Re: [lamps] Which PQC KEMs can be used for composite encryption?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 16 September 2021 14:48 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29CE93A2BC8 for <spasm@ietfa.amsl.com>; Thu, 16 Sep 2021 07:48:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=T5OCDeFZ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=LLMvTRoC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDPRBtC81lJW for <spasm@ietfa.amsl.com>; Thu, 16 Sep 2021 07:48:42 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45A473A2BC7 for <spasm@ietf.org>; Thu, 16 Sep 2021 07:48:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3644; q=dns/txt; s=iport; t=1631803722; x=1633013322; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=/MH5PCTAIrGjrdbnWppXU/WBqY2/XlOMquU3ICX2amI=; b=T5OCDeFZly08UrG9x8LabSRQGLNQrBuam6W70CsIfvXSn7c7RO4w65WM xTYaE3E+m+iapsB19Xpe6JJt1B3OBpKLuXb687Eod3ciLRnjXYQiBviZK 7E5lob5tpaO7fsPHLUrR/TtUI3/V/UnSLpany914BtMs2okeogf+0Howw Q=;
X-IPAS-Result: =?us-ascii?q?A0CgAABfWENhl4YNJK1aGwEBAQEBAQEBBQEBARIBAQEDA?= =?us-ascii?q?wEBAUCBWYFTUYFYNzGIDwOFOYgIA5pcglMDVAsBAQENAQFBBAEBhH0CgkcCJ?= =?us-ascii?q?TgTAQIEAQEBAQMCAwEBAQEFAQEFAQEBAgEGBBQBAQEBAQEBAYEIhWgNhkIBA?= =?us-ascii?q?QEBAgESKAYBATcBBAcEAgEIEQQBAR8QMh0IAQEEDgUIGoJPglYDDiEBpX8Bg?= =?us-ascii?q?ToCih94gTOBAYIIAQEGBASFChiCNAmBOoJ/hweBUIItBwEfHIFJRIEVQ4I3M?= =?us-ascii?q?D6ERgWDRoIuhzgQUBEVGTodVngtBgIRUwEBChEpvVIKgyuefBSnBZYcpS8CB?= =?us-ascii?q?AIEBQIOAQEGgXgigVtwFTuCaVEZD44gCw4Jg1CKXnQ4AgYLAQEDCY95AQE?=
IronPort-PHdr: A9a23:jryQBBMBHDqd2HKLcRsl6ncZWUAX0o4cdiYK554njPRFdaHwt5jhP UmK4/JrgReJWIjA8PtLhqLQtLyoQm0P55uN8RVgOJxBXhMIk4MaygonBsPWFkD/LPmsZCs/T 4xOUVZ/9CS9Nk5YUM/1e1zVpCi06jgfUhXyPAZ4PKL7AInX2s+2zOu1vZbUZlYguQ==
IronPort-Data: A9a23:drP7OqLjL9PI6xVXFE+R1ZUlxSXFcZb7ZxGr2PjKsXjdYENS3jFSy 2NOUTqFPv2PMWH2Kt5wOYmyoUwOuMXXnNRlS1Ed+CA2RRqmiyZq6fd1j6vUF3nPRiEWZBs/t 63yUjRDRSwNZie0Si2FatANllEhk/HVLlbAILScYHkpFFY6EH1JZS9LwobVvKY52bBVPCvV0 T/Ci5W31IiNgmMc3so8sspvmTs31BjAkGpwUm8WOZiniGTje0w9V/rzE00ew0zQGeG4FsbiL wrKISrQEmnxp3/BAfv9+lr3n9FjrrP6ZWCzZnRqt6eKvx9++S5t+YYBD9lMQ0QLpjSKgfVJ1 4AY3XCwYV9B0qzkkeAZVVxTFDtzePQcvrTGOnO498eUyiUqcVO1nK4oVx9wZNZeo70raY1N3 aRwxDQldR6HmuKszaiTQeh3jcNlJ87uVG8aki49kGiBXal3EfgvRY3O35xF0RgPnflqMtbYR JsYMCpoVBnPNkgn1lA/UcJiw7jAamPEWyZAoUmQjas6/2aVyxZ+uJDJPd3Te9HMb99IlUWVv H7u5GnyHxcXKJqUzj/t2nOoj/XOmSLmQ5wbHaex3uFnhF2UgGcUDXUruUCTqP29jAu1XMhSb hVOvCEvtqM1skesS7ERQiFUvla5uSJDWYV7M9cBy1Gnyfb54gWHI1AbG2sphMMdiCMmedA7/ gbXxIq0VGMw7uP9pWG1rezM/GniUcQBBSpTO3FYEFdtD8zL/dlbs/7Zcjp0/EdZZPXcHTX9x VhmRwBh2u1L16bnO0hHlG0rbhqlopzPCwUy/AiSBzjNAuJFiGyNOtfABbvztKsowGOlor+p5 yBsdy+2t7tmMH11vHbRKNjh5Znwjxp/DNE5vbKJN8d5n9hK0yD4Fb28HBklTKuUGp9eIGSwM BO7Vf15u8EDVJdVUUOHS9vhV5t1pUQRPf/kTfvTJuFfeYR8cRTvwc2dTR/Jgzy8wSARfVUEE c7DK66EVC9CYYw+lWbeb7pNgNcDm3FlrUuOFM+T50r8i9K2OiXKIYrpxXPTN4jVGovf+16Lm zueXuPXoyhivBrWOXWOqt9PcglRdBDWx/ne8qRqSwJKGSI+cElJNhMb6epJl1BN90iNqtr1w w==
