[lamps] New Version Notification for draft-ounsworth-pq-composite-kem-00

Mike Ounsworth <Mike.Ounsworth@entrust.com> Tue, 19 July 2022 15:02 UTC

From: Mike Ounsworth <Mike.Ounsworth@entrust.com>
To: 'LAMPS' <spasm@ietf.org>
Date: Tue, 19 Jul 2022 15:02:41 +0000
Message-ID: <CH0PR11MB5739DFD33D1982C8A1D355869F8F9@CH0PR11MB5739.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Y4_Rx26wlAc0wcnvlL2iwxydewY>

Hi LAMPS,

We have published draft-ounsworth-pq-composite-kem-00 which allows for multi-algorithm key exchanges anywhere that PKIX allows a KEM -- notably in CMS EnvelopedData (well, it doesn't allow a KEM yet, but draft-perret-prat-lamps-cms-pq-kem will fix that!).


The composite KEM draft contains two non-trivial mechanisms which will require cryptographic review:

1. Transformations KeyTrans -> KEM, and KeyAgree -> KEM so that arbitrary combinations of {KeyTrans, KeyAgree, KEM} can be combined as if they were all KEMs.

2. Combiners to combine multiple component shared secrets into a single shared secret. We originally thought we would be good with SS = KDF(SS1 || SS2) as per NIST SP 800-56Cr2, but we have since discovered that this is a hot area of academic research [Aviram2021], [Aviram2022], [Giacon2018], so we probably need something more sophisticated. We've also added a crypto-agile way of specifying the combiner so that alternates can be added in the future.



[Aviram2021]: https://github.com/nimia/kdf_public
[Aviram2022]: https://eprint.iacr.org/2022/065
[Giacon2018]: https://eprint.iacr.org/2018/024.pdf


PS -- it's an --00. I think it's currently more lines of TODO and EDNOTE than actual text. Our goal at this point is to start the discussion and to firm up the document over several versions.

---
Mike Ounsworth
Software Security Architect, Entrust
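As an added illustration of the combiner question raised in point 2 above (this is example code written for this archive page, not the draft's or Entrust's code): the naive SS = KDF(SS1 || SS2) combiner from NIST SP 800-56C, beside a constructed variant that length-prefixes the component secrets and binds the component ciphertexts as FixedInfo, both selectable through an OID-keyed registry in the crypto-agile style the message describes. The OIDs under 2.999 are the ITU-T example arc and are placeholders, not assigned values.

```python
import hashlib
import struct

def one_step_kdf(z, fixed_info, out_len=32, hash_fn=hashlib.sha256):
    """NIST SP 800-56C one-step KDF with a hash as auxiliary function:
    output = H(counter || Z || FixedInfo) for counter = 1, 2, ... (4-byte big-endian)."""
    out, counter = b"", 1
    while len(out) < out_len:
        out += hash_fn(struct.pack(">I", counter) + z + fixed_info).digest()
        counter += 1
    return out[:out_len]

def length_prefixed(parts):
    """Encode a list of byte strings unambiguously: 4-byte big-endian length before each."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def combine_concat(shared_secrets, ciphertexts, out_len=32):
    """Naive combiner from the message: SS = KDF(SS1 || SS2). Ciphertexts are ignored."""
    return one_step_kdf(b"".join(shared_secrets), b"", out_len)

def combine_bound(shared_secrets, ciphertexts, out_len=32):
    """Hardened variant (constructed here, not the draft's): length-prefix each secret so
    the (SS1, SS2) boundary is unambiguous, and bind the component ciphertexts as FixedInfo."""
    return one_step_kdf(length_prefixed(shared_secrets), length_prefixed(ciphertexts), out_len)

# Crypto-agile registry keyed by combiner OID. 2.999 is the ITU-T example arc, so
# these values are documentation placeholders, not assigned identifiers.
COMBINERS = {"2.999.1": combine_concat, "2.999.2": combine_bound}

def composite_shared_secret(combiner_oid, shared_secrets, ciphertexts, out_len=32):
    """Derive the composite shared secret with the combiner named by OID."""
    if combiner_oid not in COMBINERS:
        raise ValueError(f"unsupported combiner OID {combiner_oid}")
    return COMBINERS[combiner_oid](list(shared_secrets), list(ciphertexts), out_len)

def boundary_collision(combiner_oid):
    """Two different (SS1, SS2) pairs with identical concatenation: True if the
    combiner derives the same key for both (i.e. the boundary is lost)."""
    ct = [b"ct1", b"ct2"]  # constructed stand-in component ciphertexts
    k_a = composite_shared_secret(combiner_oid, [b"\x01", b"\x02\x03"], ct)
    k_b = composite_shared_secret(combiner_oid, [b"\x01\x02", b"\x03"], ct)
    return k_a == k_b
```

The boundary check is only one of the concerns the cited papers raise about concatenation combiners; it is the one that is easy to show with a few bytes of input.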

-----Original Message-----
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: July 11, 2022 4:50 PM
To: John Gray <John.Gray@entrust.com>; Mike Ounsworth <Mike.Ounsworth@entrust.com>
Subject: [EXTERNAL] New Version Notification for draft-ounsworth-pq-composite-kem-00.txt


______________________________________________________________________

A new version of I-D, draft-ounsworth-pq-composite-kem-00.txt
has been successfully submitted by Mike Ounsworth and posted to the IETF repository.

Name:           draft-ounsworth-pq-composite-kem
Revision:       00
Title:          Composite KEM For Use In Internet PKI
Document date:  2022-07-11
Group:          Individual Submission
Pages:          24
URL:            https://www.ietf.org/archive/id/draft-ounsworth-pq-composite-kem-00.txt
Status:         https://datatracker.ietf.org/doc/draft-ounsworth-pq-composite-kem/
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ounsworth-pq-composite-kem


Abstract:
   The migration to post-quantum cryptography is unique in the history
   of modern digital cryptography in that neither the old outgoing nor
   the new incoming algorithms are fully trusted to protect data for the
   required data lifetimes.  The outgoing algorithms, such as RSA and
   elliptic curve, may fall to quantum cryptanalysis, while the incoming
   post-quantum algorithms face uncertainty about both the underlying
   mathematics as well as hardware and software implementations that
   have not had sufficient maturing time to rule out classical
   cryptanalytic attacks and implementation bugs.

   Cautious Implementers may wish to layer cryptographic algorithms such
   that an attacker would need to break all of them in order to
   compromise the data being protected.  For digital signatures, this is
   referred to as "dual", and for encryption key establishment this is
   referred to as "hybrid".  This document, and its companions, defines
   a specific instantiation of the dual and hybrid paradigm called
   "composite" where multiple cryptographic algorithms are combined to
   form a single key, signature, or key encapsulation mechanism (KEM)
   such that they can be treated as a single atomic object at the
   protocol level.

   EDNOTE: the terms "dual" and "hybrid" are currently in flux.  We
   anticipate an Informational draft to normalize terminology, and will
   update this draft accordingly.

   This document defines a Composite key encapsulation mechanism (KEM)
   procedure, for use with Composite keys which consist of combinations
   of Encryption or KEM algorithms for each composite component
   algorithm.  This document also introduces the idea of assigning an
   Object Identifier (OID) to a shared secret combiner so that stronger
   combiners can be implemented in the future without needing to re-
   issue this specification.

   This document is intended to be coupled with the composite keys
   structure defined in [I-D.ounsworth-pq-composite-keys] and the CMS
   KEM-TRANS mechanism in [I-D.perret-prat-lamps-cms-pq-kem].




The IETF Secretariat

