[openpgp] Re: WG: BSI view on KEM combiners

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 14 September 2024 16:26 UTC

To: Paul Wouters <paul@nohats.ca>
CC: Falko Strenzke <falko.strenzke@mtg.de>, openpgp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/LfycDin-LlOjnTTM463ejTEpIsc>

I have read this thread several times and find very little direct technical
content or citations I can follow to descriptions of that content. The KEM
combiners mailing list seems to have very little discussion of what was
discussed on their calls.

What is it about combining KEM and ECC outputs that is supposed to be so
difficult that HKDF does not already address it? Sure, we have to make sure
that we achieve domain separation in signatures. But in the encryption
domain, either the output can be used to decrypt/authenticate or it cannot.

I am rather skeptical of any company being bought into any particular
approach to PDC at this point in time that a technical choice between
combiners would cost 'millions of dollars' unless a patent were at issue.
Come to that, the notion that BSI has come to a firm conclusion AGAINST a
particular approach and does not have a concise rationale seems unlikely.

We have an IETF combiner function for KEM and ECC, it is called HKDF and if
there is a reason not to use HKDF (KEM + ECC) then we should be fixing HKDF.
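
Added example, not part of the message above and not taken from any OpenPGP or KEM-combiner draft: a minimal RFC 5869 HKDF used as a combiner over a KEM shared secret and an ECC shared secret. The length-prefixed framing, the label string and the sample secrets are assumptions made for this illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 section 2.3: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def frame(secret: bytes) -> bytes:
    """Length-prefix a component so the concatenation stays unambiguous."""
    return len(secret).to_bytes(4, "big") + secret


def combine(kem_ss: bytes, ecc_ss: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF over both shared secrets; `label` acts as the domain separator."""
    if not kem_ss or not ecc_ss:
        raise ValueError("both component secrets are required")
    prk = hkdf_extract(b"", frame(kem_ss) + frame(ecc_ss))
    return hkdf_expand(prk, label, length)


# Constructed sample values, not outputs of a real KEM or ECDH exchange.
KEM_SS = bytes(range(32))
ECC_SS = bytes(range(32, 64))
LABEL = b"example-hybrid-encryption-v1"  # hypothetical label

if __name__ == "__main__":
    print(combine(KEM_SS, ECC_SS, LABEL).hex())
```
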