Re: [lamps] Which PQC KEMs can be used for composite encryption?

"Bruckert, Leonie" <> Thu, 16 September 2021 06:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 351E83A1993 for <>; Wed, 15 Sep 2021 23:12:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PDS_BTC_ID=0.499, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3Np7xeU1re8e for <>; Wed, 15 Sep 2021 23:12:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 818B23A1992 for <>; Wed, 15 Sep 2021 23:12:30 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2A46F201D3; Thu, 16 Sep 2021 08:12:24 +0200 (CEST)
X-Virus-Scanned: by secunet
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9mj4OTuBV136; Thu, 16 Sep 2021 08:12:22 +0200 (CEST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5645F2057B; Thu, 16 Sep 2021 08:12:22 +0200 (CEST)
Received: from (unknown []) by (Postfix) with ESMTP id 5097380004A; Thu, 16 Sep 2021 08:12:22 +0200 (CEST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.14; Thu, 16 Sep 2021 08:12:22 +0200
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2176.14; Thu, 16 Sep 2021 08:12:21 +0200
Received: from ([fe80::1522:bd4f:78cd:ce75]) by ([fe80::1522:bd4f:78cd:ce75%6]) with mapi id 15.01.2176.014; Thu, 16 Sep 2021 08:12:19 +0200
From: "Bruckert, Leonie" <>
To: Mike Ounsworth <>, "" <>
Thread-Topic: Which PQC KEMs can be used for composite encryption?
Thread-Index: AdeqG5+virMmP+tFQ5WeytN7CFzMdAAUNpvgABLwvFA=
Date: Thu, 16 Sep 2021 06:12:19 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: de-DE, en-US
Content-Language: de-DE
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10
Archived-At: <>
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 16 Sep 2021 06:12:38 -0000

Hi Mike,

Comments inline.

> Hi Leonie, thanks for starting this discussion.
> I guess the Too Long; Didn't Read here is: Can we assume a KDF is always
> included in a KEM encaps(), or do we need to do one explicitly as part of
> composite-encryption?
> I think (but could be wrong) that CCA security is orthogonal to whether the
> KEM output (ie shared secret) can be used directly as a symmetric key, or if it
> needs to be run through a KDF first. For example, I could imagine a KEM that
> outputs an IND-CCA shared secret prefixed with a fixed version byte; you
> can't use that directly as a one-time-pad key because of the fixed version
> byte.

I am not an expert in KEM constructions either, but this sounds plausible.

> That security consideration text is there because we've been struggling to
> understand whether, with the KEM specifications that will be standardized
> by NIST, the KEM would be expected to output a shared secret that can be
> used directly as a one-time-pad (i.e. the bits of the shared secret are a
> random key). If I'm reading your email properly, you're advocating that a
> KEM's output should be hashed together with some protocol-level
> contextual values before it's used?

That is not what I was trying to say. I rather observed that a KDF or hash function is incorporated in the NIST KEMs. I try to explain my thoughts in the next paragraph.

> As an example of a PQC KEM that should work, Kyber (as per the Round 3
> submission docs) has a KDF as the last step of the CCAKEM algorithm:
> K := KDF(K||H(c))
> So, it should be ok to be used directly in our scheme.

Okay, let's take Kyber as an example, but you could easily think of another PQC KEM.
The 'K's in the formula above are actually not the same, so I added a '*' for clarification.

K := KDF(K* || H(c)) 
K is the final key that is returned by Kyber. It may be used directly for encryption. K* is a random value that is chosen by Alice. K* is encapsulated by Alice resulting in a ciphertext. This ciphertext is transmitted to Bob. Bob runs the decapsulation and gets K*. Both Alice and Bob use the KDF to derive the key K.

Now consider a composite encryption scenario where Alice wants to send a message to Bob. 
Bob owns a composite public key consisting of two component keys. Let's assume that the first component key can be used with e.g. Kyber. 

According to the draft, the content encryption key is split into two shares: CEK = S1 XOR S2. This is achieved by generating a random S1 and calculating the second share as S2 = CEK XOR S1.
While writing this, I just noticed that I overlooked the case distinction in the encryption process described in the draft. So, I think I do not have a problem here anymore. In case of KEMs the share is not randomly chosen, but output of the encapsulation (S1 =  K).

Then I am totally fine. Sorry for causing confusion. I misleadingly assumed S1 = K* which is of course nonsense. 


