[openpgp] Aligning KEM combiner in OpenPGP and LAMPS
Aron Wussler <aron@wussler.it> Tue, 12 November 2024 09:55 UTC
Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57AE2C1E724A for <openpgp@ietfa.amsl.com>; Tue, 12 Nov 2024 01:55:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7m4uxroQIe2K for <openpgp@ietfa.amsl.com>; Tue, 12 Nov 2024 01:55:31 -0800 (PST)
Received: from mail-4323.proton.ch (mail-4323.proton.ch [185.70.43.23]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6403C1E723C for <openpgp@ietf.org>; Tue, 12 Nov 2024 01:55:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail; t=1731405327; x=1731664527; bh=MeNLxn7bYsNHNrLHOOTDNQ3rTp4v5n386wE7aQAwi2Y=; h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector: List-Unsubscribe:List-Unsubscribe-Post; b=LNwJtgZodHLlxiv7TkVoElfsrcC8uirayo9hzQ/iPOBuFrDaiLPFmP3IQ1Y0p6uTy exr8oPZWYDKo/mH6JN7M2d65xGLPnKbk3i0XPCHcUta9B0d0Vpjcqc5yA4p5RXJHG/ q7aECHo115ln1WbeVfgaFk0zEx1hWYfvZa28AnilOiAk4EZn8bHygDqck3rn6Ufu2b awkbKhluHvP+7CYr2DnvgVvzxNO8EAH5oBhEsOi1wE7sYq60XozNZA06cr17AKEGwq 2uG+dpT6NvWpr+7SWMg5zn5BmDiHBfXIK+iEqHHiPvthqYcmkxvO405uAxRVPKhGnM tjJgVKnwmVkTQ==
Date: Tue, 12 Nov 2024 09:55:24 +0000
To: "openpgp@ietf.org" <openpgp@ietf.org>
From: Aron Wussler <aron@wussler.it>
Message-ID: <9pre2o3t7W_pzYvQefh92aCFtgF5wZMGwK6p9ZlF5IUpPG2PdOvku-ySmXJD8UrRxiHQ7tY2BIFeShzE-qwfnpYoS8WVGq0cUEhsew0S2Z8=@wussler.it>
Feedback-ID: 10883271:user:proton
X-Pm-Message-ID: 1a7a2f636fff7e43b1d24bd2467cb846e7df5e08
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------8e843a6d5e9a7f6ed83225a30ab430871ca2455aefd04824e70c2e4ca756e435"; charset="utf-8"
X-MailFrom: aron@wussler.it
X-Mailman-Rule-Hits: max-recipients
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-size; news-moderation; no-subject; digests; suspicious-header
Message-ID-Hash: QG4CAHFDR4KG7PCQLDQRYLVBVXVEUHHM
X-Message-ID-Hash: QG4CAHFDR4KG7PCQLDQRYLVBVXVEUHHM
X-Mailman-Approved-At: Tue, 12 Nov 2024 03:27:40 -0800
CC: Falko Strenzke <falko.strenzke@mtg.de>, Stavros Kousidis <stavros.kousidis@bsi.bund.de>, Johannes Roth <johannes.roth@mtg.de>, John Gray <John.Gray@entrust.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>, Stephan Ehlen <stephan.ehlen@bsi.bund.de>, "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>, Sophie Schmieg <sschmieg@google.com>, Bas Westerbaan <bas@westerbaan.name>, Deirdre Connolly <durumcrustulum@gmail.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Aligning KEM combiner in OpenPGP and LAMPS
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/NMTCy707LICtxIhP3Xt1U5C8MF0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi everyone,
This thread sparks from an open MR [1] from Mike, and a brief sync we had between the authors after IETF 121.
Our problem statement in short: our KEM combiner is SP800-108 based, and this is not okay for FIPS compliance because we use X25591 and X448 in the construction. At IETF 121 it was suggested to align it with LAMPS, given that draft-ietf-lamps-pq-composite-kem has a FIPS-compliant SHA3 combiner based on SP800-56C.
The PR [1] changes the combiner to the following construction:
SHA3-256(mlkemKeyShare || ecdhKeyShare || ecdhCipherText || ecdhPublicKey || domSep)
Now, this is missing the algorithm ID, but added that it would fit most of the criteria expressed on the list in the past [2]:
✓ Compliant with NIST SP800-56C, as a one-step function (as in section 4, omitting the counter).
✓ Having the ML-KEM first, and therefore appearing as a key derivation for ML-KEM, with X25519/448 as part of the "fixedInfo".
✓ Using SHA3-256 (approved hash in FIPS 202).
✓ Having a trailing domain separation.
✗ Containing the ML-KEM public key and ciphertext.
Regarding the last point, that's the only one not met, we had extensive discussion on the OpenPGP list and it seems like there are some voices for including those[2]. We had decided to err on the safe side, and include those. Now, this is not set in stone, and can be changed if the list wishes to.
In order to have a single construction that works, I would propose the following concrete options:
1a. KDF(mlkemSS || tradSS || CT || PK || Domain)
where CT = "tradCT" and PK = "tradPK" for LAMPS, and CT = "mlkemCT || tradCT" and PK = "mlkemPK || tradPK" for OpenPGP
1b. KDF(mlkemSS || tradSS || CT || Domain)
where CT = "tradCT" and Domain = "tradPK || Domain" for LAMPS, and CT = "mlkemCT || tradCT" and Domain = "algID" for OpenPGP, and we drop PKs in OpenPGP (needed according to [3], and we already have "tradPK" in the ECDH KDF deriving tradSS)
2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId" for OpenPGP
2b. KDF(mlkemSS || tradSS || tradCT || Domain)
where Domain is "tradPK || Domain" for LAMPS, and "mlkemCT || algId" for OpenPGP, and we drop "mlkemPK" in OpenPGP (same as 1b, not needed according to [3])
2c. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain)
where we drop mlkemCT and mlkemPK in the OpenPGP construction, fully aligning to LAMPS. Note that this would imply re-writing the security considerations, and while this has been proven safe for X-Wing, there are differing opinions on the security of this with ML-KEM 1024.
All the options with KDF being SHA3-256 only for all options in OpenPGP (LAMPS allows also HKDF-SHA256).
Out of these concrete instantiations, I would like to know if there is any preference or if you see any issue. It would be ideal if we could align (modulo different "Domain" definition) with both draft-ietf-lamps-pq-composite-kem and draft-ehlen-openpgp-nist-bp-comp (that at the moment points to the main pqc draft for the KEM combiner).
Cheers,
Aron
[1] https://github.com/openpgp-pqc/draft-openpgp-pqc/pull/159
[2] https://mailarchive.ietf.org/arch/msg/openpgp/HP5uSF4X1bYyuGOMOHed42mH6aQ/
[3] https://doi.org/10.1007/978-3-319-76578-5_7
--
Aron Wussler
Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930
- [openpgp] Aligning KEM combiner in OpenPGP and LA… Aron Wussler
- [openpgp] Re: Aligning KEM combiner in OpenPGP an… Simon Josefsson
- [openpgp] Re: Aligning KEM combiner in OpenPGP an… Aron Wussler