IronPort-HdrOrdr: A9a23:TAgWgahRyFYGf5PLpk/bzmkXVXBQX4J23DAbv31ZSRFFG/FwyP rOoB1L73HJYWgqN03IwerwR5VpQRvnhPlICPoqTMmftW7dySuVxeBZnMrfKljbexEWmdQtrp uIH5IObeEYSGIK8foSgzPIUOrIouP3ipxA7N22pxwGIG0aCNAD0+46MHfnLqQcfnghOXNNLu vl2iMxnUvYRZ14VLXeOlA1G8z44/HbnpPvZhALQzQ97hOVsD+u4LnmVzCFwxY3SVp0sPUf2F mAtza8yrSosvm9xBOZ/XTU9Y5qlNzozcYGLNCQi/ISNi7nhm+TFcFcsvy5zXQISdOUmRAXee r30k4d1gNImivsl1SO0FzQMs/boW0TAjHZuAWlaDDY0L3ErXoBerp8bMRiA0bkA45KhqAi7E qNtFjp66a/RCmw7xjV9pzGUQpnmVGzpmdnmekPj2ZHWY9bc7NJq5cDlXklXavoMRiKo7zPKt MeRv00JcwmBm+yfjTcpC1i0dasVnM8ElOPRVUDoNWc13xTkGpix0UVycQDljNYnahNBKVs9q DBKOBlhbtORsgZYeZ0A/oAW9K+DijITQjXOGyfLFz7HOUMOm7LqZTw/LIpjdvaNKAg3d83gt DMQVlYvWk9dwbnDtCPxoRC9lTXTGC0TV3Wu4ljDlhCy/TBrZ/QQGO+oXwV4r6dSsQkc7vmsq yISeBr6tfYXB/TJbo=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.85,298,1624320000"; d="scan'208";a="755108798"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Sep 2021 14:48:41 +0000
Received: from mail.cisco.com (xbe-aln-006.cisco.com [173.36.7.21]) by alln-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 18GEmeTn013138 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 16 Sep 2021 14:48:40 GMT
Received: from xfe-aln-004.cisco.com (173.37.135.124) by xbe-aln-006.cisco.com (173.36.7.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 16 Sep 2021 09:48:40 -0500
Received: from xfe-rtp-005.cisco.com (64.101.210.235) by xfe-aln-004.cisco.com (173.37.135.124) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15; Thu, 16 Sep 2021 09:48:40 -0500
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-005.cisco.com (64.101.210.235) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.15 via Frontend Transport; Thu, 16 Sep 2021 10:48:39 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TRaRm5nqi0fAIrLr4y/3WagYSWSIc98WLKOhHdqd6rjPCBsJsRrffBW/3TAaAjyIjk9UQNTxaUfrHn3SlX62SVtF6o2Eb0rku2T5RcBRtyxTAv+2bYUbFjRWArY/Y5kGMeEfXhK6w/Pfk8C23KarpmLTbaA0ajK1bvo+RxI/Hcr2eOVLMoCGqmhMq4ByWxyX2zBX5uytWROiXVInX95iPTiSTxJCQ3GRuTz3Ul26gluj07ieJsCy+mHAvDww97bBmWTHOfKXRPbhht7ZZp1sL8ehNNB0BiklKwzcFbkAfEu1QMCa7bq8eK4AEv/ndiQaqlw18lfu2KGWs2nP0Yshvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/oDEr3CDa4GljTEfxXWhj03gawYMDOZe3UtlhMB2uxE=; b=e/T/QAJbsgc5onukO2Au5ZZKgi4lhpdopcQkxlhysr4dQfVx1se6DIXJ90AhN5g9BkTuFBdBRo6VvezxtoWjDzcG7zfanw9ZjuUzVHmqexEGw/rEaz47r8C+GzkBZZsq2FIcfy+USnWFFwi/IkRNnYM9o2FIKb6mJPBj59HijeskAuJIgBgJefXeTIvZtTYyAEav7rmwAw5VS0evoJ+qJrG7Pzf6Xmorkw53zlSoUu5I6ow2sndKFpnisU/Di+OZHmq0BGb/jUH0ZiyGeon0IAUgTs/TeDaRrevwlgS6RIm4C+3K5kiyHZ1IIqA14cBXRMYiNitaukiL+bT8h+djvA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/oDEr3CDa4GljTEfxXWhj03gawYMDOZe3UtlhMB2uxE=; b=LLMvTRoCYOsA1Vu5YvDFlAIXR6ZGDc+gw+sKKSC/pV5iQUGUqSHEgwhITzcsfu/GtZB/IJCUidpqVbO+uEpBoqxg+Rm/gZLTdH72B+Lguhjsiyke/V9X7MsweWlEXtKqENumi3eoIF/nnLHp6wO7HWLAkMHwErjzRV0d/PeKBSw=
