[openpgp] Re: Aligning KEM combiner in OpenPGP and LAMPS
Aron Wussler <aron@wussler.it> Mon, 02 December 2024 16:46 UTC
Return-Path: <aron@wussler.it>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8309AC151525 for <openpgp@ietfa.amsl.com>; Mon, 2 Dec 2024 08:46:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, TO_EQ_FM_DIRECT_MX=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wussler.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xy3MXClKTfiV for <openpgp@ietfa.amsl.com>; Mon, 2 Dec 2024 08:46:10 -0800 (PST)
Received: from mail-4018.proton.ch (mail-4018.proton.ch [185.70.40.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B081C14F60E for <openpgp@ietf.org>; Mon, 2 Dec 2024 08:46:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wussler.it; s=protonmail; t=1733157965; x=1733417165; bh=56Vl+rQurkCv93/+e6R2yW4j9y0fBUkptdXZ7RmnqLU=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector:List-Unsubscribe:List-Unsubscribe-Post; b=F1AUUbkluQeb3fMgIQcqA4avVTm632BUoYbxKW9A7NZTYgkm3ieX+Ay11MJokHSMh 5ma1Ncj5YB4kX2hEA1OXhOyVQ6iax0Hgls9DaUhbBcHoV1KQILDY5bbwQwOfKYCMCh Hx75U7gxB0A5oSZttRl1uZCshMy3EBiVIuD+hm+nM64oEcLWZKm6UxD9BQNRaE31LC RizmJzidbmFbWuV8mqdaS3S2TU4hkR3bSmwoVmcs9QiiIEIkwt1hSAIvKZEf/NcdB7 AUoJpOmmKP+jps3sO+rOYY/801ZUpgvp9cofCzGs7ZM4+PyMnH7zrtX8UZzq9STuZD pOc501MIetTnw==
Date: Mon, 02 Dec 2024 16:45:59 +0000
To: Aron Wussler <aron@wussler.it>
From: Aron Wussler <aron@wussler.it>
Message-ID: <K5CFRyEesSXP2EGv0iA_das1zFkiKT7RgP36GemIJQUpYExMTKSUss4EoRsKoRZlmw5pUpnVeuk6yRWgeMDY8fXrl92IFZ-9YcUvlyRAth4=@wussler.it>
In-Reply-To: <9pre2o3t7W_pzYvQefh92aCFtgF5wZMGwK6p9ZlF5IUpPG2PdOvku-ySmXJD8UrRxiHQ7tY2BIFeShzE-qwfnpYoS8WVGq0cUEhsew0S2Z8=@wussler.it>
References: <9pre2o3t7W_pzYvQefh92aCFtgF5wZMGwK6p9ZlF5IUpPG2PdOvku-ySmXJD8UrRxiHQ7tY2BIFeShzE-qwfnpYoS8WVGq0cUEhsew0S2Z8=@wussler.it>
Feedback-ID: 10883271:user:proton
X-Pm-Message-ID: 5f82668aab5cadf98a9805e508f1f21ef6b6f1a3
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="------bafb64fb499c58e0a2c96756ef567de2cabae9f5900c2a294a04d7e844ba9ac4"; charset="utf-8"
X-MailFrom: aron@wussler.it
X-Mailman-Rule-Hits: max-recipients
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-openpgp.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-size; news-moderation; no-subject; digests; suspicious-header
Message-ID-Hash: CGGFFIRG2PBXUEGHMVINXWFQFYZDIS2L
X-Message-ID-Hash: CGGFFIRG2PBXUEGHMVINXWFQFYZDIS2L
X-Mailman-Approved-At: Mon, 02 Dec 2024 08:48:25 -0800
CC: "openpgp@ietf.org" <openpgp@ietf.org>, Falko Strenzke <falko.strenzke@mtg.de>, Stavros Kousidis <stavros.kousidis@bsi.bund.de>, Johannes Roth <johannes.roth@mtg.de>, John Gray <John.Gray@entrust.com>, Mike Ounsworth <Mike.Ounsworth@entrust.com>, Stephan Ehlen <stephan.ehlen@bsi.bund.de>, "Dang, Quynh H. (Fed)" <quynh.dang@nist.gov>, Sophie Schmieg <sschmieg@google.com>, Bas Westerbaan <bas@westerbaan.name>, Deirdre Connolly <durumcrustulum@gmail.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [openpgp] Re: Aligning KEM combiner in OpenPGP and LAMPS
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/kCn_h0jDpOiJkh_Fi2hYqQHEVDo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Owner: <mailto:openpgp-owner@ietf.org>
List-Post: <mailto:openpgp@ietf.org>
List-Subscribe: <mailto:openpgp-join@ietf.org>
List-Unsubscribe: <mailto:openpgp-leave@ietf.org>
Hi everyone, Given that we didn't get much feedback from the list, we decided to implement option 2a: KEK = SHA3-256( mlkemKeyShare || ecdhKeyShare || ecdhCipherText || ecdhPublicKey || mlkemCipherText || mlkemPublicKey || algId || const ) This conceptually aligns us to LAMPS, up to `mlkemCipherText || mlkemPublicKey || algId || const` being the OpenPGP-specific domain separation. We decided to go with this option because: - It aligns with LAMPS, as discussed at the IETF meeting - It preserves security considerations and can be reused for further hybrid KEMs The PR can be found here: https://github.com/openpgp-pqc/draft-openpgp-pqc/pull/161 