Re: [lamps] Which PQC KEMs can be used for composite encryption?

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 15 September 2021 21:33 UTC

Return-Path: <prvs=5892dec94a=uri@ll.mit.edu>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62ED43A13C3; Wed, 15 Sep 2021 14:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PDS_BTC_ID=0.499, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVypcBmApS8M; Wed, 15 Sep 2021 14:32:59 -0700 (PDT)
Received: from MX2.LL.MIT.EDU (mx2.ll.mit.edu [129.55.12.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A016C3A13C2; Wed, 15 Sep 2021 14:32:55 -0700 (PDT)
Received: from LLE2K16-HYBRD02.mitll.ad.local (lle2k16-hybrd02.llan.ll.mit.edu [172.25.5.146]) by MX2.LL.MIT.EDU (8.16.1.2/8.16.1.2) with ESMTPS id 18FLWrEA098950 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 15 Sep 2021 14:32:53 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=CCnsT9Y0fAuPadFLJlBS0ih6hFANAmbHKX7s8GDc1d+616IVTKnZS4j6a2Lm/Zdmbi8xSpInvGTDnGgiEiYQTgggvMNsMefcDOlCw1jgch0xmvT7Y+F9owQYLSRrPeuKqJb37Fvjm9x68mdlIVBtnX6vM6ommwt2cy2MeR7YJvsZsgGEj+fO4xqlBMNnMN6yYztHjenTEoE1ETYm9Quq35tC65B34QHj/5f3Bd1NszzYtX7UVcFgVS/cdmGL9b+XKLlwtpeSemRDPfj4z1yO8OhcXK7adfrvFsb3bbApSFqAaKfiwAesDk4U6jz2R61h9QRMu1ReZ2HGVAj4x/MXtA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fC5ay9Rlxdfc8SsSD3RE2k1PtDrCn2GJM9nfsedOo4U=; b=qGMmIXshONGrHJ1F/79kgITuu2dc+ZAUKNuHToi6FUDaMoVYh7b/2IvEE6IOgOmYsKcC+VG7KAXIE8mginbxoLPj+ArTNIIhrngTh2fltFJcm4JpfI9kL+kAuCruH7VHShqr9sTko2OXamCsHkr2FYrKgD2uc6fK/xqHDb+06WPBxqGXCci5VvysCm4GNp5lo9e0+gKAYbXAs1yjqEN//4UKh7/hK70m/LwIIPWL4kpt/Eyo+6E9XiHYo2WpX59Nobxq34ZHirC4oY08l5mBZ++RL/uO4wiySnv7kJq49HvmOghJIIWL+su7+opk7HP5IKMmifrTATcNOA2OJWNOVw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ll.mit.edu; dmarc=pass action=none header.from=ll.mit.edu; dkim=pass header.d=ll.mit.edu; arc=none
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Which PQC KEMs can be used for composite encryption?
Thread-Index: AQHXqnk6irMmP+tFQ5WeytN7CFzMdA==
Date: Wed, 15 Sep 2021 21:32:48 +0000
Message-ID: <D410F55B-4706-45D7-9C2E-341CDD5DCD35@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.52.21080801
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ll.mit.edu;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b0ea2ccc-8d97-4420-01fc-08d978905d4d
x-ms-traffictypediagnostic: BN1P110MB0065:
x-microsoft-antispam-prvs: <BN1P110MB0065361ECA3A98F888DFB80B90DB9@BN1P110MB0065.