[TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Stephan Müller
Hi, Post-quantum computing cryptographic algorithms are designed and available for use. Considering that the Kyber algorithm is going to be mandated by US authorities in the future as a complete replacement for asymmetric key exchange and agreement, a proposal integrating Kyber into TLS is spec

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Bas Westerbaan
Hi Stephan, From your e-mail it's unclear which attack you worry about, but in the attached document, you describe the problem unique to the implementation of Kyber in TLS as: If the random number generated > for the encryption operation is weak, an attacker may sniff the pk sent > over the wire

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Stephan Mueller
On Monday, 19 June 2023, 12:53:32 CEST, Bas Westerbaan wrote: Hi Bas, > Hi Stephan, > > From your e-mail it's unclear which attack you worry about, but in the > attached document, you describe the problem unique to the implementation of > Kyber in TLS as: > > If the random number generated >

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Scott Fluhrer (sfluhrer)
I do not believe that Müller is correct - we do not intend to use the Kyber CPA public key encryption interface, but instead the Kyber CCA KEM interface. And, with that interface, the server does contribute to the shared secret: The shared secret that Kyber KEM (round 3) generates on success is:

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Stephan Mueller
On Monday, 19 June 2023, 15:56:57 CEST, Scott Fluhrer (sfluhrer) wrote: Hi Scott, > I do not believe that Müller is correct - we do not intend to use the Kyber CPA > public key encryption interface, but instead the Kyber CCA KEM interface. > And, with that interface, the server does contribute to

[TLS] FW: New Version Notification for draft-rsalz-tls-tls12-frozen-01.txt

2023-06-19 Thread Salz, Rich
We'd like time on the agenda to present and ask for adoption. This is the document I agreed to write at IETF 117 and I am pleased to say that Nimrod Aviram is a co-author. On 6/19/23, 10:55 AM, "internet-dra...@ietf.org" wrote

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Thom Wiggers
Hi all, The attack that is described by Stephan is something that we considered while we were initially designing KEMTLS (in the papers, we also covered the ephemeral key exchange). I'll quickly write what we were thinking of and why we did not choose to do anything similar to what Stephan propose

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Bas Westerbaan
I do have to add to Thom's remarks that KEMTLS (a.k.a. AuthKEM) offers an advantage here. If the private key of the leaf cert is not compromised (for instance when it was generated elsewhere), then the attacker Stephan describes cannot learn the shared secret. On Mon, Jun 19, 2023 at 5:02 PM Thom

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Thom Wiggers
Hi, On Mon 19 Jun 2023 at 17:41, Bas Westerbaan wrote: > I do have to add to Thom's remarks that KEMTLS (a.k.a. AuthKEM) offers an > advantage here. If the private key of the leaf cert is not compromised (for > instance when it was generated elsewhere), then the attacker Stephan > describes canno

Re: [TLS] CRYSTALS Kyber and TLS

2023-06-19 Thread Dennis Jackson
If you have access to an uncompromised signing key, you can fix a compromised CSRNG generically without having to change the protocol. [1] Best, Dennis [1] https://datatracker.ietf.org/doc/html/rfc8937 On 19/06/2023 16:41, Bas Westerbaan wrote: I do have to add to Thom's remarks that KEMTLS (a