> The same should be true of SIKE KEM (Round 3 SIKE spec 1.3.11 Algorithm 2
> Encaps) as it also finishes by hashing everything.
> The consensus at the LAMPS interim was to bring these discussions back to
> RSA-KEM (5990). The KEM shared secret Z is not itself IID, so they run it
> through a KDF (by itself) in Step 3 to be able to use it as a KEK.
> KEK = KDF (Z, kekLen)
> WK = Wrap (KEK, K)
> So we have two examples of compatible KEMs, and one that isn't directly but
> could be made compatible. But we're not sufficiently expert in KEMs to know
> if this applies only to some PQC KEMs, to all PQC KEMs, or all KEMs present
> and future. Or, to your point, whether this is actually how KEM outputs are
> intended to be used, or if you need to hash them with protocol context
> values first. We believed, from looking at the Kyber and SIKE construction
> that an extra KDF step (and parameter) was unnecessary, but we're happy to
> add it if it improves security or makes this mode more generally applicable to
> more KEM primitives.
> I am eager to hear from people more expert than myself in KEM
> constructions :)
> ---
> Mike Ounsworth
> -----Original Message-----
> From: Spasm <> On Behalf Of Bruckert, Leonie
> Sent: September 15, 2021 5:23 AM
> To:
> Subject: [EXTERNAL] [lamps] Which PQC KEMs can be used for composite
> encryption?
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know the
> content is safe.
> __________________________________________________________
> ____________
> Hash: SHA256
> Hi,
> I recently looked into the composite encryption described in draft-
> ounsworth-pq-composite-encryption, in particular option 2 (encryption and
> KEMs).
> If I understood correctly, the data encryption key is split into at least two
> shares, each being encrypted/encapsulated under the respective
> component public key.
> I was wondering which PQC KEMs can be used with this mode. A
> requirement mentioned in the draft is that
> "all component KEMs MUST produce a shared secret whose bits are
> independent and uniformly distributed (aka "uniformly IID"
> or "uniformly random" or "full entropy") and therefore the shared secret is
> safe to use directly as a symmetric key."
> As far as I know, the NIST candidates are IND-CCA secure KEMs where the
> value being encapsulated is not directly used as shared secret. Instead it is
> fed into a hash function together with some other values (e.g. the public
> key) in order to receive the shared secret. Thus, I would conclude that these
> KEMs are not qualified.
> So my question is: Do we know any PQC KEM that can be used with this
> mode?
> If I use KEMs in a composite encryption mode, I certainly want them to be
> CCA secure so I can use the public key multiple times. Otherwise it won't
> make sense to put them in a certificate.
> Please clarify if I am wrong with my thoughts.
> Regards,
> Leonie
> Comment: Using gpg4o v6.0.124.9651 -
> Charset: utf-8
> DsJ
> ayNu1w//W3mJD9LJ43KxEVv0t9etwv1Rw21ztRmb0biWskF1JJkxZIUmXBdb7
> MS9
> Sct7czMb/oNL/jrFqbiAHREwI2M5CVQ88v2YIGvA7T562amU3NBH/HbHZSwRe
> ByB
> nQlV+JmEEovHM75pasOEUGAYBVLG3smbRSNl0rQqk0hvCUPpWfuXxyVuxCY
> zaGu7
> XxvhfU0RSCE/e76xzf90WQQn1IylH8tCKrXST5+x+pxk2W2MkyNVzOqTBg7syc
> dg
> YJLLyK4aHm7emrlh6xOxSCVKVqsxKzGNV8/TRo/lvd3zhjTj6Ij5pLctBIgSHeA4
> rGSjqviKrMmFErnX3OeXgkPDNebQpxL0nrO7+vyJspzJ1C4SM2XQzvewjUSCa0
> gS
> 163eQI+ufvbEBp48BqGNcnrYPgjs+CIKvbcK4a5ETbtCT9HG+chED4v62x261YKw
> q6c6/1kEbd1hS3raaWKFEmhned2JP5WTGTu5/PARvA4hTqEaxnujBEF8qja3jz4
> Q
> nEe9AKB
> pQPgEV2Z0eIUB5FRBQwy27/ZWHzmL/VnJwb5MtuNg2cBNw+TBYCdaNo8KV
> 1uTeRP
> ASCIAvecw7809QAx4okUChvIBR/25qBJkGthNOLXnA9mqzINdGw=
> =Bqt8
> Any email and files/attachments transmitted with it are confidential and are
> intended solely for the use of the individual or entity to whom they are
> addressed. If this message has been sent to you in error, you must not copy,
> distribute or disclose of the information it contains. Please notify Entrust
> immediately and delete the message from your system.