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: F8mgJYde2D5McaoeIlWWQYArNiYJcbxdzTEjA49IXVZqEGHa7YHBCOe0rVCfh8j1YbLUPfyXQMyVRbqy+XetX+457PEQJoyenjoLJKggBgOiklbuTddQxsftd8mBz4MWO6tfiL6z802l9mx7qrCOHUEXjTbhfE8zX+u5ea/H6z7jx/1rC/pNCgs2/gsE1Gqwf9adhvK8wItMhcK10hIIiw2IW85r2S6F2xX5Cv7Z72m+0MfakTLkphoq2d6AoFx8J0dnlolhgteiMh/2GEOCkNJi0zq0bHPUJPf1l8jTgnzdDOGITUSv//dNKaZSYB28ETcNwk1XUW2OLhbeQm7W4iBzl7CWbHItR22VfW29YCbPOCPQ/W6YPR0+vfoXd7AHMa0ZBGP1wSgz3tDU34z7R1mPow5ZPniHaanWNp1RJwBOztnMlwVJyteePFdLyJUi6ZTFwSt4pwm/rAfnyY7v8+nXuwwqTd7rssg+uRYBm+jZyauKZ0Aaid3zN9CtPOQ64G2sCG5oH4jvu6S4hSCBu0KNsPKsAJI544H/s/cybzrWdrd2Y5PTlnEJgI8kMmOsRJ1Vhziirkay8kjJh+lXNETs4HNWAPFDPCnmnAt3Yp5u8dMmORJwrRLybxwCn/KCeIlBBkqfrHU13IdPaeN7JUu/pM/eCpXYGio3lM4xv1envJsEy1+ZoECQusPQahwpg6skFZjtevc24enRyXsagTP37SnvdbkzQ/DF+7QHcOfGU6V5MOWaHZ6kc0eNLADV
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(376002)(39850400004)(366004)(136003)(346002)(396003)(8936002)(186003)(5660300002)(38070700005)(8676002)(76116006)(6486002)(966005)(122000001)(316002)(38100700002)(110136005)(86362001)(33656002)(6512007)(2616005)(99936003)(75432002)(64756008)(66556008)(71200400001)(6506007)(66946007)(2906002)(66616009)(478600001)(66446008)(66476007)(53546011)(83380400001)(26005)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: yvrzh6OSZGseY4WjRVUXJu93mMADcO8KCgm3VlMm/I+oh0bc+uNHOvDon1/QhNB6RgLX0rgrHhNzWjjpFHn/GGmkE1db49f5Lqpl481hKY6H6mNZtMcVIWG5o8bEAKX+axg3PvnIMy/l5UDcHxAdGfkmMCoOKY4ZedxNxT0XmA9Vec8nxrQPrcJS8EsUtMBbx8ZmYAXaq7thenHfMwIjNw7ARCKURmhUdMFmIRQ/6vNOwiODY1hHM/jPQx0G93PY3WM7+GOC93gAs2iBrILXzTGcP52YNn+P7PYJSh760JHs+ZkFfzduLBYfdzWgvZN8os6+KUdJy2zMskY2nDYTzcdBLfSXkNEOnlfSdjplP8KR2MyNKTklnhW9KZXycUNuTeN/oCp15FWEGywh5z4Q6pdzaU2zG6seD6xD3VRSJEoUpHqPWibB0PirgS0hItEEgYENnCVO4jRjqw+n62MEtp+H10XhV2Nlvgt9Y2LzjKspxXmW/VEgGo+LjREVD5MJfbSXIjc3pbTsvuflqc6/fh73jSQ7n/oswMWGAZSEWWZIVArBujPV0SgLwoW6joVz9nxO4b/rnMUqrQZVVIS2o5Y3FkUnkJnik2yxvon1UN680J8tmVkcpb/BxwG0WgguGfX0s29Zxk3ByVUP7JXV1ulqjlu01D1qoC4TlJKE5GJ2Aqa6cpK6JSkPPQMIOV8D0BVeeQsfwKgmXt8eSydj0g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3714571962_2120783617"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN1P110MB0706.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b0ea2ccc-8d97-4420-01fc-08d978905d4d
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Sep 2021 21:32:48.3598 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 83d1efe3-698e-4819-911b-0a8fbe79d01c
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1P110MB0065
X-OriginatorOrg: ll.mit.edu
X-Proofpoint-ORIG-GUID: I4fabt47PSAVdM_qbHOveY4EbDXhQLzT
X-Proofpoint-GUID: I4fabt47PSAVdM_qbHOveY4EbDXhQLzT
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-09-15_06:2021-09-15, 2021-09-15 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 bulkscore=0 phishscore=0 spamscore=0 adultscore=0 suspectscore=0 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109150123
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/h5S5Kyv7g2WZFI4moOpUG22fhTA>
Subject: Re: [lamps] Which PQC KEMs can be used for composite encryption?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 21:33:04 -0000

