Re: [lamps] Which PQC KEMs can be used for composite encryption?

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 15 September 2021 18:59 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AA943A03F7 for <spasm@ietfa.amsl.com>; Wed, 15 Sep 2021 11:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QeCkatQHpftU for <spasm@ietfa.amsl.com>; Wed, 15 Sep 2021 11:59:03 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D28473A03F5 for <spasm@ietf.org>; Wed, 15 Sep 2021 11:59:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id EE24267E5D; Wed, 15 Sep 2021 21:58:59 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id KQvu2IF3d0l1; Wed, 15 Sep 2021 21:58:59 +0300 (EEST)
Received: from LK-Perkele-VII2 (87-92-216-160.rev.dnainternet.fi [87.92.216.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 56DCB72; Wed, 15 Sep 2021 21:53:07 +0300 (EEST)
Date: Wed, 15 Sep 2021 21:53:06 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>
Message-ID: <YUJBEi0mupUbcyvA@LK-Perkele-VII2.locald>
References: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Rae0IL-oxVmnd61CFzkUFi9BqdM>
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 18:59:08 -0000

On Wed, Sep 15, 2021 at 10:23:06AM +0000, Bruckert, Leonie wrote:
> 
> I recently looked into the composite encryption described in
> draft-ounsworth-pq-composite-encryption, in particular option 2
> (encryption and KEMs).
> 
> If I understood correctly, the data encryption key is split into at
> least two shares, each being encrypted/encapsulated under the
> respective component public key.
> 
> I was wondering which PQC KEMs can be used with this mode. A
> requirement mentioned in the draft is that
> 
> "all component KEMs MUST produce a shared secret whose bits
> are independent and uniformly distributed (aka "uniformly IID"
> or "uniformly random" or "full entropy") and therefore the shared
> secret is safe to use directly as a symmetric key."
> 
> As far as I know, the NIST candidates are IND-CCA secure KEMs where
> the value being encapsulated is not directly used as shared secret.
> Instead it is fed into a hash function together with some other values
> (e.g. the public key) in order to receive the shared secret. Thus, I
> would conclude that these KEMs are not qualified.
> 
> So my question is: Do we know any PQC KEM that can be used with this
> mode?

There are some other problems with this:

- Some KEMs produce shared secrets that are not the usual 256 bits.
  E.g., NISTPQC altenates FrodoKEM and SIKE can produce 128- or 192-bit
  shared secrets. And even if KEM drives its shared secret output
  directly off a XOF (e.g., NISTPQC finalist Kyber), allowing any output
  length, most implementations will not support that.

  And it is not just PQ KEMs, it is also what classical KEMs produce
  (I think at least some of those drive output from some hash function
  or XOF). And I do not have a handy list of classical KEMs.

- Some encryption modes are not safe with deterministic nonces (e.g.,
  GCM mode, especially with 128-bit keys). Which means either stuffing
  randomly generated nonce into the encrypted message, or coping with odd
  key lengths no KEM is going to be able to produce in practice.




-Ilari