[Cryptography] Kyber PQC Key Exchange

Phillip Hallam-Baker phill at hallambaker.com
Fri Aug 5 13:59:14 EDT 2022


On Fri, Aug 5, 2022 at 1:04 PM Viktor Dukhovni <cryptography at dukhovni.org>
wrote:

> On Fri, Aug 05, 2022 at 02:31:39AM -0400, Phillip Hallam-Baker wrote:
>
> > > Do you really want to open the black box, or are you looking for a
> > > better description of the knobs on the front panel?  My guess is mostly
> > > the latter...
> > >
> >
> > Actually, I am trying to understand what I now believe was a
> > misunderstanding on the part of the cryptographers supposedly providing
> > an explanation.
> >
> > The NIST competition has a very specific interface which is indeed a
> > black box that can slot into the same hole that is already in my code.
>
> Right, we have a *layered* black box, and some of the knobs are hidden
> on the inside.  It may be too early to speculate about which operating
> modes will be available when the standards are finalised.  So some
> confusion is perhaps to be expected at this time?
>

I think part of the problem here is that the cryptographers don't actually
understand how we build protocols.

Take the SHA-2 compressor function used in the Merkle-Damgård construction.
That is indisputably a solid cryptographic module which, if I were a
cryptographer, I might well make use of in a design in the same fashion as
SHAKE-256 is used. I understand the cryptographic properties and would have
absolutely no problem applying them in an algorithm proposal. But there is
absolutely no way that I would propose a protocol specification that
attempted to make use of that module as a standards-based component, because
it isn't one.

So what we have right now is a NIST competition that has selected KYBER but
has not yet specified what the operating modes will be. And they are
looking at the inner modules and building protocols from those, which is
perfectly acceptable in the academic cryptography world but is utterly
verboten in the standards-based protocol design world.

And in the process they are creating a mass of confusion with a series of
categorical statements about the limitations of Kyber which are simply not
true and they really need to stop.

As far as I am concerned, the only algorithm NIST has actually endorsed at
this point is the algorithm that was actually tested, an 'encryption'
function which is given a public key and returns a shared secret and an
encrypted blob that returns the shared secret when decrypted with the
private key.

If we trust the NIST competition, we should trust that construction, but
that is all we can trust.


> 0-RTT unilateral key wrap may not yet have been in scope.  We'll have to
> wait and see what other operating modes are standardised (perhaps I
> missed publication of Kyber-based proposed standard constructions of
> this type).
>

I don't think 0-RTT is really a thing. No really. The way that we achieve
0-RTT is to push parts of the interaction into a different infrastructure
so we don't count them in the protocol we are selling at the time.

The PQC interface selected by NIST allows me to implement OpenPGP and
S/MIME without any difficulty. That's 0-RTT as far as I am concerned. It is
also the only non-interactive pattern that interests me.

The TLS folk have problems. But they don't require major modification to
their protocol approach. A much bigger problem for them is likely to be the
fact that they use signatures in their key exchange, which is and always was
stupid for a start. Even worse when they don't have a signature algorithm
choice.
> > So yes I do actually need to understand more than just the black box
> > because there are actually two boxes at issue here. There is an outer
> > box which is the one that NIST selected and there is an inner box.
>
> Indeed, and yes the published expository material is still often
> confusingly incomplete.
>

And I rather suspect that a lot of other people were as confused as I was
but were unwilling to say so.

My college tutor was Tony Hoare, and one of his famous computing parables
was "The Emperor's Old Clothes". I have always been wary of the emperor's new
clothes effect, where people are afraid to ask questions for fear of looking
stupid and the result is we end up doing stupid things.
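As an added example (not code from the thread or from any Kyber implementation), the KEM-DEM pattern the message describes: a stand-in KEM with exactly the interface named above (public key in, shared secret plus encrypted blob out; private key and blob back to the same shared secret), wrapped in an encrypt-then-MAC DEM so that a sender needs only the recipient's public key and no round trip. The KEM here is toy Diffie-Hellman with deliberately insecure parameters standing in for Kyber; the function names, the TOY_* constants and the DEM construction are my own assumptions, not anything the thread or NIST specifies.

```python
import hashlib
import hmac
import os
# Stand-in KEM: Diffie-Hellman in a toy 127-bit group. INSECURE placeholder
# for Kyber; only the interface (pk -> (ss, ct), sk + ct -> ss) matters here.
TOY_P, TOY_G, CT_LEN = 2**127 - 1, 3, 16

def kem_keygen():
    sk = int.from_bytes(os.urandom(16), "big") % (TOY_P - 2) + 1
    return pow(TOY_G, sk, TOY_P), sk

def _derive_ss(ct, raw):
    # Bind the shared secret to the ciphertext, as Kyber's KEM layer does
    data = ct.to_bytes(CT_LEN, "big") + raw.to_bytes(CT_LEN, "big")
    return hashlib.sha256(b"toy-kem" + data).digest()

def kem_encaps(pk):
    # Public key in; (shared secret, encrypted blob) out
    r = int.from_bytes(os.urandom(16), "big") % (TOY_P - 2) + 1
    ct = pow(TOY_G, r, TOY_P)
    return _derive_ss(ct, pow(pk, r, TOY_P)), ct.to_bytes(CT_LEN, "big")

def kem_decaps(sk, ct_bytes):
    # Private key + blob in; the same shared secret out
    ct = int.from_bytes(ct_bytes, "big")
    return _derive_ss(ct, pow(ct, sk, TOY_P))

def _dem_keys(ss):
    # Separate encryption and MAC keys from the KEM shared secret
    return hashlib.sha256(b"enc" + ss).digest(), hashlib.sha256(b"mac" + ss).digest()

def _xor_stream(key, data):
    # HMAC-SHA256 in counter mode as a keystream (toy DEM, not a standard AEAD)
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def encrypt_to(pk, msg):
    # Sender needs only the recipient's public key: no round trip (0-RTT)
    ss, ct = kem_encaps(pk)
    enc_key, mac_key = _dem_keys(ss)
    body = _xor_stream(enc_key, msg)
    return ct + body + hmac.new(mac_key, ct + body, hashlib.sha256).digest()

def decrypt_with(sk, blob):
    # Recipient decapsulates, checks the tag over ct||body, then decrypts
    ct, body, tag = blob[:CT_LEN], blob[CT_LEN:-32], blob[-32:]
    enc_key, mac_key = _dem_keys(kem_decaps(sk, ct))
    expect = hmac.new(mac_key, ct + body, hashlib.sha256).digest()
    return _xor_stream(enc_key, body) if hmac.compare_digest(expect, tag) else None
```

Swapping the two kem_* functions for a real Kyber/ML-KEM binding leaves encrypt_to and decrypt_with unchanged, which is the point of treating the KEM as a black box.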