>    I guess the Too Long; Didn't Read here is: Can we assume
>    a KDF is always included in a KEM encaps(), or do we need
>    to do one explicitly as part of composite-encryption?

I feel dense today, so take this with a grain of salt - but it's my understanding that all the NIST PQC KEM finalists "have KDF inside". And their proofs depend on it.


>    The consensus at the LAMPS interim was to bring
>    these discussions back to RSA-KEM (5990). The KEM
>    shared secret Z is not itself IID, so they run it
>    through a KDF (by itself) in Step 3 to be able to use it as a KEK.
>        KEK = KDF (Z, kekLen)
>        WK = Wrap (KEK, K)

Did not look at RFC 5990, so can't comment. 

In case of PQC KEMs, they take care of this issue "under the hood", and provide both peers with the "sanitized" shared secret. Doing the "internal KDF" is necessary for the proofs to hold, and to foil some attacks...

>    .  .  .  whether this is actually how KEM outputs are intended to be used,
>    or if you need to hash them with protocol context values first.

Good question! IMHO, it depends on what you consider "protocol context".

>    We believed, from looking at the Kyber and SIKE construction that
>    an extra KDF step (and parameter) was unnecessary, but we're happy
>    to add it if it improves security or makes this mode more generally
>    applicable to more KEM primitives.

IMHO, it might be a good idea to add the complete protocol (not KEM!) context (similar to what TLS is doing for Key Confirmation) to the KDF that intakes the KEM output. In many cases it is unnecessary, but it does not hurt, and doesn't take a whole lot of CPU cycles.




    -----Original Message-----
    From: Spasm <spasm-bounces@ietf.org> On Behalf Of Bruckert, Leonie
    Sent: September 15, 2021 5:23 AM
    To: spasm@ietf.org
    Subject: [EXTERNAL] [lamps] Which PQC KEMs can be used for composite encryption?

    WARNING: This email originated outside of Entrust.
    DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

    ______________________________________________________________________
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    Hi,

    I recently looked into the composite encryption described in draft-ounsworth-pq-composite-encryption, in particular option 2 (encryption and KEMs).

    If I understood correctly, the data encryption key is split into at least two shares, each being encrypted/encapsulated under the respective component public key.

    I was wondering which PQC KEMs can be used with this mode. A requirement mentioned in the draft is that

    "all component KEMs MUST produce a shared secret whose bits are independent and uniformly distributed (aka "uniformly IID"
    or "uniformly random" or "full entropy") and therefore the shared secret is safe to use directly as a symmetric key."

    As far as I know, the NIST candidates are IND-CCA secure KEMs where the value being encapsulated is not directly used as shared secret. Instead it is fed into a hash function together with some other values (e.g. the public key) in order to receive the shared secret. Thus, I would conclude that these KEMs are not qualified.

    So my question is: Do we know any PQC KEM that can be used with this mode?

    If I use KEMs in a composite encryption mode, I certainly want them to be CCA secure so I can use the public key multiple times. Otherwise it won't make sense to put them in a certificate.

    Please clarify if I am wrong with my thoughts.

    Regards,
    Leonie
    -----BEGIN PGP SIGNATURE-----
    Comment: Using gpg4o v6.0.124.9651 - https://www.gpg4o.de/
    Charset: utf-8

    iQIzBAEBCAAdFiEE3zFKr4OUJ0GHtLDCQlNDNDsJayMFAmFByYgACgkQQlNDNDsJ
    ayNu1w//W3mJD9LJ43KxEVv0t9etwv1Rw21ztRmb0biWskF1JJkxZIUmXBdb7MS9
    Sct7czMb/oNL/jrFqbiAHREwI2M5CVQ88v2YIGvA7T562amU3NBH/HbHZSwReByB
    nQlV+JmEEovHM75pasOEUGAYBVLG3smbRSNl0rQqk0hvCUPpWfuXxyVuxCYzaGu7
    XxvhfU0RSCE/e76xzf90WQQn1IylH8tCKrXST5+x+pxk2W2MkyNVzOqTBg7sycdg
    YJLLyK4aHm7emrlh6xOxSCVKVqsxKzGNV8/TRo/lvd3zhjTj6Ij5pLctBIgSHeA4
    rGSjqviKrMmFErnX3OeXgkPDNebQpxL0nrO7+vyJspzJ1C4SM2XQzvewjUSCa0gS
    163eQI+ufvbEBp48BqGNcnrYPgjs+CIKvbcK4a5ETbtCT9HG+chED4v62x261YKw
    q6c6/1kEbd1hS3raaWKFEmhned2JP5WTGTu5/PARvA4hTqEaxnujBEF8qja3jz4Q
    NIwXSjtuOQGe+XVpNDGIYSCXDMWNSCdaDTXCuWuiWwYUvb5jad+qSpQCpnEe9AKB
    pQPgEV2Z0eIUB5FRBQwy27/ZWHzmL/VnJwb5MtuNg2cBNw+TBYCdaNo8KV1uTeRP
    ASCIAvecw7809QAx4okUChvIBR/25qBJkGthNOLXnA9mqzINdGw=
    =Bqt8
    -----END PGP SIGNATURE-----
    Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
    _______________________________________________
    Spasm mailing list
    Spasm@ietf.org
    https://www.ietf.org/mailman/listinfo/spasm