Cheers, Aron -- Aron Wussler Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 On Tuesday, 12 November 2024 at 10:55, Aron Wussler <aron@wussler.it> wrote: > Hi everyone, > > This thread sparks from an open MR [1] from Mike, and a brief sync we had between the authors after IETF 121. > > Our problem statement in short: our KEM combiner is SP800-108 based, and this is not okay for FIPS compliance because we use X25591 and X448 in the construction. At IETF 121 it was suggested to align it with LAMPS, given that draft-ietf-lamps-pq-composite-kem has a FIPS-compliant SHA3 combiner based on SP800-56C. > > The PR [1] changes the combiner to the following construction: > > SHA3-256(mlkemKeyShare || ecdhKeyShare || ecdhCipherText || ecdhPublicKey || domSep) > > Now, this is missing the algorithm ID, but added that it would fit most of the criteria expressed on the list in the past [2]: > ✓ Compliant with NIST SP800-56C, as a one-step function (as in section 4, omitting the counter). > ✓ Having the ML-KEM first, and therefore appearing as a key derivation for ML-KEM, with X25519/448 as part of the "fixedInfo". > ✓ Using SHA3-256 (approved hash in FIPS 202). > ✓ Having a trailing domain separation. > ✗ Containing the ML-KEM public key and ciphertext. > > Regarding the last point, that's the only one not met, we had extensive discussion on the OpenPGP list and it seems like there are some voices for including those[2]. We had decided to err on the safe side, and include those. Now, this is not set in stone, and can be changed if the list wishes to. > > In order to have a single construction that works, I would propose the following concrete options: > > 1a. KDF(mlkemSS || tradSS || CT || PK || Domain) > where CT = "tradCT" and PK = "tradPK" for LAMPS, and CT = "mlkemCT || tradCT" and PK = "mlkemPK || tradPK" for OpenPGP > > 1b. KDF(mlkemSS || tradSS || CT || Domain) > where CT = "tradCT" and Domain = "tradPK || Domain" for LAMPS, and CT = "mlkemCT || tradCT" and Domain = "algID" for OpenPGP, and we drop PKs in OpenPGP (needed according to [3], and we already have "tradPK" in the ECDH KDF deriving tradSS) > > 2a. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain) > where Domain is "Domain" for LAMPS, and "mlkemCT || mlkemPK || algId" for OpenPGP > > 2b. KDF(mlkemSS || tradSS || tradCT || Domain) > where Domain is "tradPK || Domain" for LAMPS, and "mlkemCT || algId" for OpenPGP, and we drop "mlkemPK" in OpenPGP (same as 1b, not needed according to [3]) > > 2c. KDF(mlkemSS || tradSS || tradCT || tradPK || Domain) > where we drop mlkemCT and mlkemPK in the OpenPGP construction, fully aligning to LAMPS. Note that this would imply re-writing the security considerations, and while this has been proven safe for X-Wing, there are differing opinions on the security of this with ML-KEM 1024. > > All the options with KDF being SHA3-256 only for all options in OpenPGP (LAMPS allows also HKDF-SHA256). > > Out of these concrete instantiations, I would like to know if there is any preference or if you see any issue. It would be ideal if we could align (modulo different "Domain" definition) with both draft-ietf-lamps-pq-composite-kem and draft-ehlen-openpgp-nist-bp-comp (that at the moment points to the main pqc draft for the KEM combiner). > > Cheers, > Aron > > [1] https://github.com/openpgp-pqc/draft-openpgp-pqc/pull/159 > [2] https://mailarchive.ietf.org/arch/msg/openpgp/HP5uSF4X1bYyuGOMOHed42mH6aQ/ > [3] https://doi.org/10.1007/978-3-319-76578-5_7 > > -- > Aron Wussler > Sent with ProtonMail, OpenPGP key 0x7E6761563EFE3930 > > > > _______________________________________________ > openpgp mailing list -- openpgp@ietf.org > To unsubscribe send an email to openpgp-leave@ietf.org
- [openpgp] Aligning KEM combiner in OpenPGP and LA… Aron Wussler
- [openpgp] Re: Aligning KEM combiner in OpenPGP an… Simon Josefsson
- [openpgp] Re: Aligning KEM combiner in OpenPGP an… Aron Wussler