Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread D. J. Bernstein
Bas Westerbaan writes: > At the moment the choice of hybrid is left to the application/protocol. > This has led to many different proposals for hybrids, which wastes a lot of > engineering, standardisation and security review time. I think it's better > if hybridisation is done at the level of

Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Watson Ladd
On Wed, Jan 10, 2024 at 12:14 PM Bas Westerbaan wrote: > > Dear tls and cfrg working groups, > > With ML-KEM (née Kyber) expected to be finalized this year, it’s time to > revisit the question of which PQ/T hybrid KEMs to standardize, and which to > recommend. My preference would be that we

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Bas Westerbaan
On Thu, Jan 11, 2024 at 10:48 PM Martin Thomson wrote: > > > On Thu, Jan 11, 2024, at 07:13, Bas Westerbaan wrote: > > X-Wing aims for 128-bit security, and for that combines the time-tested > > X25519 with ML-KEM-768 [8]. X-Wing uses the combiner > > > > SHA3-256( xwing-label || ss_ML-KEM ||

Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Martin Thomson
On Thu, Jan 11, 2024, at 07:13, Bas Westerbaan wrote: > X-Wing aims for 128-bit security, and for that combines the time-tested > X25519 with ML-KEM-768 [8]. X-Wing uses the combiner > > SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 ) At least for TLS, I'm not

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Scott Fluhrer (sfluhrer)
I can’t say I agree with this argument. If we have a combiner with a proof that “if either of the primitives we have meet security property A, then the output of the combiner meets security property B”, and we have proofs that both our primitives meet security property A, then doesn’t that

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Orie Steele
Hybrids by their very nature are the explosion. If there will only ever be X-Wing, I think it's fine to not make it generic (since we admit that it is a special case, not an instance of a generic). However, if B-Wing (brainpool + kyber) and P-Wing (p curve + kyber) also end up getting made, we

Re: [TLS] [EXT] Re: [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Blumenthal, Uri - 0553 - MITLL
-- V/R, Uri There are two ways to design a system. One is to make it so simple there are obviously no deficiencies. The other is to make it so complex there are no obvious deficiencies.

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Sophie Schmieg
I very much appreciate having a concrete hybrid scheme that is intentionally not generic. This avoids the explosion of ciphertext suites that would otherwise occur, and allows for better compatibility of libraries. Fixing the key sizes to ML-KEM 768 and X25519 is aligned with our preferred choices

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Salz, Rich
I'm going to echo Bas to highlight that X-Wing is not generic to any IND-CCA KEM, it is a particular primitive construction based on the internal construction of ML-KEM in particular: I don’t think it’s our place to try to shoe-horn everything into one construct. Particularly when we are in

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Deirdre Connolly
I'm going to echo Bas to highlight that X-Wing is not generic to any IND-CCA KEM, it is a particular primitive construction based on the internal construction of ML-KEM in particular: > Note that it doesn’t hash in the ML-KEM ciphertext. For a generic KEM one cannot leave out the ciphertext, but

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Kampanakis, Panos
+1 on making X-Wing a generic construction and stir in the KEM ciphertext. In the ML-KEM case, the SHAKE256 cost of an additional 1-1.5KB ciphertext c2 will be minuscule compared to the other operations. And this will be similar for other KEMs as well. For example, from

Re: [TLS] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Filippo Valsorda
This is excellent, especially the explicit decision to make concrete primitive choices, which allow the scheme to be both secure and efficient. I have an implementation at filippo.io/mlkem768/xwing which passes the test vectors in

Re: [TLS] [CFRG] [EXTERNAL] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Mike Ounsworth
Hi Peter. Yeah, I get that; this is an optimization of the generic around the properties of ML-KEM. My thinking-out-loud here is twofold: 1. Let’s avoid the situation where we have both X-Wing and generic-combiner-mlkem-x25519 floating around IETF protocols. I’m basically suggesting

Re: [TLS] [CFRG] [EXTERNAL] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Peter C
Mike, X-Wing is not a profile of the generic construction. Dropping the ML-KEM ciphertext changes the security assumptions you need to make. If X25519 is secure then, in the generic construction, ML-KEM doesn’t need to satisfy any security properties at all for the hybrid to be secure. In

