[openpgp] Re: WG: BSI view on KEM combiners

"D. J. Bernstein" <djb@cr.yp.to> Mon, 09 September 2024 14:56 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B57C14F747 for <openpgp@ietfa.amsl.com>; Mon, 9 Sep 2024 07:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxtAhy413rUR for <openpgp@ietfa.amsl.com>; Mon, 9 Sep 2024 07:56:58 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 4DB9AC18DB80 for <openpgp@ietf.org>; Mon, 9 Sep 2024 07:56:57 -0700 (PDT)
Received: (qmail 2211 invoked by uid 1010); 9 Sep 2024 14:56:57 -0000
Received: from unknown (unknown) by unknown with QMTP; 9 Sep 2024 14:56:57 -0000
Received: (qmail 389544 invoked by uid 1000); 9 Sep 2024 14:56:49 -0000
Date: Mon, 09 Sep 2024 14:56:49 -0000
Message-ID: <20240909145649.389542.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: openpgp@ietf.org
In-Reply-To: <9D07412D-4112-41A6-847E-F37DF259B1B6@nohats.ca>
Message-ID-Hash: QQJEPTTNSSEBYME2EKXGVQOAT4YZLSUD
X-Message-ID-Hash: QQJEPTTNSSEBYME2EKXGVQOAT4YZLSUD
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: WG: BSI view on KEM combiners
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/V8yMe76mOEnT6Cm26RIEPExNjbc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>

Paul Wouters writes:
      [ regarding draft-connolly-cfrg-xwing-kem: ]
> > > That draft will be adopted in CFRG.
> > Evidence?
> It seems to me, there is consensus for that document

Evidence? Links?

Here's contrary evidence. First, the CFRG discussion of KEM combiners
has had quite a few different proposals that haven't been withdrawn:
e.g., the generic Ounsworth proposal, the much more specific X-Wing
proposal that you're advocating (care to explain why?), and the
intermediate Chempat proposal.

The CFRG chairs proposed adopting the topic; that wasn't controversial.
They also proposed, basically, an informational document covering all
options---but that was controversial. Ultimately the topic was adopted
with a plan of pulling together a design team to evaluate desiderata for
a document:

   https://mailarchive.ietf.org/arch/msg/cfrg/ZYd_q7QP17EtHtvSj60eSeJvkX0/
   https://mailarchive.ietf.org/arch/msg/cfrg/b63jMnt_3VA-wFAGmVyrXTnDY2o/

In July, the design team proposed a path of (A) identifying relevant
security properties, (B) surveying the literature, and (C) specifying
some initial combiners in light of B and A, making sure to cover at
least specific combinations of {P-256,X25519,P-384} and Kyber:

   https://mailarchive.ietf.org/arch/msg/cfrg/CwrVvm-J7o85TEWkG9RJxZwfXDY/

It's certainly not obvious how X-Wing could fit into that plan, given
that X-Wing is by definition specifically X25519+Kyber768. But I
wouldn't say anything is settled here; I'd expect further discussion in
CFRG of how many ECC options should be supported.

Another issue is that, internally, X-Wing uses a combiner whose security
analysis relies on details of Kyber. I've raised objections to this from
a security-engineering perspective; but the more robust Chempat option
(which I favor) has triggered objections that it would cost Google
_millions_ of dollars. Again I wouldn't say anything is settled here.

Certainly no consensus has been declared yet on any specific options,
nor can I imagine how consensus could be declared at this point given
the actual contents of the discussions. When CFRG hasn't declared
consensus, it's weird to see an IETF AD claiming outside CFRG that CFRG
"will" adopt something or that consensus "seems" to exist in CFRG.

> You can always lend a helping hand to the people involved there or
> express your support for the document on the cfrg list to ensure the
> community there is aware.

I've already been providing detailed input to the discussion (see, e.g.,
https://mailarchive.ietf.org/arch/msg/cfrg/8rs9KcfxfKvgn6FKGs7jMenmPQA/)
and in particular pointing out issues in this particular document
(ibid). So I'm baffled by your sentence here.

---D. J. Bernstein