Re: [lamps] Which PQC KEMs can be used for composite encryption?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 17 September 2021 13:19 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, Ilari Liusvaara <ilariliusvaara@welho.com>, "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Date: Fri, 17 Sep 2021 13:19:43 +0000
Message-ID: <BL3PR11MB5682358515782AD20685EA1FC1DD9@BL3PR11MB5682.namprd11.prod.outlook.com>
References: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com> <YUJBEi0mupUbcyvA@LK-Perkele-VII2.locald> <BL3PR11MB56822BD25C6CD932BC13CB14C1DC9@BL3PR11MB5682.namprd11.prod.outlook.com> <CH0PR11MB57396E062999898D5CDC0B3B9FDC9@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57396E062999898D5CDC0B3B9FDC9@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4ykdcX19eSL67zL9ao_-gqcfx5I>

I'm sorry, I missed the context; I was responding to Ilari's comments.

That said, I would have to reiterate that your "Composite Key Transport using Encryption and KEM primitives" does have issues; it makes some assumptions on the KEMs, and while some KEMs will meet those assumptions, others won't.

Again, if you are doing a general construction, it would make more sense to go with a composite method that makes minimal assumptions on the primitives it relies on; the "composite key exchange" you have in section 4 comes considerably closer to that.

And, if you find the need to do key transport (or public key encryption in general) with the method of section 4, you can always use the "Integrated Encryption System" method - you have your composite key exchange generate a shared key, which you use as the key for a symmetric cipher to encrypt the message you're sending.  Yes, that does mean negotiating yet another primitive; however (IMHO) the conservative nature of the approach warrants it.

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Mike Ounsworth
Sent: Thursday, September 16, 2021 5:01 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>; Ilari Liusvaara <ilariliusvaara@welho.com>; Bruckert, Leonie <Leonie.Bruckert@secunet.com>
Cc: spasm@ietf.org
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?

Hi Scott,

Just to take a step back here for context; to start this discussion, we submitted three different composite key establishment modes:
1. Only encryptions
2. One or more encryptions + zero or more KEMs
3. Any combination of encryptions, KEMs, KeyExs. This mode runs everything through a KDF as per SP 800-56Cr2.

The differences between 2 and 3 is that Mode 2:
* Allows you to input a pre-existing CEK rather than have one derived, and
* Does not need to specify a KDF in composite-encryption params.

If you're suggesting to engineer out both of these benefits, then maybe it's better to just use mode 3? :)



Consider the CMS use-case where you have a message. You envelope it with AES. Now you have an AES key that you need to encrypt a copy of for each of the recipients. Modes 1 and 2 are intended to implement CMS KeyTransRecipientInfo using only the asymmetric primitives in the recipient's composite public key, and XOR, and an RNG. No KDF needed; no block / stream cipher needed. Can add them if necessary, but let's make sure they're necessary.

Mode 3 does not implement KeyTransRecipientInfo because the CEK falls out of doing all the separate key establishments and hashing them all together.

There was good debate at the interim about what interfaces a PQ CMS actually needs to implement .. KeyTransRecipientInfo? KeyAgreeRecipientInfo? Or should we define a new KEMRecipientInfo and just implement that, in which case we could shorten this draft down to only Mode 3.
If we decide to implement Mode 3 as a KeyTransRecipientInfo or KeyAgreeRecipientInfo, then we would need to include a block / stream cipher inside the composite-encryption primitive. If we define a new KEMRecipientInfo then we could decide to include that block / stream cipher at the CMS layer.
Let's start by deciding what interfaces we're trying to implement.



PS. From Kris and Marku's messages it sounds like the "KEM MUST produce IID shared secret" is fulfilled by all PQC KEMs and not actually a problem in practice. If we're bashing at the restrictions on Mode 2, I would like to bash at the requirement to have at least one encryption, and engineer a way to make it work with only KEMs.

---
Mike Ounsworth

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: September 16, 2021 8:58 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>; Bruckert, Leonie <Leonie.Bruckert@secunet.com>
Cc: spasm@ietf.org
Subject: [EXTERNAL] Re: [lamps] Which PQC KEMs can be used for composite encryption?

> So my question is: Do we know any PQC KEM that can be used with this 
> mode?

I think we agree that we want something that can be used with any reasonable encryption or KEM primitive (even ones that haven't been invented yet), hence the requirement that this draft places on KEMs is too restrictive (even ignoring the valid points that Leonie brings up).

One obvious modification we could place on the draft is to send the output of any KEMs through a KDF.  Actually, sending everything through a KEM would mean that, even if only public key encryption algorithms are used, neither side could set the CEK to an arbitrary value.  The implicit API in the Generation Procedure doesn't support that (it assumes the CEK comes from the caller, that is, someone selects the value) - would it be an issue to change that?

Of course, the problem with specifying a KEM (apart from the added complexity) is that both sides need to agree on it.  One approach would be to have the public key contain a list of KDFs that the decryptor supports, and have the ciphertext include the KDF that the encryptor used.

Would this be a reasonable (if somewhat radical) change to the draft?


_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
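The thread contrasts Mode 2 (caller-chosen CEK, component outputs combined by XOR, hence the "KEM MUST produce IID shared secret" requirement) with Mode 3 (everything through an SP 800-56C r2 KDF), and Scott proposes that the public key advertise the KDFs the decryptor supports while the ciphertext names the one used. The following Python is an added illustration of those three points; it is not code from the draft or from any participant. The component shared secrets are constructed stand-ins for whatever the component encryption/KEM algorithms would produce, the KDF identifier strings are assumed names rather than registered ones, and the Mode 2 wrap/unwrap shape and the length-prefixed concatenation of Z in Mode 3 are this example's own choices.

```python
"""Toy model of the composite key-establishment combiners debated in this thread.

Added illustration, not code from the draft or from any list participant. Component
shared secrets are constructed values; KDF identifiers are assumed names; the Mode 2
wrap/unwrap and the length-prefixed Z encoding in Mode 3 are this example's choices.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed KDF identifiers -> (hash name, HMAC salt or None for the plain-hash option).
KDF_REGISTRY = {
    "one-step-sha256": ("sha256", None),
    "one-step-sha512": ("sha512", None),
    "one-step-hmac-sha256": ("sha256", b"\x00" * 32),
}


def one_step_kdf(z: bytes, fixed_info: bytes, out_len: int, hash_name: str,
                 salt: Optional[bytes] = None) -> bytes:
    """SP 800-56C r2 one-step KDF: K(i) = H(counter_i || Z || FixedInfo) with a 4-byte
    big-endian counter starting at 1 (Option 1); with a salt, H is HMAC (Option 2)."""
    digest_size = hashlib.new(hash_name).digest_size
    blocks = []
    for counter in range(1, -(-out_len // digest_size) + 1):   # ceil(out_len / size) blocks
        msg = counter.to_bytes(4, "big") + z + fixed_info
        if salt is None:
            blocks.append(hashlib.new(hash_name, msg).digest())
        else:
            blocks.append(hmac.new(salt, msg, hash_name).digest())
    return b"".join(blocks)[:out_len]


def combine_kdf(component_secrets: list, kdf_id: str, fixed_info: bytes,
                out_len: int = 32) -> bytes:
    """Mode 3: every component output goes into one Z and through the negotiated KDF.
    Each secret is length-prefixed so Z cannot be re-split ambiguously (example's choice)."""
    hash_name, salt = KDF_REGISTRY[kdf_id]
    z = b"".join(len(s).to_bytes(2, "big") + s for s in component_secrets)
    return one_step_kdf(z, fixed_info, out_len, hash_name, salt)


def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings: the only combining operation Mode 2 uses."""
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("XOR combiner needs equal-length component outputs")
    out = bytearray(n)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def mode2_wrap(cek: bytes, kem_secrets: list) -> bytes:
    """Mode 2 (this example's reading): the caller supplies the CEK; the value handed to
    the encryption component is the CEK masked by XOR with every KEM output."""
    return xor_bytes(cek, *kem_secrets)


def mode2_unwrap(share: bytes, kem_secrets: list) -> bytes:
    """Recipient: after decrypting the share, XOR the KEM outputs back out to get the CEK."""
    return xor_bytes(share, *kem_secrets)


@dataclass
class CompositePublicKey:
    """Scott's proposal: the public key advertises the KDFs the decryptor supports."""
    supported_kdfs: list


def encryptor_derive(pk: CompositePublicKey, component_secrets: list,
                     encryptor_kdfs: list, fixed_info: bytes):
    """Pick the first KDF both sides support, derive the CEK, and return the header
    (KDF id plus FixedInfo) that travels with the ciphertext."""
    for kdf_id in encryptor_kdfs:
        if kdf_id in pk.supported_kdfs:
            header = {"kdf": kdf_id, "fixed_info": fixed_info}
            return header, combine_kdf(component_secrets, kdf_id, fixed_info)
    raise ValueError("no KDF in common with the recipient")


def decryptor_derive(pk: CompositePublicKey, header: dict, component_secrets: list) -> bytes:
    """Recipient: refuse a KDF the key never advertised, otherwise derive the same CEK."""
    if header["kdf"] not in pk.supported_kdfs:
        raise ValueError("ciphertext names a KDF this key does not support")
    return combine_kdf(component_secrets, header["kdf"], header["fixed_info"])


def nonuniform_kem_leak() -> bool:
    """Why Mode 2 needs IID KEM output: a constructed KEM whose 32-byte secret always has
    16 leading zero bytes, paired with an encryption component assumed broken (so the
    attacker reads the share). The XOR mask then leaves half of the CEK exposed."""
    cek = secrets.token_bytes(32)
    bad_kem_secret = b"\x00" * 16 + secrets.token_bytes(16)
    share = mode2_wrap(cek, [bad_kem_secret])   # what a broken PKE component would reveal
    return share[:16] == cek[:16]
```

Running `nonuniform_kem_leak()` returns True every time: with XOR as the only mixing step, any structure in a component's output shows up directly in the CEK once the other component fails, which is the property Leonie's question and Scott's objection turn on. Feeding the same two secrets through `combine_kdf` instead yields a key that depends on the unpredictable half of the weak KEM's output through the hash, so the decryptor-advertised KDF list plus the KDF id in the header is the extra negotiation Scott's message accepts as the price of the more conservative construction.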