Re: [TLS] [EXTERNAL] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Bas Westerbaan
On Thu, Jan 11, 2024 at 3:56 PM Mike Ounsworth wrote: > Right. I’m just thinking out loud here. > > > > If the Generic is > > > > KDF(counter || KEM1_ct || KEM1_ss || KEM2_ct || KEM2_ss || fixedInfo) > > > > And X-Wing is: > > > > SHA3-256( “\.//^\” || ML-KEM_ss || X25519_ss || X25519_ct ||

Re: [TLS] [EXTERNAL] Re: [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Bas Westerbaan
> Because for embedded devices that don’t have enough memory to hold all > of those objects in simultaneously, this is likely the order in which it > would have those things available to stream into SHA3. > That will not make a difference: the SHA3-256 rate is 136 bytes. > Another thing to

Re: [TLS] [EXTERNAL] Re: [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Mike Ounsworth
Bas Westerbaan writes: > SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 > ) One critique: I would consider changing the order of the X25519 params to SHA3-256( xwing-label || ss_ML-KEM || pk_X25519 || ct_X25519 || ss_X25519 ) Because for embedded

Re: [TLS] [EXTERNAL] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Mike Ounsworth
Right. I’m just thinking out loud here. If the Generic is KDF(counter || KEM1_ct || KEM1_ss || KEM2_ct || KEM2_ss || fixedInfo) And X-Wing is: SHA3-256( “\.//^\” || ML-KEM_ss || X25519_ss || X25519_ct || X25519_pk ) It looks pretty close to me; you’ve dropped the ML-KEM CT,

Re: [TLS] Marvin reference to draft-ietf-tls-deprecate-obsolete-kex

2024-01-11 Thread Salz, Rich
> I don't know if you want to change the I-D in last call, but the > Marvin Attack paper is now officially published: I think this can be handled after LC and during AUTH48. > Given that we have 17 CVEs and counting on top of ROBOT, I think that it's > a good reference for disallowing RSA kex in

[TLS] Marvin reference to draft-ietf-tls-deprecate-obsolete-kex

2024-01-11 Thread Hubert Kario
Hi, I don't know if you want to change the I-D in last call, but the Marvin Attack paper is now officially published: https://doi.org/10.1007/978-3-031-51479-1_13 Given that we have 17 CVEs and counting on top of ROBOT, I think that it's a good reference for disallowing RSA kex in TLS. --

Re: [TLS] [EXTERNAL] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Bas Westerbaan
> Speaking for myself (not for my co-authors), this feels like friendly, > complementary work to draft-ounsworth-cfrg-kem-combiners; > I agree. > We could consider adding a section with concrete instantiations, and the > first one would be X-Wing  (followed by ML-KEM + P-256, Brainpool, and >

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread Bas Westerbaan
Hi Dan, Thanks for your detailed comments. Bas Westerbaan writes: > > SHA3-256( xwing-label || ss_ML-KEM || ss_X25519 || ct_X25519 || pk_X25519 > > ) > > 1. I'd include the post-quantum ciphertext (or a hash of it). Rationale: > This makes the construction more generic, This construction is

Re: [TLS] [CFRG] X-Wing: the go-to PQ/T hybrid KEM?

2024-01-11 Thread D. J. Bernstein
Do we have a survey of hybrid patents? To be clear, for security reasons I recommend a straightforward policy of always using hybrids (https://blog.cr.yp.to/20240102-hybrid.html). NIST reportedly bought out some hybrid patents; I'm not aware of hybrid patents that predate the clear prior art; and

Re: [TLS] 0RTT freshness test does not work well when delays are in minutes

2024-01-11 Thread Martin Thomson
On Thu, Jan 11, 2024, at 18:38, Christian Huitema wrote: > If an implementation does not want to deal with the extra complexity, > then having a way to plug in some extra code for a specific scenario > makes sense... My point was that the handling does not need to be complex, only the tolerance