Received: from BL3PR11MB5682.namprd11.prod.outlook.com (2603:10b6:208:33d::18) by MN2PR11MB4173.namprd11.prod.outlook.com (2603:10b6:208:137::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4523.14; Thu, 16 Sep 2021 14:48:37 +0000
Received: from BL3PR11MB5682.namprd11.prod.outlook.com ([fe80::489e:fc66:a924:b5e]) by BL3PR11MB5682.namprd11.prod.outlook.com ([fe80::489e:fc66:a924:b5e%3]) with mapi id 15.20.4523.016; Thu, 16 Sep 2021 14:48:37 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Which PQC KEMs can be used for composite encryption?
Thread-Index: AdeqG5+virMmP+tFQ5WeytN7CFzMdAAR0uAAACc3HDAAAcZPEA==
Date: Thu, 16 Sep 2021 14:48:37 +0000
Message-ID: <BL3PR11MB5682199421CF9736F9E19ED9C1DC9@BL3PR11MB5682.namprd11.prod.outlook.com>
References: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com> <YUJBEi0mupUbcyvA@LK-Perkele-VII2.locald> <BL3PR11MB56822BD25C6CD932BC13CB14C1DC9@BL3PR11MB5682.namprd11.prod.outlook.com>
In-Reply-To: <BL3PR11MB56822BD25C6CD932BC13CB14C1DC9@BL3PR11MB5682.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: welho.com; dkim=none (message not signed) header.d=none;welho.com; dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6a3e44b4-256f-46ba-190c-08d979211127
x-ms-traffictypediagnostic: MN2PR11MB4173:
x-microsoft-antispam-prvs: <MN2PR11MB4173227F26B9B05DF4172E21C1DC9@MN2PR11MB4173.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: O9asbp6A4cet9zTiU7Y/zfcgnFve3DE9aVY9vN3kMSoZbGMpU9uYufcDjtuImjKbOMDamDRrNYJAHjh1XZZ/MZ3wKXd0ROBS81Wd2Q7hc4nzmpYufsGWtPL6g/alVPfevwllr23VqbQQh1Q4e9+p6qrDHBswt05j/yn11GqCVMUjx1KbfE0jdii0q3PIY/b6pVOCB/Ri6HEf83m+6ssymLYs6t7fvvpIbDCJHrVDfKORJWebUEs6i+zY7YZk6V25isHm9arnJeDCjtT2yOImCCVbePMnMh4y13FxxzUmRizr6sVKc6/+uLdY5LHRx1klbdMEWfTQ/jmGbNV+Iy4BT5H2uS7XRIs6IBa4YigD6ZbsrSWKzJs2Spyqkq4ePgh1QzzxVFsaTdOV6ibcR0/1T835EFxKUhuvgM6Rn+neBSxB+Kl+3DGGSfGnSPRDUNIU+8KBbKjzCKfyNm/iHdH4YXtBJArJyVx6cX9/QXoMRi7Tl2/fHKrP3mFzT/hlfm+9jt/7yNL9a+kmx+2JywH7mnUji6qL45dwSmWiHlN47IdCAikZ1ftuU49cK6SGYDqRH+v5NbB4vZ5luJfCLrbMqUQUKeEd6QgdzeZNs9zrUMNEwBw7DnYbRlVMBgSolodCQnAFnNN1bI6MJ4IARpuwFmmYCj0omWRfYWL8mPByWLLs5qs8n0mitt73QzyoJ7M5nM2an2gHLH8uTVnVV+7yZw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL3PR11MB5682.