Re: [Pqc] Hybridizing with preshared keys

Bas Westerbaan <bas@cloudflare.com> Wed, 06 September 2023 21:25 UTC

From: Bas Westerbaan <bas@cloudflare.com>
Date: Wed, 06 Sep 2023 23:25:30 +0200
To: Douglas Stebila <dstebila@gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "pqc@ietf.org" <pqc@ietf.org>
In-Reply-To: <D84D168B-46A2-4500-A1C9-D3EC242109EE@gmail.com>
Message-ID: <CAMjbhoW9f-EmhStgEU6tia7HaniPBs80FybbvQ8LpXKsBggxqw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/kd6NM-DJjrzYji5Km5Nq2nLDO80>
Subject: Re: [Pqc] Hybridizing with preshared keys
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>

I agree with Douglas for a slightly more abstract reason: you need to know
*which* preshared key to mix in, and the KEM abstraction doesn't give you
that context, whereas in the protocol you are able to have it.

On Wed, Sep 6, 2023 at 11:22 PM Douglas Stebila <dstebila@gmail.com> wrote:

> For TLS, there is the hybrid KEM/DH mechanism in [1].  But as that is
> already taking place in the context of the TLS handshake, it seems to me
> that it is not the right place to mix in a pre-shared key: just use TLS's
> existing PSK mechanism.
>
> Douglas
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/
>
>
> > On Sep 6, 2023, at 11:25 AM, Paul Hoffman <paul.hoffman@icann.org>
> wrote:
> >
> > Arrrgh. I was being too subtle/cute. Let me try again.
> >
> > Greetings again. Some people are actively suggesting that one way to
> make a quantum-safe KEM is to mix a preshared key with a classical KEM or a
> PQC KEM. There are different ways that those preshared keys are distributed
> to the two parties.
> >
> > My question is: of the hybrid KEM approaches that are being standardized
> in the IETF, which are and are not useful for mixing in preshared keys?
> >
> > --Paul Hoffman
> >
> > --
> > Pqc mailing list
> > Pqc@ietf.org
> > https://www.ietf.org/mailman/listinfo/pqc
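The two designs the thread contrasts, as an added illustration that is not part of the original messages or of draft-ietf-tls-hybrid-design: a KEM-combiner that hashes shared secrets together (a PSK can be appended, but the interface carries no record of which PSK), beside a protocol-level path in the spirit of TLS 1.3's PSK identity and binder, where the identity is sent in the handshake, the responder selects the key by that identity, and a binder proves the initiator actually holds it. The shared secrets, PSKs and transcript are constructed byte strings standing in for X25519/KEM outputs and handshake messages; the key schedule is a simplified sketch built on HKDF primitives, not the TLS 1.3 schedule.

```python
import hashlib
import hmac

# Constructed sample values standing in for real protocol outputs.
SS_CLASSICAL = b"\x11" * 32          # would be the X25519 shared secret
SS_PQ = b"\x22" * 32                 # would be the PQ KEM shared secret
PSK_A = b"A" * 32                    # pre-shared key provisioned for "site-a"
PSK_B = b"B" * 32                    # pre-shared key provisioned for "site-b"
TRANSCRIPT = b"ClientHello|ServerHello (constructed)"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes) -> bytes:
    # Single-block HKDF-Expand (RFC 5869), enough for one 32-byte key.
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


# (1) Mixing inside the KEM combiner. The combiner only ever sees shared
# secrets, so it has no field that says *which* PSK was used.
def combiner_key(ss_classical: bytes, ss_pq: bytes, psk: bytes) -> bytes:
    return hashlib.sha256(ss_classical + ss_pq + psk).digest()


# (2) Mixing at the protocol layer. The PSK identity is carried in the
# handshake, the responder selects the key by identity, and a binder proves
# the initiator holds that key before anything is derived from it.
def psk_binder(psk: bytes, identity: bytes, transcript: bytes) -> bytes:
    binder_key = hkdf_expand(hkdf_extract(b"\x00" * 32, psk), b"binder|" + identity)
    return hmac.new(binder_key, transcript, hashlib.sha256).digest()


def derive_key(psk, identity, transcript, ss_classical, ss_pq) -> bytes:
    # Both shared secrets and the PSK identity feed the schedule, so peers
    # that disagree on the PSK never silently end up with the same key.
    early = hkdf_extract(b"\x00" * 32, psk)
    handshake = hkdf_extract(early, ss_classical + ss_pq)
    return hkdf_expand(handshake, b"hs|" + identity + b"|" + transcript)


def responder_key(psk_store, identity, binder, transcript, ss_classical, ss_pq) -> bytes:
    psk = psk_store.get(identity)
    if psk is None:
        raise KeyError("unknown PSK identity")
    if not hmac.compare_digest(binder, psk_binder(psk, identity, transcript)):
        raise ValueError("binder mismatch: initiator does not hold this PSK")
    return derive_key(psk, identity, transcript, ss_classical, ss_pq)


def demo() -> dict:
    store = {b"site-a": PSK_A, b"site-b": PSK_B}   # responder holds several PSKs
    # Combiner level: initiator mixes PSK_A, responder guesses PSK_B. The keys
    # differ and neither side learns why, because no identity was carried.
    k_init = combiner_key(SS_CLASSICAL, SS_PQ, PSK_A)
    k_resp = combiner_key(SS_CLASSICAL, SS_PQ, PSK_B)
    result = {"combiner_keys_match": k_init == k_resp}
    # Protocol level: the identity travels with the handshake.
    ident = b"site-a"
    binder = psk_binder(PSK_A, ident, TRANSCRIPT)
    k_init = derive_key(PSK_A, ident, TRANSCRIPT, SS_CLASSICAL, SS_PQ)
    k_resp = responder_key(store, ident, binder, TRANSCRIPT, SS_CLASSICAL, SS_PQ)
    result["protocol_keys_match"] = k_init == k_resp
    # An initiator that names "site-a" but actually holds PSK_B is rejected.
    try:
        responder_key(store, ident, psk_binder(PSK_B, ident, TRANSCRIPT),
                      TRANSCRIPT, SS_CLASSICAL, SS_PQ)
        result["wrong_psk_rejected"] = False
    except ValueError:
        result["wrong_psk_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The combiner path is not wrong as a KDF; it is simply the wrong layer for PSK selection, which is the point Bas and Douglas make: the handshake already has a place to name the PSK and to check that the peer holds it, and the combiner has neither.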