMx8P5=X0fFowF6--oRY6-3ivRmyoLY7+9C50w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mls/GdNETczsWCHK8hE77RXauQ4_El8>
Subject: Re: [MLS] MLS Compatibility with PQC

Nice. I think the KEM-based approach will make it much simpler for PQC cipher suite integration. Another part is allowing for PQC signatures such as SPHINCS. Arguably, PQC authenticity may not be such an urgent problem because an attacker needs a quantum computer now to be able to attack message authenticity. In contrast, messages intercepted and recorded now may be decrypted by a quantum computer in the future; hence, the urgent need for PQC for confidentiality.

Kyber public key length is about 1.5Kb, and private key length is about 3Kb. Sphincs+ public key is 64 bytes, and the private key is 128 bytes.

Two octet length is probably fine for Lattice-based schemes. However, Code-based crypto schemes may have public keys on the order of 1 Mb. Code-based crypto may be considered as one of the most conservative choices so supporting Code-based crypto would be nice if possible.

Thanks.
Alex.




Alexander Sherkin, Software Architect




2 Robert Speck Parkway, Suite 1610
Mississauga ON  L4Z 1H8
Canada
Mobile: +1 416 414 7117
Email: Alexander.Sherkin@darkmatter.ae


From: MLS [mailto:mls-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: February 22, 2019 6:16 PM
To: Alexander Sherkin <Alexander.Sherkin@darkmatter.ae>
Cc: mls@ietf.org
Subject: Re: [MLS] MLS Compatibility with PQC

Hi Alex,

Karthik and I have been working on a hybrid PKE primitive in CFRG, with the idea that it could be re-used in MLS:

https://tools.ietf.org/html/draft-barnes-cfrg-hpke-00

In the CFRG discussion of that draft, several folks suggested that we adapt it to accommodate a general KEM.  I have a draft-01 of that in the works that does that.  So there is something of a plan here!

Another thing that some folks have observed is that the length fields for public keys are two octets long.  Would the keys for the schemes you're interested in overflow those fields?

Thanks,
--Richard



On Fri, Feb 22, 2019 at 3:16 PM Alexander Sherkin <Alexander.Sherkin@darkmatter.ae> wrote:
Hello,

The current protocol draft specifically relies on the Diffie-Hellman crypto primitive. This makes perfect sense when classic crypto is used, but may be a limitation when post-quantum crypto (PQC) is required.

If we assume that powerful enough quantum computers will become a reality in the next 10-15 years, any data protected with classic crypto we exchange today will be decryptable by a third party in 10-15 years. Hence, using classic crypto for new systems may not be a good idea.

At the same time, it seems that the protocol is well positioned to rely on a KEM crypto primitive. Relying on KEM instead of DH allows for a wider range of options, including PQC primitives such as New Hope and Crystals Kyber, making the protocol PQC-ready at least from the confidentiality perspective.

To make it more general, KEM primitive may be defined as (C, s) = KEM-Encapsulate(PublicKey) and s = KEM-Decapsulate(PrivateKey, C).

Thoughts?

Thank you.
Alex.



Alexander Sherkin | Software Architect
Mob: +1 416 414 7117
Alexander.Sherkin@darkmatter.ae


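Added example, not code from this thread or from the MLS/HPKE drafts: the KEM interface Alex describes, instantiated over a toy DH group to show that the existing DH usage already fits the (C, s) = Encapsulate(pk) / s = Decapsulate(sk, C) shape, followed by Richard's two-octet length-field check applied to the key sizes quoted above. The group parameters, KEY_BYTES, the transcript binding in kdf and the SIZES table are assumptions constructed for this illustration.

```python
import hashlib
import secrets

# KEM interface from the thread: (C, s) = Encapsulate(pk); s = Decapsulate(sk, C).
# Instantiated as a DH-based KEM over a TOY group (constructed, far too small to be
# secure) purely to show that DH already has the KEM shape.
P = 2**127 - 1          # toy modulus (a Mersenne prime); illustration only
G = 3                   # toy generator
KEY_BYTES = 16          # group elements fit in 16 octets for this toy modulus

def keygen():
    """Return (private scalar, public element as bytes)."""
    sk = secrets.randbelow(P - 2) + 1
    pk = pow(G, sk, P)
    return sk, pk.to_bytes(KEY_BYTES, "big")

def kdf(shared: int, enc: bytes, pk: bytes) -> bytes:
    # Assumption: bind the secret to the ciphertext and recipient key, as a
    # DH-based KEM would, so s depends on the full exchange, not just g^(r*sk).
    return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big") + enc + pk).digest()

def encapsulate(pk: bytes):
    """(C, s) = KEM-Encapsulate(PublicKey)."""
    r = secrets.randbelow(P - 2) + 1
    enc = pow(G, r, P).to_bytes(KEY_BYTES, "big")          # C = g^r
    shared = pow(int.from_bytes(pk, "big"), r, P)          # pk^r
    return enc, kdf(shared, enc, pk)

def decapsulate(sk: int, pk: bytes, enc: bytes) -> bytes:
    """s = KEM-Decapsulate(PrivateKey, C); pk is passed only for the binding."""
    shared = pow(int.from_bytes(enc, "big"), sk, P)        # C^sk
    return kdf(shared, enc, pk)

# Richard's question: public keys travel in a two-octet length field
# (TLS-style opaque<1..2^16-1>). Encoding must refuse keys that overflow it.
MAX_KEY_LEN = 2**16 - 1

def fits_two_octet_field(key_len: int) -> bool:
    return 1 <= key_len <= MAX_KEY_LEN

def encode_public_key(pk: bytes) -> bytes:
    """Serialize pk as a 2-octet big-endian length followed by the key bytes."""
    if not fits_two_octet_field(len(pk)):
        raise ValueError(f"{len(pk)}-octet key overflows a 2-octet length field")
    return len(pk).to_bytes(2, "big") + pk

# Approximate sizes quoted in the thread (constructed table for the check).
SIZES = {"kyber_pk": 1500, "sphincs_plus_pk": 64, "code_based_pk": 1_000_000}
```

Only the lattice and hash-based keys pass the check; the 1 MB code-based key is rejected before it can be written into the field.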