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(39860400002)(376002)(136003)(346002)(396003)(186003)(8936002)(8676002)(9686003)(4326008)(83380400001)(66556008)(478600001)(316002)(6506007)(38070700005)(33656002)(5660300002)(71200400001)(53546011)(2906002)(110136005)(55016002)(122000001)(76116006)(66946007)(38100700002)(52536014)(66476007)(2940100002)(7696005)(86362001)(66446008)(26005)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?yYQ4J6G2aIpUrsI0ei0Tu1fnSDr++JW9gAFZsd+0PmNOsKpuosIr1/Q6T56N?= =?us-ascii?Q?jRP9s5165ZzqflXD0C8hcJpg6GSHchP8WIQgCJN849jtnOeeAm+CzN1G2Yav?= =?us-ascii?Q?rW+ObA3T4Vj56+P00HUWP7qN1DABfUZKjw9cHhPKlPT9E7jkP6gwfmhAd7IG?= =?us-ascii?Q?vje48dTf0BfW+0NE+HtbM5JLWmc7llM2ls5aB+PoIxD+9o6ZZK2A/H7nwNIJ?= =?us-ascii?Q?W0IGUhBXj++O6iOMZVFtPnl1WI7zR8Xdvc+WURavlhF3WaAOmLMLIXNwhVwq?= =?us-ascii?Q?kOGb2RyAj3RXOH5HFWadKGylqHGY9+n21KsG5F9seTaB4PrIkVPy+4NxXTsZ?= =?us-ascii?Q?pQJr7EOPygaMr+86/EGJSq5bYBNW91cjEgJjsQ7+S+86zYobbgbZ3ovvnurR?= =?us-ascii?Q?GHSCDvg8CsfbsSATrhwlP8S3wKKxGlJ6oOdxjhmsR4QMMXpBJfulUtblKscQ?= =?us-ascii?Q?1np2/XcA8zVb4qnBSTrB3jzXDA3DEeZxVdzunMCNRI5Dk8ygFyTdahbBOcCg?= =?us-ascii?Q?GBmZyBXMMJn/A6LDTtxAHn8UHIiaP7+TTo3k3TJgNNflykaJvpvpeIxjHz0d?= =?us-ascii?Q?R/ROAPGaIABM6IpljDJ6ZdnwYGLNbr2jrlWhYd5t7Iwh0Wy0b6/k+xBwbjP/?= =?us-ascii?Q?9zvYC/qUKRGakSy2+bgfnBycNPNcAOgiuHE1BVL1QGG1ayDuOFJg9eBI0KOo?= =?us-ascii?Q?hOYuNK89Se7cOJ5nVm1vnhmH+NISvLFwu8FGa7fBRsCEvgunzKf20Zk23kgD?= =?us-ascii?Q?0fTbFUsBIksmuvp+Vh00a/czVrJWmjJ3CHIovZNt+8YnIK0wwKHPMTa7Svol?= =?us-ascii?Q?mKpay4PyBwzXaLkobcSBiawCly2bu2qTATXTvZH8aLUkmcVnfTGEPZG/dllz?= =?us-ascii?Q?Wb1Z490YYrvSLn5nsE56Wj/TOv/AYwZerEXP8qaLyC4Y0EqLxjn+3DbgoJrC?= =?us-ascii?Q?RTdknQ34i4FRxRkl8DRV6K0FXLTrGjpCunsIQD93Q7MlCRAZBzgbyUfdP+CA?= =?us-ascii?Q?kg77YA2eeKkJp9S6aBDafKc9rRfaZ9sw+jxYSUjp6U3nmd868q3OErMl9b8h?= =?us-ascii?Q?DzZ3ZALn0eGuO+1gEv+TcF7mZIGz6gp3YoBm4Uin/RMA6kOCR5Sxt4g2GwoH?= =?us-ascii?Q?/8F0Lp7BUhPBq5/g+2nK0pjECbFDn9TiIl7VWP04wGFMCPq6fj7TsnElsZZ0?= =?us-ascii?Q?fTd3y8b/ZnBEZSNPScuHMtEyYM2eIewtAkP7kIq62tjDQpwy51vlI4At73v3?= =?us-ascii?Q?pfXrZ/7/HIs8Egz38ZDv1VViQM6vb0+3R5BppJROh1nSg4g6X5+OOO2BUwiU?= =?us-ascii?Q?GVzPwytTpaGQEcC0TPq3SRfW?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BL3PR11MB5682.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6a3e44b4-256f-46ba-190c-08d979211127
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2021 14:48:37.3244 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: W1xI2vT11Qf7cVVpWpgITrLqUwpq8vhi31Q6TadGDMCidUj4eYQcWlm2fdsEOFdo7oG9er2Iy2KFCnwXauL2WQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4173
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.21, xbe-aln-006.cisco.com
X-Outbound-Node: alln-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_9wls1feRn8w0zDM7fLqNktHJTE>
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Sep 2021 14:48:48 -0000

To flesh out the below idea, here is what the encryption/decryption procedure would look like:

Generation Procedure:

   1. If recipient public key is of type id-composite-or-key, determine the
      index of the last recipient public key to be encrypted for
        i_last := index of last Pi to be encrypted for
      Else,
        i_last = n
     Set K to a supported Key Derivation Function listed in the public key.  If no such Key Derivation Function in the list, return FAILURE

   2. To generate secret keys Sn, compute the following

      C := emptyOctetString
      for i := 1 to n

        a. If id-composite-or-key and Pi is to be skipped
          Ei := emptyOctetString
          continue to next i

        b. If Ai is a public key encryption scheme
            S := random_bits(SIZE)
            Ei = encrypt(S, Pi, Ai)
            C := C || S
          Else /* Ai is a key exchange method */,
            Ei, S := kem_generate(Pi, Ai)
            C := C || S

   3. Compute CEK := K( C, nonce )    /* The nonce is passed in by the caller */

   4. Output CEK and E1, E2, .., En

Decryption Procedure:
   1. C := emptyOctetString
       K := KDF selected in the ciphertext
        for i := 1 to n
          if Ei != emptyOctetString
            If Ai is a public key encryption scheme
              C := C || decrypt(Ei, SKi)
           Else
              C := C || kem_receive( Ei, Ski )

   3. Compute CEK := K( C, nonce )

   4. Output CEK

Obvious things to work out (assuming that you are willing to entertain such a change):

- I mention SIZE during the encryption process - what is that?

- I don't know if there is an existing IANA registry for KDFs that we could use - would we have to define it?

- I have heard of a complaint that if the KDF was based on a non-collision-resistant hash function, then (because we're using concatenation before the KDF) in some attack models, he could learn the initial byte or two of the next secret.  Is this an issue we should try to address?

-----Original Message-----
From: Scott Fluhrer (sfluhrer) 
Sent: Thursday, September 16, 2021 9:58 AM
To: Ilari Liusvaara <ilariliusvaara@welho.com>om>; Bruckert, Leonie <Leonie.Bruckert@secunet.com>
Cc: spasm@ietf.org
Subject: RE: [lamps] Which PQC KEMs can be used for composite encryption?

> So my question is: Do we know any PQC KEM that can be used with this 
> mode?

I think we agree that we want something that can be used with any reasonable encryption or KEM primitive (even ones that haven't been invented yet), hence the requirement that this draft places on KEMs is too restrictive (even ignoring the valid points that Leonie brings up).

One obvious modification we could place on the draft is to send the output of any KEMs through a KDF.  Actually, sending everything through a KEM would mean that, even if only public key encryption algorithms are used, neither side could set the CEK to an arbitrary value.  The implicit API in the Generation Procedure doesn't support that (it assumes the CEK comes from the caller, that is, someone selects the value) - would it be an issue to change that?

Of course, the problem with specifying a KEM (apart from the added complexity) is that both sides need to agree on it.  One approach would be to have the public key contain a list of KDFs that the decryptor supports, and have the ciphertext include the KDF that the encryptor used.

Would this be a reasonable (if somewhat radical) change to the draft?