Subject: Re: [Pqc-forum] Key Establishment for PQC algorithms
From: Markku-Juhani Olavi Saarinen
Date: Fri, 28 Oct 2016 20:52:04 +0400
To: "Moody, Dustin (Fed)"
CC: pqc-forum

Hi,

It would be disappointing if functionally Diffie-Hellman-type Post-Quantum key exchange algorithms are no longer solicited for standardization by NIST. The proposed KEM is functionally equivalent to public key encryption in the eyes of cryptographic engineers such as myself anyway; using public key encryption for something other than to encrypt secret key material for symmetric encryption and/or authentication is not generally a good idea.

Especially hybrid schemes incorporating ECDH and some Post-Quantum scheme offer a highly attractive and cost-effective way of "future proofing" current cryptographic communication systems against future attacks (i.e. an adversary intercepting and recording a session now and breaking it when quantum computers become available). Here session authentication may still be based on current PKI mechanisms, as active attacks requiring quantum computation are not seen as a current threat.

In [1] Craig Costello and Patrick Longa introduce the "Open Quantum Safe" project, which has the goal of developing and testing such algorithms (https://openquantumsafe.org/). Proposals like "New Hope" [2] have gained early traction, having already been incorporated by Google in their BoringSSL library and Chrome Canary browser. Also, Microsoft has apparently made this type of key exchange its initial priority, with a stream of publications focusing on Supersingular Isogeny Diffie-Hellman (SIDH) [3].

Cheers,
- markku

[1] Douglas Stebila and Michele Mosca, "Post-Quantum Key Exchange for the Internet and the Open Quantum Safe Project". SAC 2016 invited talk. http://eprint.iacr.org/2016/1017.pdf
[2] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe, "Post-quantum key exchange - a new hope". USENIX Security 2016. https://eprint.iacr.org/2015/1092.pdf
[3] Craig Costello, Patrick Longa, and Michael Naehrig, "Efficient algorithms for supersingular isogeny Diffie-Hellman". CRYPTO 2016. https://eprint.iacr.org/2016/413.pdf

Dr. Markku-Juhani O. Saarinen

On Fri, Oct 28, 2016 at 7:27 PM, Moody, Dustin (Fed) wrote:
> NIST received several comments regarding our request for a key-exchange
> algorithm. As a result, we are clarifying what exactly we are looking for.
> In our revised call, instead of using the term key-exchange we will be
> asking for Key Encapsulation Mechanisms (KEMs). While the term KEM has been
> widely used in academic literature, previous NIST publications have tended
> to describe KEMs using the term "key agreement" (also known as key
> exchange). KEM schemes consist of algorithms for key generation,
> encapsulation, and decapsulation.
>
> One important application is using public-key cryptography to securely
> establish a key to be used for symmetric encryption. NIST intends to
> standardize one or more schemes that enable semantically secure encryption
> or key encapsulation with respect to adaptive chosen ciphertext attack
> (IND-CCA2), for general use. This security definition is substantially
> similar to what we had in our original draft Call.
>
> As a result of comments received, we are adding another option. While
> chosen ciphertext security is necessary for many existing applications, it
> is possible to implement a purely ephemeral key exchange protocol in such a
> way that only passive security is required from the encryption or KEM
> primitive. For these applications, NIST will consider standardizing an
> encryption or KEM scheme which provides semantic security with respect to
> chosen plaintext attack (IND-CPA).
>
> As the KEM and public key encryption functionalities can generally be
> interconverted, unless the submitter specifies otherwise, NIST will apply
> standard conversion techniques to convert between schemes if necessary.
>
> We would like your feedback.
>
> Does this approach seem sound?
>
> What (if any) changes would you suggest?
>
> Dustin Moody
> NIST
>
> _______________________________________________
> pqc-forum mailing list
> pqc-forum@nist.gov
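The two messages above talk past each other on vocabulary: NIST describes a KEM as key generation, encapsulation and decapsulation, while the reply wants Diffie-Hellman-style exchanges and ECDH-plus-PQ hybrids to remain in scope. The following added example (not code from NIST, the Open Quantum Safe project, NewHope, or either participant) shows why these are compatible: it wraps a Diffie-Hellman exchange in the KEM interface (the DH-to-KEM direction of the "standard conversion" NIST mentions) and then builds a hybrid combiner that derives one session key from two KEMs, so the key stays secret if either KEM holds. The group parameters are assumptions for demonstration only: a tiny toy group (Mersenne prime 2^127 - 1, generator 3, no subgroup checks) so it runs instantly with the standard library; it provides no real security, and the same toy KEM stands in for the post-quantum half because no PQ KEM ships with Python.

```python
"""Toy DH-based KEM plus a hybrid (classical + PQ) combiner.

Added example for this thread, not code from NIST, OQS, NewHope or the
participants. Toy group parameters: assumed, insecure, demo only.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime 2**127 - 1; toy parameter, NOT a safe prime
G = 3                # assumed generator; toy parameter only
NBYTES = 16          # every group element fits in 16 bytes


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt, standard library only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


class ToyDhKem:
    """Diffie-Hellman recast as a KEM: encapsulation sends an ephemeral
    public key as the 'ciphertext'; the shared secret is a KDF of the DH
    value bound to both public keys (DH -> KEM direction of the conversion)."""

    def keygen(self):
        x = secrets.randbelow(P - 2) + 1               # private exponent in [1, p-2]
        pk = pow(G, x, P).to_bytes(NBYTES, "big")
        return pk, (x, pk)                             # decaps key keeps pk for binding

    def _shared(self, raw: int, pk: bytes, ct: bytes) -> bytes:
        return hkdf_sha256(raw.to_bytes(NBYTES, "big"), b"toy-dh-kem" + pk + ct)

    def encaps(self, pk: bytes):
        epk, (ex, _) = self.keygen()                   # fresh ephemeral pair per call
        raw = pow(int.from_bytes(pk, "big"), ex, P)
        return epk, self._shared(raw, pk, epk)         # (ciphertext, shared secret)

    def decaps(self, sk, ct: bytes) -> bytes:
        x, pk = sk
        epk = int.from_bytes(ct, "big")
        if not 1 < epk < P - 1:                        # reject 0, 1, p-1 and out-of-range
            raise ValueError("invalid ciphertext")
        return self._shared(pow(epk, x, P), pk, ct)


def hybrid_keygen(classical, pq):
    pk1, sk1 = classical.keygen()
    pk2, sk2 = pq.keygen()
    return (pk1, pk2), (sk1, sk2)


def _combine(ss1: bytes, ss2: bytes, ct1: bytes, ct2: bytes) -> bytes:
    # Both shared secrets AND both ciphertexts feed the KDF: the session key
    # is secret if either KEM is, and swapping a ciphertext changes the key.
    return hkdf_sha256(ss1 + ss2, b"hybrid-kem-v1" + ct1 + ct2)


def hybrid_encaps(classical, pq, pks):
    ct1, ss1 = classical.encaps(pks[0])
    ct2, ss2 = pq.encaps(pks[1])
    return (ct1, ct2), _combine(ss1, ss2, ct1, ct2)


def hybrid_decaps(classical, pq, sks, cts):
    ss1 = classical.decaps(sks[0], cts[0])
    ss2 = pq.decaps(sks[1], cts[1])
    return _combine(ss1, ss2, cts[0], cts[1])


if __name__ == "__main__":
    kem = ToyDhKem()
    # The toy KEM stands in for the PQ half; a real deployment would plug a
    # PQ KEM (e.g. NewHope or SIDH) in here without changing the combiner.
    pks, sks = hybrid_keygen(kem, kem)
    cts, key_a = hybrid_encaps(kem, kem, pks)
    key_b = hybrid_decaps(kem, kem, sks, cts)
    print("hybrid session key agrees:", key_a == key_b)
```

Two points the code makes concrete. First, the combiner never looks inside either KEM, which is why the ephemeral-only, IND-CPA option NIST describes is enough for this use: each decapsulation key is generated for one session and discarded, so an attacker gets no decryption oracle. Second, binding the ciphertexts into the KDF is the cheap insurance a practitioner wants: without it, an active attacker who replaced one ciphertext could leave the derived key unchanged on the honest side if the corresponding KEM were broken.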