[I cross-posted this to the NIST pqc-forum]
I may have skimmed too quickly, but I don't believe that SP 800-227 gives any clarification on whether the seeds passed into ML-KEM.KeyGen_internal may come from a KDF, or whether they are leaving in place FIPS 203's requirement that the seed come directly from an approved DRBG. In particular, this impacts the IETF's X-Wing proposal [1], which has the following KeyGen:

```
def expandDecapsulationKey(sk):
  expanded = SHAKE256(sk, 96)                 # one 32-byte seed fanned out to 96 bytes
  (pk_M, sk_M) = ML-KEM-768.KeyGen_internal(expanded[0:32], expanded[32:64])  # d, z
  sk_X = expanded[64:96]                      # X25519 scalar
  pk_X = X25519(sk_X, X25519_BASE)
  return (sk_M, sk_X, pk_M, pk_X)
```

To my understanding, expanding a seed with SHAKE256 prior to invoking ML-KEM.KeyGen_internal is currently explicitly FIPS-disallowed, and will remain so under SP 800-227. I.e., X-Wing's KeyGen CAN NOT BE IMPLEMENTED IN A FIPS-COMPLIANT WAY. I am just pointing this out because I'm sure there are some people who care about FIPS-certified HPKE implementations, and X-Wing is currently the front-runner for a hybrid KEM in HPKE.

---
Mike Ounsworth

From: Orie Steele <[email protected]>
Sent: Tuesday, January 7, 2025 10:26 AM
To: JOSE WG <[email protected]>; cose <[email protected]>
Subject: [EXTERNAL] [jose] Fwd: [CFRG] Fwd: [pqc-forum] Recommendations for Key-Encapsulation Mechanisms | Draft SP 800-227 is Available for Comment

Some comments from NIST on HPKE, and relevant to the COSE and JOSE drafts that support 2 layer encryption, this sentence in particular:

```
1252 This same procedure can also be used to perform key transport by choosing m uniformly
1253 at random.
```

---------- Forwarded message ---------
From: Bas Westerbaan <[email protected]>
Date: Tue, Jan 7, 2025 at 9:43 AM
Subject: [CFRG] Fwd: [pqc-forum] Recommendations for Key-Encapsulation Mechanisms | Draft SP 800-227 is Available for Comment
To: IRTF CFRG <[email protected]>, LAMPS <[email protected]>, <[email protected]>

This might be of interest to some.

---------- Forwarded message ---------
From: 'Moody, Dustin (Fed)' via pqc-forum <[email protected]>
Date: Tue, Jan 7, 2025 at 4:15 PM
Subject: [pqc-forum] Recommendations for Key-Encapsulation Mechanisms | Draft SP 800-227 is Available for Comment
To: pqc-forum <[email protected]>

The initial public draft of NIST Special Publication (SP) 800-227, Recommendations for Key-Encapsulation Mechanisms <https://csrc.nist.gov/pubs/sp/800/227/ipd>, is now available for public comment. NIST recently published Federal Information Processing Standard (FIPS) 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard <https://csrc.nist.gov/pubs/fips/203/final>, to update its cryptographic standards with an algorithm designed to provide protection from quantum attacks.
In addition, NIST will select one or two additional quantum-resistant key-encapsulation mechanisms (KEMs) for standardization. To provide guidance on using KEMs, NIST is introducing SP 800-227, Recommendations for Key-Encapsulation Mechanisms. This draft document describes the basic definitions, properties, and applications of KEMs. It also provides recommendations for implementing and using KEMs in a secure manner.

The public comment period is open through March 7, 2025. See the publication details <https://csrc.nist.gov/pubs/sp/800/227/ipd> for a copy of the draft and instructions for submitting comments. NIST will also hold a virtual Workshop on Guidance for KEMs <https://csrc.nist.gov/Events/2025/workshop-on-guidance-for-kems> on February 25-26, 2025, to gather additional feedback on SP 800-227.

Dustin Moody
NIST PQC

--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/PH0PR09MB8667B8EBCD77C12889F5CA65E5112%40PH0PR09MB8667.namprd09.prod.outlook.com

_______________________________________________
CFRG mailing list -- [email protected]
To unsubscribe send an email to [email protected]

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
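The seed-expansion step that Mike Ounsworth's message turns on, as an added illustration (this is not code from the thread, from the X-Wing draft, or from any FIPS module). It implements only the SHAKE256 fan-out of the 32-byte X-Wing seed into the two ML-KEM seeds (d, z) and the X25519 scalar, using Python's hashlib; ML-KEM-768.KeyGen_internal and X25519 themselves are not implemented here, and the function returns the three derived secrets so the bytes that would be handed to each primitive are visible. The `fips203_style_seeds` helper is an assumed contrast, showing d and z drawn directly from a random bit generator, with `os.urandom` standing in for an approved DRBG. The function and constant names are mine.

```python
import hashlib
import os

# Sizes from the X-Wing KeyGen quoted in the thread: a 32-byte decapsulation
# seed is expanded to 96 bytes, of which the first two 32-byte slices are the
# inputs (d, z) to ML-KEM-768.KeyGen_internal and the last is the X25519 scalar.
XWING_SEED_LEN = 32
EXPANDED_LEN = 96


def expand_decapsulation_key(sk: bytes) -> tuple[bytes, bytes, bytes]:
    """X-Wing style expansion: one SHAKE256 call derives d, z and sk_X from sk.

    ML-KEM-768.KeyGen_internal and X25519 are not invoked here (assumed to be
    supplied by a library); the three derived secrets are returned instead so
    the caller can see exactly which bytes each primitive would receive.
    """
    if len(sk) != XWING_SEED_LEN:
        raise ValueError(f"X-Wing seed must be {XWING_SEED_LEN} bytes, got {len(sk)}")
    expanded = hashlib.shake_256(sk).digest(EXPANDED_LEN)
    d = expanded[0:32]      # ML-KEM seed d: KDF output, not taken from a DRBG
    z = expanded[32:64]     # ML-KEM implicit-rejection seed z: likewise KDF output
    sk_x = expanded[64:96]  # X25519 private scalar
    return d, z, sk_x


def fips203_style_seeds(rbg=os.urandom) -> tuple[bytes, bytes]:
    """The seed flow FIPS 203 describes: d and z are each 32 bytes taken
    directly from an approved random bit generator and passed unchanged to
    ML-KEM.KeyGen_internal(d, z).

    os.urandom is an assumed stand-in for the RBG; a validated module would
    use its own approved DRBG. `rbg` is injectable so the flow can be tested.
    """
    d = rbg(32)
    z = rbg(32)
    return d, z


if __name__ == "__main__":
    # Constructed sample seed (all zero bytes) so the output is reproducible.
    sk = bytes(XWING_SEED_LEN)
    d, z, sk_x = expand_decapsulation_key(sk)
    print("X-Wing: d, z and sk_X all derived from one seed by SHAKE256")
    print("  d    =", d.hex())
    print("  z    =", z.hex())
    print("  sk_X =", sk_x.hex())

    d2, z2 = fips203_style_seeds()
    print("FIPS 203 flow: d and z drawn directly from the RBG")
    print("  d    =", d2.hex())
    print("  z    =", z2.hex())
```

The point the example makes concrete: in the X-Wing flow the only fresh randomness is the 32-byte `sk`, and the values that reach ML-KEM's key generation are deterministic SHAKE256 output, whereas in the FIPS 203 flow each of d and z is itself an RBG output. Which of these a validated module may accept is exactly the question the message raises, and nothing here answers it.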
