Re: [lamps] Which PQC KEMs can be used for composite encryption?

"Blumenthal, Uri - 0553 - MITLL" <> Wed, 15 September 2021 21:33 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Mike Ounsworth <>, "" <>
Date: Wed, 15 Sep 2021 21:32:48 +0000

>    I guess the Too Long; Didn't Read here is: Can we assume
>    a KDF is always included in a KEM encaps(), or do we need
>    to do one explicitly as part of composite-encryption?

I feel dense today, so take this with a grain of salt - but it's my understanding that all the NIST PQC KEM finalists "have KDF inside". And their proofs depend on it.

>    The consensus at the LAMPS interim was to bring
>    these discussions back to RSA-KEM (5990). The KEM
>    shared secret Z is not itself IID, so they run it
>    through a KDF (by itself) in Step 3 to be able to use it as a KEK.
>        KEK = KDF (Z, kekLen)
>        WK = Wrap (KEK, K)

Did not look at RFC 5990, so can't comment. 

In case of PQC KEMs, they take care of this issue "under the hood", and provide both peers with the "sanitized" shared secret. Doing the "internal KDF" is necessary for the proofs to hold, and to foil some attacks...

>    .  .  .  whether this is actually how KEM outputs are intended to be used,
>    or if you need to hash them with protocol context values first.

Good question! IMHO, it depends on what you consider "protocol context".

>    We believed, from looking at the Kyber and SIKE construction that
>    an extra KDF step (and parameter) was unnecessary, but we're happy
>    to add it if it improves security or makes this mode more generally
>    applicable to more KEM primitives.

IMHO, it might be a good idea to add the complete protocol (not KEM!) context (similar to what TLS is doing for Key Confirmation) to the KDF that intakes the KEM output. In many cases it is unnecessary, but it does not hurt, and doesn't take a whole lot of CPU cycles.
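Added example (not part of the reply above, the draft, or RFC 5990): the difference between the RSA-KEM shape quoted in the thread, KEK = KDF(Z, kekLen), where only Z enters the KDF, and the suggestion of feeding the complete protocol context into the KDF that consumes the KEM output. HKDF-SHA256 (RFC 5869, implemented with the standard library and self-checked against the RFC's first test vector) stands in for the RFC 5990 KDF; that substitution, the field names in the context, the placeholder identifiers and the random stand-in values for Z, public key and ciphertext are all assumptions of this example.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def rfc5869_test_case_1() -> tuple:
    """Self-check against RFC 5869 test case 1; returns (PRK, OKM) as hex."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x0D))          # 00 01 ... 0c
    info = bytes(range(0xF0, 0xFA))    # f0 f1 ... f9
    prk = hkdf_extract(salt, ikm)
    return prk.hex(), hkdf_expand(prk, info, 42).hex()


def kek_from_z_only(z: bytes, kek_len: int) -> bytes:
    """The RFC 5990 shape quoted in the thread, KEK = KDF(Z, kekLen): nothing
    but Z goes in. HKDF with empty salt and empty info is the stand-in KDF
    (an assumption of this example, not the RFC's actual KDF)."""
    return hkdf_expand(hkdf_extract(b"", z), b"", kek_len)


def encode_context(context: dict) -> bytes:
    """Unambiguous encoding of the protocol context: sorted field names, each
    name and value length-prefixed, so distinct contexts never collide."""
    out = b""
    for name in sorted(context):
        n, v = name.encode(), context[name]
        out += len(n).to_bytes(2, "big") + n + len(v).to_bytes(4, "big") + v
    return out


def kek_with_protocol_context(z: bytes, context: dict, kek_len: int) -> bytes:
    """Feed the complete protocol context (not only the KEM's own inputs) into
    the KDF that consumes the KEM output, so the KEK is bound to the
    identifiers, public keys and ciphertexts it was negotiated with."""
    return hkdf_expand(hkdf_extract(b"", z), encode_context(context), kek_len)


def demo_context_binding(kek_len: int = 32) -> dict:
    """Same Z under two transcripts that differ only in the KEM ciphertext."""
    z = secrets.token_bytes(32)                      # constructed stand-in for a KEM shared secret
    ctx = {
        "kem_alg": b"placeholder-kem-identifier",   # placeholder, not a real OID
        "recipient_pk": secrets.token_bytes(64),     # constructed
        "kem_ct": secrets.token_bytes(64),           # constructed
        "wrap_alg": b"placeholder-wrap-identifier",  # placeholder
    }
    ctx2 = dict(ctx, kem_ct=secrets.token_bytes(64))  # a different ciphertext, same Z
    plain_a, plain_b = kek_from_z_only(z, kek_len), kek_from_z_only(z, kek_len)
    bound_a = kek_with_protocol_context(z, ctx, kek_len)
    bound_b = kek_with_protocol_context(z, ctx2, kek_len)
    return {
        "kek_len": len(bound_a),
        "z_only_ignores_transcript": plain_a == plain_b,
        "bound_kek_changes_with_transcript": bound_a != bound_b,
    }


if __name__ == "__main__":
    print(rfc5869_test_case_1())
    print(demo_context_binding())
```

The cost is one HMAC pass over the encoded transcript, which is the "not a whole lot of CPU cycles" point; the length-prefixed encoding matters because concatenating fields without framing would let two different transcripts produce the same info string.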

    -----Original Message-----
    From: Spasm <> On Behalf Of Bruckert, Leonie
    Sent: September 15, 2021 5:23 AM
    Subject: [EXTERNAL] [lamps] Which PQC KEMs can be used for composite encryption?

    I recently looked into the composite encryption described in draft-ounsworth-pq-composite-encryption, in particular option 2 (encryption and KEMs).

    If I understood correctly, the data encryption key is split into at least two shares, each being encrypted/encapsulated under the respective component public key.

    I was wondering which PQC KEMs can be used with this mode. A requirement mentioned in the draft is that

    "all component KEMs MUST produce a shared secret whose bits are independent and uniformly distributed (aka "uniformly IID"
    or "uniformly random" or "full entropy") and therefore the shared secret is safe to use directly as a symmetric key."

    As far as I know, the NIST candidates are IND-CCA secure KEMs where the value being encapsulated is not directly used as shared secret. Instead it is fed into a hash function together with some other values (e.g. the public key) in order to receive the shared secret. Thus, I would conclude that these KEMs are not qualified.

    So my question is: Do we know any PQC KEM that can be used with this mode?

    If I use KEMs in a composite encryption mode, I certainly want them to be CCA secure so I can use the public key multiple times. Otherwise it won't make sense to put them in a certificate.

    Please clarify if I am wrong with my thoughts.

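Added example (not from the draft or from either message in this thread) for two points in the original question: why a raw encapsulated value such as RSA-KEM's Z is not "uniformly IID" (Z < n forces its top bits toward zero) while a KDF output is, and the splitting of a data encryption key into shares that are each protected under a different component key, which is sound only when every share is full entropy. XOR splitting is one common construction and is assumed here, as are the toy modulus, SHA-256 as the KDF stand-in, and the sample sizes.

```python
import hashlib
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(dek: bytes, n_shares: int) -> list:
    """XOR-split a data encryption key: dek = s1 ^ s2 ^ ... ^ sn.
    The first n-1 shares are fresh uniform random strings and the last is
    chosen so the XOR equals dek, so any n-1 shares are independent of dek.
    If a share were not uniform (e.g. a raw Z used directly), an attacker
    holding the other shares would learn bits of dek from its bias."""
    if n_shares < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(dek)) for _ in range(n_shares - 1)]
    last = dek
    for s in shares:
        last = xor(last, s)
    shares.append(last)
    return shares


def combine_shares(shares: list) -> bytes:
    """Recover the key from all shares."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out


# Constructed toy modulus for the RSA-KEM illustration: a real one is 2048+
# bits, but a 250-bit number whose top byte is 0x03 makes the bias obvious.
TOY_MODULUS = (0x03 << 248) | 0x1


def raw_rsa_kem_z(modulus: int = TOY_MODULUS) -> bytes:
    """Stand-in for RSA-KEM's Z: an integer uniform below the modulus, encoded
    at modulus length. Not IID, because Z < n constrains the leading bits."""
    nbytes = (modulus.bit_length() + 7) // 8
    return secrets.randbelow(modulus).to_bytes(nbytes, "big")


def sanitized(z: bytes, length: int = 32) -> bytes:
    """The RFC 5990 step-3 idea, KEK = KDF(Z, kekLen), with SHA-256 as the
    KDF stand-in (an assumption of this example)."""
    return hashlib.sha256(z).digest()[:length]


def top_bit_fraction(samples) -> float:
    """Fraction of byte strings whose most significant bit is set;
    about 0.5 for uniformly random strings."""
    samples = list(samples)
    return sum(s[0] >> 7 for s in samples) / len(samples)


def bias_demo(n: int = 2000) -> dict:
    """Compare the leading bit of raw Z values with that of their KDF outputs."""
    zs = [raw_rsa_kem_z() for _ in range(n)]
    return {
        "raw_z_top_bit": top_bit_fraction(zs),                      # exactly 0.0 for this modulus
        "kdf_output_top_bit": top_bit_fraction(sanitized(z) for z in zs),  # about 0.5
    }


if __name__ == "__main__":
    dek = secrets.token_bytes(32)                    # constructed data encryption key
    shares = split_key(dek, 3)
    print("recombined ok:", combine_shares(shares) == dek)
    print(bias_demo())
```

The bias measurement is the reason a composite mode that uses KEM outputs directly as key material needs the "uniformly IID" requirement, and the reason the NIST candidates (and RFC 5990) hash the encapsulated value before handing it out as a shared secret.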