[openpgp] Re: WG: BSI view on KEM combiners
Phillip Hallam-Baker <phill@hallambaker.com> Sat, 14 September 2024 16:26 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A618C18DB88 for <openpgp@ietfa.amsl.com>; Sat, 14 Sep 2024 09:26:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.654
X-Spam-Level:
X-Spam-Status: No, score=-1.654 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fut96HZktf32 for <openpgp@ietfa.amsl.com>; Sat, 14 Sep 2024 09:26:43 -0700 (PDT)
Received: from mail-oa1-f53.google.com (mail-oa1-f53.google.com [209.85.160.53]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92225C15153F for <openpgp@ietf.org>; Sat, 14 Sep 2024 09:26:43 -0700 (PDT)
Received: by mail-oa1-f53.google.com with SMTP id 586e51a60fabf-27b7a1480bdso1381445fac.2 for <openpgp@ietf.org>; Sat, 14 Sep 2024 09:26:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726331203; x=1726936003; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1Wde8xFXJWjacTmGluc6wKFP/IBRc7jJzyOVWIGU/+w=; b=HjZow0pu2shtNZ3CHpnawWiY6+Dlw7wPx0pp/V21b0ePnRX6Kmw6oyyVo7iZqcJIce T0wrvjflYuTw7Q2RKrTs3CCLxRBGKd9Sv54zLLiiXVduRKiUgowLg/U/mTljZKNT0k94 O/N/sWzNZ4+w2und1FDZZnvNp86ZhhkEG9fzAYH5KPDTXQjayWls3rAr5V9EFSkTPqhx pn+xDkQAJRqA+d5o69TpQoOq42TwKebPBHMWN493QO2wY/8GMZb/vvqkpVgBC5TdHesa 6irVYdwwnennl8pqR2okmIaz/wauJd3gKgos2LuoR5O4eHnb//sJQfw/RnfAmqMBcyw3 m/2g==
X-Forwarded-Encrypted: i=1; AJvYcCWGYofzX5tXYmPMNV94Yk2N2xFPTDKn3K7t45EVqZMdkqZVuij9g0bS8QebtnR1QXo0VYbusWvw@ietf.org
X-Gm-Message-State: AOJu0YwS5sH/3vj4I/cNx/u8racs3sALuOmbDv3hY+hgQobgdNaxXj2u 93plmZ7M6MYtfVflbPHAexzZ4zo8d8RPofSydlRK/nI/N6xj0PbcstIpI43q2Pi69wW9yNi5KB/ efFXYPxf3Pv/5tsQlK3QKb0wgNxXsJ56J
X-Google-Smtp-Source: AGHT+IG8A/AqDk44aPS0Qzzf2P1lqiby3Hh2LmK0RrEdTI8af4x4i12eVQJU66GemPOG9bYlSWMeMTyTT0GK706qn7k=
X-Received: by 2002:a05:6871:28f:b0:278:a70:d9e3 with SMTP id 586e51a60fabf-27c3f0ede02mr6030595fac.5.1726331202626; Sat, 14 Sep 2024 09:26:42 -0700 (PDT)
MIME-Version: 1.0
References: <528f96b5-b342-407a-b5f7-2e8afc16f1b8@mtg.de> <2907C129-93F1-4D66-B741-4FC85ED1DF9F@nohats.ca>
In-Reply-To: <2907C129-93F1-4D66-B741-4FC85ED1DF9F@nohats.ca>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sat, 14 Sep 2024 12:26:31 -0400
Message-ID: <CAMm+Lwj1+O1whL1Xf_ZypD9t8rQ5TAmG9Z4O9V3VWFk=dN7VGA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: multipart/alternative; boundary="00000000000018f233062216ce38"
Message-ID-Hash: NY6BTTUWUJOBQMT2GEK4NSU2Y5GP6HGO
X-Message-ID-Hash: NY6BTTUWUJOBQMT2GEK4NSU2Y5GP6HGO
X-MailFrom: hallam@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Falko Strenzke <falko.strenzke@mtg.de>, openpgp@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: WG: BSI view on KEM combiners
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LfycDin-LlOjnTTM463ejTEpIsc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
I have read this thread several times and find very little direct technical content or citations I can follow to descriptions of that content. The KEM combiners mailing list seems to have very little discussion of what was discussed on their calls. What is it about combining KEM and ECC outputs that is supposed to be so difficult that HKDF does not already address it? Sure, we have to make sure that we achieve domain separation in signatures. But in the encryption domain, either the output can be used to decrypt/authenticate or it cannot. I am rather skeptical of any company being bought into any particular approach to PDC at this point in time that a technical choice between combiners would cost 'millions of dollars' unless a patent were at issue. Come to that, the notion that BSI has come to a firm conclusion AGAINST a particular approach and does not have a concise rationale seems unlikely. We have an IETF combiner function for KEM and ECC, it is called HKDF and if there is a reason not to use HKDF (KEM + ECC) then we should be fixing HKDF.
- [openpgp] WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] BSI view on KEM combiners Kris Kwiatkowski
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker