Re: [lamps] Which PQC KEMs can be used for composite encryption?

Mike Ounsworth <Mike.Ounsworth@entrust.com> Wed, 15 September 2021 20:02 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>, "spasm@ietf.org" <spasm@ietf.org>
Date: Wed, 15 Sep 2021 20:02:21 +0000
Message-ID: <CH0PR11MB57391CF716326E327E03D3569FDB9@CH0PR11MB5739.namprd11.prod.outlook.com>
References: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com>
In-Reply-To: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bHIYKu1PlWvZ3eFbaG1k-xW8iBM>
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?

Hi Leonie, thanks for starting this discussion.

I guess the Too Long; Didn't Read here is: Can we assume a KDF is always included in a KEM encaps(), or do we need to do one explicitly as part of composite-encryption?

I think (but could be wrong) that CCA security is orthogonal to whether the KEM output (i.e. the shared secret) can be used directly as a symmetric key, or whether it needs to be run through a KDF first. For example, I could imagine a KEM that outputs an IND-CCA shared secret prefixed with a fixed version byte; you can't use that directly as a one-time-pad key because of the fixed version byte.

That security consideration text is there because we've been struggling to understand whether, with the KEM specifications that will be standardized by NIST, the KEM would be expected to output a shared secret that can be used directly as a one-time-pad (i.e. the bits of the shared secret are a random key). If I'm reading your email properly, you're advocating that a KEM's output should be hashed together with some protocol-level contextual values before it's used?


As an example of a PQC KEM that should work, Kyber (as per the Round 3 submission docs) has a KDF as the last step of the CCAKEM algorithm:
K := KDF(K||H(c))
So, it should be ok to be used directly in our scheme.

The same should be true of SIKE KEM (Round 3 SIKE spec 1.3.11 Algorithm 2 Encaps) as it also finishes by hashing everything.

The consensus at the LAMPS interim was to bring these discussions back to RSA-KEM (5990). The KEM shared secret Z is not itself IID, so they run it through a KDF (by itself) in Step 3 to be able to use it as a KEK.
KEK = KDF (Z, kekLen)
WK = Wrap (KEK, K)


So we have two examples of compatible KEMs, and one that isn't directly compatible but could be made so. But we're not sufficiently expert in KEMs to know if this applies only to some PQC KEMs, to all PQC KEMs, or to all KEMs present and future. Or, to your point, whether this is actually how KEM outputs are intended to be used, or if you need to hash them with protocol context values first. We believed, from looking at the Kyber and SIKE constructions, that an extra KDF step (and parameter) was unnecessary, but we're happy to add it if it improves security or makes this mode more generally applicable to more KEM primitives.

I am eager to hear from people more expert than myself in KEM constructions :)

---
Mike Ounsworth
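The two shared-secret shapes discussed above (one usable directly as a key, and one like the hypothetical version-byte KEM or RSA-KEM's Z that must go through a KDF first), as an added Python example that is not part of this message or of the draft. The KEM shared secrets are constructed random bytes standing in for encaps() output, the XOR share split follows the thread's description of option 2, and HKDF-SHA256 plus an XOR-based Wrap are assumptions of this example, not what RFC 5990 or the draft specify.

```python
import hashlib, hmac, secrets
from functools import reduce

def hkdf_sha256(ikm, length, info=b""):
    """HKDF (RFC 5869) extract-then-expand, zero salt; stands in for the KDF."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_dek(dek, n):
    """Split the DEK into n XOR shares; every share is needed to recover it."""
    shares = [secrets.token_bytes(len(dek)) for _ in range(n - 1)]
    return shares + [reduce(xor, shares, dek)]

def recombine(shares):
    return reduce(xor, shares)

def versioned_kem_secret(raw):
    """Hypothetical KEM from the email: fixed version byte in front of the secret
    (constructed stand-in for an encaps() output, not a real KEM)."""
    return b"\x01" + raw

def direct_otp_leaks(share, ss):
    """Using ss directly as a one-time pad: the fixed byte exposes share[0]."""
    ct = xor(share, ss)
    return ct[0] ^ 0x01 == share[0]

def wrap_share(share, ss, kek_len=32):
    """RFC 5990 step 3 shape: KEK = KDF(Z, kekLen); WK = Wrap(KEK, K). Wrap is
    modelled as XOR with the KDF output (self-inverse); a real profile uses AES key wrap."""
    return xor(share, hkdf_sha256(ss, kek_len, b"composite-share-kek"))

def demo(n=2):
    """Return (raw use leaks a share byte, KDF-wrapped shares recombine to the DEK)."""
    dek = secrets.token_bytes(32)
    shares = split_dek(dek, n)
    sss = [versioned_kem_secret(secrets.token_bytes(32)) for _ in shares]
    leaks = all(direct_otp_leaks(sh, ss) for sh, ss in zip(shares, sss))
    wrapped = [wrap_share(sh, ss) for sh, ss in zip(shares, sss)]
    return leaks, recombine([wrap_share(wk, ss) for wk, ss in zip(wrapped, sss)]) == dek
```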

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Bruckert, Leonie
Sent: September 15, 2021 5:23 AM
To: spasm@ietf.org
Subject: [EXTERNAL] [lamps] Which PQC KEMs can be used for composite encryption?

Hi,

I recently looked into the composite encryption described in draft-ounsworth-pq-composite-encryption, in particular option 2 (encryption and KEMs).

If I understood correctly, the data encryption key is split into at least two shares, each being encrypted/encapsulated under the respective component public key.

I was wondering which PQC KEMs can be used with this mode. A requirement mentioned in the draft is that

"all component KEMs MUST produce a shared secret whose bits are independent and uniformly distributed (aka "uniformly IID" or "uniformly random" or "full entropy") and therefore the shared secret is safe to use directly as a symmetric key."

As far as I know, the NIST candidates are IND-CCA secure KEMs where the value being encapsulated is not directly used as shared secret. Instead it is fed into a hash function together with some other values (e.g. the public key) in order to receive the shared secret. Thus, I would conclude that these KEMs are not qualified.

So my question is: Do we know any PQC KEM that can be used with this mode?

If I use KEMs in a composite encryption mode, I certainly want them to be CCA secure so I can use the public key multiple times. Otherwise it won't make sense to put them in a certificate.

Please clarify if I am wrong with my thoughts.

Regards,
Leonie