draft-ietf-lamps-pq-composite-kem-05

@johngray-dev johngray-dev released this 21 Oct 20:43
· 20 commits to main since this release
de2d8de

Interop-affecting changes:

  • Fixed a bug in the definition of the Encaps() functions: KEMs, according to both RFC9180 and FIPS 203, should always return (ss, ct), but we had (ct, ss).
  • Interoperable composite private key format requires component public keys (because public keys are required for decapsulation).
  • Specified that the tradCT and tradPK inputs to the KEM combiner must be the raw values without the OCTET STRING wrapper.
  • Adjusted RSA-OAEP section to follow RFC8017 instead of RFC3560. Does not use the RSA-OAEP label.
  • Aligned the algorithm list with LAMPS WG on-list discussions and draft-openpgp-pqc.
  • Specified some options to use HKDF-SHA2, and some to use SHA3 / KMAC to facilitate implementations that do not have easy access to SHA3 outside the ML-KEM module.
  • All levels now use 256-bit KDFs, to match ML-KEM's 256-bit shared secret key.
  • Tweaks to the combiner function, thanks to Quynh and the authors of draft-ietf-openpgp-PQC:
    • Removed the counter.
    • Un-twisted tradSS || mlkemSS to mlkemSS || tradSS as you would expect (thanks Quynh for pointing out that this is allowed).
    • Simplified to use 256-bit hashes at all security levels (HKDF-SHA256, SHA3-256, KMAC256), which matches ML-KEM's 256 bit shared secret key at all levels.
  • Updated prototype OIDs and domain separators to reflect that this version is not compatible with previous version.
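As an added illustration of the interop-affecting points above (not code from the draft or its authors), the following Python sketch shows the combiner shape these notes describe: component Encaps() returning (ss, ct) in that order, tradCT and tradPK fed in as raw bytes with the DER OCTET STRING wrapper removed, mlkemSS || tradSS concatenated without a counter, and a 256-bit output from either SHA3-256 or HKDF-SHA256 at every level (KMAC256 is not in the Python standard library, so it is omitted). The exact layout after mlkemSS || tradSS (tradCT || tradPK || Domain) and the domain separator value are assumptions of this example, not something the release notes state; the real per-OID domain separators live in the draft.

```python
import hashlib
import hmac

# Constructed placeholder; the draft assigns a distinct domain separator per composite OID.
DOMAIN_PLACEHOLDER = b"composite-kem-domain-placeholder"


def hkdf_sha256(ikm: bytes, salt: bytes = b"", info: bytes = b"", length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand to `length` bytes."""
    if not salt:
        salt = bytes(32)  # RFC 5869: an absent salt is HashLen zero bytes
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_known_answer_ok() -> bool:
    """Check hkdf_sha256 against RFC 5869 test case 1 before trusting it."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865")
    return hkdf_sha256(ikm, salt, info, 42) == expected


def strip_octet_string(der: bytes) -> bytes:
    """Return the contents of one DER OCTET STRING (tag 0x04), rejecting anything else.

    The combiner must see the raw tradCT / tradPK bytes, so the wrapper is removed here
    and non-minimal or mismatched lengths are treated as malformed input.
    """
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("expected a DER OCTET STRING")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
        if length < 0x80 or (n > 1 and der[2] == 0):
            raise ValueError("non-minimal DER length")
    if offset + length != len(der):
        raise ValueError("length does not match content")
    return der[offset:offset + length]


def rejects_octet_string(der: bytes) -> bool:
    """True if strip_octet_string refuses `der` (used to exercise the malformed cases)."""
    try:
        strip_octet_string(der)
    except ValueError:
        return True
    return False


def combiner(mlkem_ss: bytes, trad_ss: bytes, trad_ct_raw: bytes, trad_pk_raw: bytes,
             domain: bytes = DOMAIN_PLACEHOLDER, kdf: str = "SHA3-256") -> bytes:
    """Derive the 256-bit composite shared secret.

    Input order follows the -05 notes: mlkemSS || tradSS, with no counter.  Appending
    tradCT || tradPK || Domain after that is an ASSUMPTION of this example.
    """
    if len(mlkem_ss) != 32:
        raise ValueError("ML-KEM shared secret is 32 bytes at every level")
    data = mlkem_ss + trad_ss + trad_ct_raw + trad_pk_raw + domain
    if kdf == "SHA3-256":
        return hashlib.sha3_256(data).digest()
    if kdf == "HKDF-SHA256":
        return hkdf_sha256(data, length=32)
    raise ValueError("unknown KDF option")


def composite_encaps(mlkem_encaps, trad_encaps, trad_pk_der: bytes,
                     domain: bytes = DOMAIN_PLACEHOLDER, kdf: str = "SHA3-256"):
    """Run both component Encaps() callables and return (ss, ct), in that order.

    Each component callable must also return (ss, ct), matching RFC 9180 / FIPS 203;
    the traditional public key arrives DER-wrapped and is unwrapped before combining.
    """
    mlkem_ss, mlkem_ct = mlkem_encaps()
    trad_ss, trad_ct = trad_encaps()
    ss = combiner(mlkem_ss, trad_ss, trad_ct, strip_octet_string(trad_pk_der), domain, kdf)
    return ss, (mlkem_ct, trad_ct)
```

The callables passed to composite_encaps stand in for real ML-KEM and RSA/ECDH encapsulation; the point of the wrapper is only the return-order convention and the unwrapping of the traditional key before it reaches the KDF. Swapping the two shared secrets, or changing a single wrapper byte, produces a different composite secret, which is exactly why the -05 ordering and raw-value rules matter for interop.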

Editorial changes:

  • Added an Implementation Consideration section explaining why private keys need to contain the public keys.
  • Added a security consideration about key reuse.
  • Added security considerations about SHA3-vs-HKDF-SHA2 and a warning against generalizing this construction to other combinations of ciphers.
  • Enhanced the section about how to get this FIPS-certified.
  • ASN.1 module fixes (thanks Russ and Carl).
    • Renamed the module from Composite-KEM-2023 -> Composite-MLKEM-2024
    • Simplified the ASN.1 module to make it more compiler-friendly (thanks Carl!) -- should not affect wire encodings.