[openpgp] Re: WG: BSI view on KEM combiners
"D. J. Bernstein" <djb@cr.yp.to> Mon, 09 September 2024 14:56 UTC
Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B57C14F747 for <openpgp@ietfa.amsl.com>; Mon, 9 Sep 2024 07:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxtAhy413rUR for <openpgp@ietfa.amsl.com>; Mon, 9 Sep 2024 07:56:58 -0700 (PDT)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 4DB9AC18DB80 for <openpgp@ietf.org>; Mon, 9 Sep 2024 07:56:57 -0700 (PDT)
Received: (qmail 2211 invoked by uid 1010); 9 Sep 2024 14:56:57 -0000
Received: from unknown (unknown) by unknown with QMTP; 9 Sep 2024 14:56:57 -0000
Received: (qmail 389544 invoked by uid 1000); 9 Sep 2024 14:56:49 -0000
Date: Mon, 09 Sep 2024 14:56:49 -0000
Message-ID: <20240909145649.389542.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: openpgp@ietf.org
In-Reply-To: <9D07412D-4112-41A6-847E-F37DF259B1B6@nohats.ca>
Message-ID-Hash: QQJEPTTNSSEBYME2EKXGVQOAT4YZLSUD
X-Message-ID-Hash: QQJEPTTNSSEBYME2EKXGVQOAT4YZLSUD
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [openpgp] Re: WG: BSI view on KEM combiners
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/V8yMe76mOEnT6Cm26RIEPExNjbc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Paul Wouters writes: [ regarding draft-connolly-cfrg-xwing-kem: ] > > > That draft will be adopted in CFRG. > > Evidence? > It seems to me, there is consensus for that document Evidence? Links? Here's contrary evidence. First, the CFRG discussion of KEM combiners has had quite a few different proposals that haven't been withdrawn: e.g., the generic Ounsworth proposal, the much more specific X-Wing proposal that you're advocating (care to explain why?), and the intermediate Chempat proposal. The CFRG chairs proposed adopting the topic; that wasn't controversial. They also proposed, basically, an informational document covering all options---but that was controversial. Ultimately the topic was adopted with a plan of pulling together a design team to evaluate desiderata for a document: https://mailarchive.ietf.org/arch/msg/cfrg/ZYd_q7QP17EtHtvSj60eSeJvkX0/ https://mailarchive.ietf.org/arch/msg/cfrg/b63jMnt_3VA-wFAGmVyrXTnDY2o/ In July, the design team proposed a path of (A) identifying relevant security properties, (B) surveying the literature, and (C) specifying some initial combiners in light of B and A, making sure to cover at least specific combinations of {P-256,X25519,P-384} and Kyber: https://mailarchive.ietf.org/arch/msg/cfrg/CwrVvm-J7o85TEWkG9RJxZwfXDY/ It's certainly not obvious how X-Wing could fit into that plan, given that X-Wing is by definition specifically X25519+Kyber768. But I wouldn't say anything is settled here; I'd expect further discussion in CFRG of how many ECC options should be supported. Another issue is that, internally, X-Wing uses a combiner whose security analysis relies on details of Kyber. I've raised objections to this from a security-engineering perspective; but the more robust Chempat option (which I favor) has triggered objections that it would cost Google _millions_ of dollars. Again I wouldn't say anything is settled here. Certainly no consensus has been declared yet on any specific options, nor can I imagine how consensus could be declared at this point given the actual contents of the discussions. When CFRG hasn't declared consensus, it's weird to see an IETF AD claiming outside CFRG that CFRG "will" adopt something or that consensus "seems" to exist in CFRG. > You can always lend a helping hand to the people involved there or > express your support for the document on the cfrg list to ensure the > community there is aware. I've already been providing detailed input to the discussion (see, e.g., https://mailarchive.ietf.org/arch/msg/cfrg/8rs9KcfxfKvgn6FKGs7jMenmPQA/) and in particular pointing out issues in this particular document (ibid). So I'm baffled by your sentence here. ---D. J. Bernstein
- [openpgp] WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] BSI view on KEM combiners Kris Kwiatkowski
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners D. J. Bernstein
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Ehlen, Stephan
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Daniel Huigens
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Falko Strenzke
- [openpgp] Re: WG: BSI view on KEM combiners Paul Wouters
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker
- [openpgp] Re: WG: BSI view on KEM combiners Phillip Hallam-Baker