[openpgp] Re: Aligning KEM combiner in OpenPGP and LAMPS
Simon Josefsson <simon@josefsson.org> Tue, 12 November 2024 12:27 UTC
Aron Wussler <aron@wussler.it> writes:
> In order to have a single construction that works, I would propose the following concrete options:
>
> 1a. KDF(mlkemSS || tradSS || CT || PK || Domain)
> where CT = "tradCT" and PK = "tradPK" for LAMPS, and CT = "mlkemCT || tradCT" and PK = "mlkemPK || tradPK" for OpenPGP
>
> 1b. KDF(mlkemSS || tradSS || CT || Domain)
> where CT = "tradCT" and Domain = "tradPK || Domain" for LAMPS, and CT = "mlkemCT || tradCT" and Domain = "algID" for OpenPGP, and we drop PKs in OpenPGP (needed according to [3], and we already have "tradPK" in the ECDH KDF deriving tradSS)
>
> 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
> where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId" for OpenPGP
>
> 2b. KDF(mlkemSS || tradSS || tradCT || Domain)
> where Domain is "tradPK || Domain" for LAMPS, and "mlkemCT || algId" for OpenPGP, and we drop "mlkemPK" in OpenPGP (same as 1b, not needed according to [3])
>
> 2c. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
> where we drop mlkemCT and mlkemPK in the OpenPGP construction, fully aligning to LAMPS. Note that this would imply re-writing the security considerations, and while this has been proven safe for X-Wing, there are differing opinions on the security of this with ML-KEM 1024.
I believe it would be nice to pick a safe combiner that aligns with
requirements from as many PQKEMs as we may want to plug into PGP as
possible. Otherwise we will end up with a different combiner for
different hybrids eventually. I have described Chempat [1], which uses
this construct:
H = SHA3-256
hybrid_pk = concat(receiver_pk_TKEM, receiver_pk_PQKEM)
hybrid_ct = concat(sender_ct_TKEM, sender_ct_PQKEM)
hybrid_ss = H(concat(ss_TKEM,
                     ss_PQKEM,
                     H(hybrid_ct),
                     H(hybrid_pk),
                     context))
Reviewing your options above, I believe the Chempat combiner has better
properties than all of the above. In particular:
* Always include all shared secrets, ciphertext and public keys in what
is KDF'ed, to bind all values to the resulting secret.
* Hash the potentially very long PQ ciphertext and/or public keys, for
embedded applications that offload crypto to a separate co-processor
and have limited storage for long data.
* Put the most trusted algorithm (X25519/X448) outputs earlier in the
hash input string.
Still, I'm happy that we have left the earlier broken design and that
we are moving in the right direction.
/Simon
[1] https://datatracker.ietf.org/doc/html/draft-josefsson-chempat-00
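The Chempat combiner quoted in the message above, as an added worked example in Python; this is not code from the draft, from the OpenPGP or LAMPS documents, or from either author. It implements the construct exactly as written in the mail (H = SHA3-256, traditional values before PQ values, ciphertext and public key entering only through their digests), and then exercises the binding property claimed for it: changing any one of the shared secrets, ciphertexts, public keys or the context changes the derived secret. The sample inputs are constructed filler bytes sized like X25519 and ML-KEM-768 values, not outputs of a real key exchange, and the context string is a placeholder since the mail does not give one.

```python
import hashlib
from typing import Dict


def H(data: bytes) -> bytes:
    """H = SHA3-256, the hash named in the Chempat construct quoted above."""
    return hashlib.sha3_256(data).digest()


def chempat_combine(ss_tkem: bytes, ss_pqkem: bytes,
                    receiver_pk_tkem: bytes, receiver_pk_pqkem: bytes,
                    sender_ct_tkem: bytes, sender_ct_pqkem: bytes,
                    context: bytes) -> bytes:
    """hybrid_ss = H(ss_TKEM || ss_PQKEM || H(hybrid_ct) || H(hybrid_pk) || context)

    The traditional (X25519/X448-style) values come first so the most trusted
    algorithm's output sits earliest in the hash input. The long PQ ciphertext
    and public key only reach the outer hash as 32-byte digests, so a constrained
    implementation can absorb them in a streaming fashion and drop them before
    the final derivation.
    """
    for name, value in (("ss_tkem", ss_tkem), ("ss_pqkem", ss_pqkem),
                        ("receiver_pk_tkem", receiver_pk_tkem),
                        ("receiver_pk_pqkem", receiver_pk_pqkem),
                        ("sender_ct_tkem", sender_ct_tkem),
                        ("sender_ct_pqkem", sender_ct_pqkem),
                        ("context", context)):
        if not isinstance(value, (bytes, bytearray)):
            raise TypeError(f"{name} must be bytes, got {type(value).__name__}")
        if not value and name != "context":
            raise ValueError(f"{name} must not be empty")
    hybrid_pk = receiver_pk_tkem + receiver_pk_pqkem
    hybrid_ct = sender_ct_tkem + sender_ct_pqkem
    return H(ss_tkem + ss_pqkem + H(hybrid_ct) + H(hybrid_pk) + context)


# Constructed sample values: deterministic filler bytes sized like X25519
# (32-byte pk/ct/ss) and ML-KEM-768 (1184-byte pk, 1088-byte ct, 32-byte ss).
# They are NOT outputs of real key exchanges; only the lengths are realistic.
def _filler(tag: bytes, n: int) -> bytes:
    return hashlib.shake_256(tag).digest(n)


SAMPLE = {
    "ss_tkem": _filler(b"ss-x25519", 32),
    "ss_pqkem": _filler(b"ss-mlkem768", 32),
    "receiver_pk_tkem": _filler(b"pk-x25519", 32),
    "receiver_pk_pqkem": _filler(b"pk-mlkem768", 1184),
    "sender_ct_tkem": _filler(b"ct-x25519", 32),
    "sender_ct_pqkem": _filler(b"ct-mlkem768", 1088),
    # Assumption: the mail does not specify the context string; placeholder only.
    "context": b"EXAMPLE-CONTEXT-placeholder",
}


def flip_byte(data: bytes, index: int) -> bytes:
    """Return a copy of data with one byte XORed by 0x01 (for binding checks)."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def binding_check() -> Dict[str, bool]:
    """Show that every input is bound to hybrid_ss: altering a single byte of any
    field, including the PQ ciphertext and public key that only enter via H(),
    yields a different secret. Returns field -> changed, plus a determinism flag."""
    baseline = chempat_combine(**SAMPLE)
    results = {"deterministic": chempat_combine(**SAMPLE) == baseline}
    for field in SAMPLE:
        altered = dict(SAMPLE)
        altered[field] = flip_byte(SAMPLE[field], 0)
        results[field] = chempat_combine(**altered) != baseline
    return results


if __name__ == "__main__":
    print("hybrid_ss =", chempat_combine(**SAMPLE).hex())
    for field, changed in binding_check().items():
        print(f"{field:20s} {'ok' if changed else 'NOT BOUND'}")
```

Running the block prints the 32-byte hybrid secret for the constructed inputs and an "ok" line per field; a combiner that omitted, say, the PQ public key (as options 1b, 2b and 2c in the quoted proposal do for OpenPGP) would report "NOT BOUND" for that field under the same check, which is the property the message argues for keeping.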