[lamps] Which PQC KEMs can be used for composite encryption?
"Bruckert, Leonie" <Leonie.Bruckert@secunet.com> Wed, 15 September 2021 10:23 UTC
From: "Bruckert, Leonie" <Leonie.Bruckert@secunet.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: Which PQC KEMs can be used for composite encryption?
Thread-Index: AdeqG5+virMmP+tFQ5WeytN7CFzMdA==
Date: Wed, 15 Sep 2021 10:23:06 +0000
Message-ID: <e281b09a816e46d9a36a388c1e5ff6fa@secunet.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/flvWuA6yBMPentE2i_MkIF61_js>
Subject: [lamps] Which PQC KEMs can be used for composite encryption?
Hi,

I recently looked into the composite encryption described in draft-ounsworth-pq-composite-encryption, in particular option 2 (encryption and KEMs). If I understood correctly, the data encryption key is split into at least two shares, each being encrypted/encapsulated under the respective component public key.

I was wondering which PQC KEMs can be used with this mode. A requirement mentioned in the draft is that "all component KEMs MUST produce a shared secret whose bits are independent and uniformly distributed (aka "uniformly IID" or "uniformly random" or "full entropy") and therefore the shared secret is safe to use directly as a symmetric key."

As far as I know, the NIST candidates are IND-CCA secure KEMs where the value being encapsulated is not directly used as the shared secret. Instead it is fed into a hash function together with some other values (e.g. the public key) in order to receive the shared secret. Thus, I would conclude that these KEMs are not qualified.

So my question is: Do we know any PQC KEM that can be used with this mode? If I use KEMs in a composite encryption mode, I certainly want them to be CCA secure so I can use the public key multiple times. Otherwise it won't make sense to put them in a certificate.

Please clarify if I am wrong with my thoughts.

Regards,
Leonie
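The share-splitting mode the message describes, as an added example that is not part of the original post, the draft, or any NIST candidate's code. Two classical hashed-DH KEMs over RFC 3526 group 14 stand in for the component KEMs (they are not post-quantum; they are here only so the combiner runs with the standard library). Their shared secret is derived as H(DH value || pk || ct), mirroring the "encapsulated value fed into a hash with the public key" step the message mentions. The DEK is split into n XOR shares, and share i is wrapped by XORing it with component i's shared secret, which is only sound because that secret is uniformly random, the draft requirement quoted above. All function names, the XOR wrapping, and the 32-byte secret length are this example's assumptions.

```python
import hashlib
import os
import secrets

# RFC 3526 group 14 (2048-bit MODP). Classical DH, not a PQC KEM: a
# stand-in component KEM so the combiner can be exercised offline.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
SS_LEN = 32  # assumed: each component KEM outputs a 32-byte shared secret


def dh_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _derive(dh: int, pk: int, ct: int) -> bytes:
    # Shared secret = H(DH value || pk || ct): the raw group element is
    # never used directly, only its hash with the public key and ciphertext.
    h = hashlib.sha256()
    for v in (dh, pk, ct):
        h.update(v.to_bytes(256, "big"))
    return h.digest()


def kem_encaps(pk: int):
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, _derive(pow(pk, r, P), pk, ct)


def kem_decaps(sk: int, pk: int, ct: int) -> bytes:
    return _derive(pow(ct, sk, P), pk, ct)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def composite_encaps(pks):
    """Pick a fresh DEK, split it into len(pks) XOR shares, and wrap share i
    with component i's shared secret used directly as a one-time key."""
    dek = os.urandom(SS_LEN)
    shares = [os.urandom(SS_LEN) for _ in pks[:-1]]
    last = dek
    for s in shares:
        last = xor(last, s)
    shares.append(last)  # XOR of all shares == dek
    cts = []
    for pk, share in zip(pks, shares):
        ct, ss = kem_encaps(pk)
        cts.append((ct, xor(share, ss)))
    return dek, cts


def composite_decaps(keys, cts):
    """Recover every share with its component private key and XOR them."""
    dek = bytes(SS_LEN)
    for (sk, pk), (ct, wrapped) in zip(keys, cts):
        dek = xor(dek, xor(wrapped, kem_decaps(sk, pk, ct)))
    return dek


def demo():
    keys = [dh_keygen(), dh_keygen()]
    pks = [pk for _, pk in keys]
    dek, cts = composite_encaps(pks)
    ok = composite_decaps(keys, cts) == dek
    # Holding only one correct component key yields a wrong DEK, not a
    # partial one: every component must decapsulate correctly.
    partial = composite_decaps([keys[0], dh_keygen()], cts) == dek
    return ok, partial


if __name__ == "__main__":
    print(demo())
```

Because each share is one-time-padded with the component's shared secret, any bias in that secret would leak bits of the share, which is exactly why the draft demands full-entropy KEM output for this mode; a component KEM whose output is already a hash of the encapsulated value and public key, as in the construction above, produces such a uniform secret.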