Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added appdx comparing with X-Wing and ETSI CatKDF. #101

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Added appdx comparing with X-Wing and ETSI CatKDF. #101

wants to merge 3 commits into from

Conversation

ounsworth
Copy link
Contributor

@ounsworth ounsworth commented Jan 6, 2025
edited
Loading

Closes #91

TODO before merging:

  • Review from Peter C, especially:
    • the new appendix comparing this specification with ETSI CatKDF
    • The intro is still a bit misleading about the endorsement from BSI, which Peter C correctly points out is to an earlier version of the composite draft, however we have Jan Klaußner as an author and close collaboration with Stavros Kousidis on the CFRG version, so BSI is a bull collaborator on developing this.
  • Review from Chris Wood / Deirdre / Bas, especially:
    • The new appendix comparing this specification with X-Wing
  • I was not previously aware of ETSI TS 103 744's CatKDF. We should have a discussion on the LAMPS list about whether we want to add the ML-KEM CT to the KDF in order to offer equivalent security properties as ETSI CatKDF.

bwesterb
bwesterb reviewed Jan 6, 2025
View reviewed changes
draft-ietf-lamps-pq-composite-kem.md Outdated

## X-Wing

Thit specification borrows extensively from the analysis and KEM combiner construction presented in [X-Wing]. In particular, X-Wing and id-MLKEM768-X25519 are largely interchangeable. The one difference is that X-Wing uses a combined KeyGen function to generate the two component private keys from the same seed, which gives some additional binding properies. However, using a derived value as the seed for ML-KEM.KeyGen_internal() is explicitely disallowed by [FIPS.203] which makes it impossible to create a FIPS-compliant implentation of X-Wing. For this reason, this specification keeps the key generatation for both components separate so that implementers are free to use an existing certified hardware or software module for one or both components.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • Typo: Thit
  • "is explicitely disallowed". Presently.
  • "it impossible to create a FIPS-compliant" of X-Wing private key import.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed.

Yeah, if NIST eventually softens the prohibition on derived seeds, that would be fantastic and then X-Wing and Composite could fully collapse together, but NIST has not given any indication of when / how / if they are going to do that, so for now I think we need to proceed like this. Sigh.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fantastic indeed: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/lMTIIPu9yDY/m/38felspKBQAJ !

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given the stated plan, and the fact that there are no ML-KEM-768 modules yet, wouldn't it make sense for the long term to align id-MLKEM768-X25519 with X-Wing. Of course you would want to do something different for the P256 one.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I agree in principle, unfortunately a plan isn't enough. There are ML-KEM modules going through FIPS as we speak that do not even support SEED, let alone seed-from-kdf, and there are claims that seed-based private keys in general are not allowed in a CMVP-validated module. So unfortunately, I think Composites has to stay the way it is and support what is currently allowed in FIPS CMVP.

@ounsworth
Copy link
Contributor Author

I should do another pass at making the text clearer. "This specification" is unclear -- I should say "Composite KEM".
Should also describe more clearly that that paragraph is just highlighting that these are different constructions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwesterb bwesterb bwesterb left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Composite KEM does not fully protect against implementation errors in ML-KEM
2 participants
@ounsworth @bwesterb