IETF Logo Mail Archive

Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 12 April 2024 12:34 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55316C151995; Fri, 12 Apr 2024 05:34:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u_Td5iHDC4Gt; Fri, 12 Apr 2024 05:34:06 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43E0EC14F6E4; Fri, 12 Apr 2024 05:34:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id EDC2E3898B; Fri, 12 Apr 2024 08:34:04 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id dEUYDOs-wBmh; Fri, 12 Apr 2024 08:34:04 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 428C738988; Fri, 12 Apr 2024 08:34:04 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1712925244; bh=asynB6H4IxaSH+75g8pxaXFkPaOK2PdVxLO3Jxe8FDM=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=qX9mIXUBxWTNdojuqOXlsxsMNlPS1H6B3rj2HSxMLLqq4wEqmpNmXtUbbfBSXaBl0 E44+rL12WRt/iyOsbHQGayGNxMPu+NM+wLAR3ycmyse5uzADaDbGgJkwY7LUk+ypTL W7MdH4iZsN3vee7wf4upmUe5QXeO7UV0AcJL35cD1xTpjbEGqDzRPQFZEeIeYolDSG 7KRKF1h2nvXXMsBqK3yjApRXLsbeHk9tu7BU3ZpmlQt9Po+EPe0mwhzEP6chB/5ReG EPCF7AdYxcyqeVTCzj4LS9yxbhhFWRTZ36Anf22Z/pOODr8TdnrxdWENQkE7N7XL9F ucNG6+NCsBQ3A==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 3E39F11F; Fri, 12 Apr 2024 08:34:04 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>
cc: Russ Housley <housley@vigilsec.com>, Deirdre Connolly <durumcrustulum@gmail.com>, LAMPS <spasm@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
In-Reply-To: <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com> <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 12 Apr 2024 08:34:04 -0400
Message-ID: <353.1712925244@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/u-DnhCD63utMgVsm7I8MfJVghfM>
Subject: Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 12:34:10 -0000

Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
    > I still would like to see an analysis of whether the PK is always available
    > at decryption time. I would like to hear from smartcard, HSM, IoT, TPM type
    > people about whether it's fair to assume that the CMS / JOSE / COSE / etc
    > layer of a decryption routine will have access to the public key at
    > decryption time, or whether that will force some folks into awkward

It's not an argument that one sees at all levels of API today, but I think it
could be added.

    > re-architecturing exercises. For example, if someone has a TPM architecture
    > where only the wrapped private key is stored locally (cause why would you
    > ever need to encrypt for yourself?), then I could see that being an annoying
    > architecture change to also keep the public key. On the other hand, ML-KEM
    > is greenfield, so maybe it's ok to say "When ML-KEM; your private key object
    > MUST contain the public key".

+1


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email