-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add hybrid KEMTLS #68
Comments
"hybrid KEMTLS" is just KEMTLS with hybrid KEMs for the ephemeral and static (leaf cert) KEM, and and hybrid signature schemes in the signature chain. The security proof does not rely on fancy properties of the KEMs or signature schemes, so we don't need to make any protocol changes in that sense. We might need to pick some identifiers but that's not any different from what needs to be done for PQ-only KEMs. This is probably most easily implemented by treating the hybrid KEM as a completely independent algorithm from its constituent components. Treat "KyberX25519" is a "proper" algorithm and do not give it any special treatment on the wire compared to "X25519" or "Kyber". If that means duplicate X25519 public keys: so be it. So that means following the same strategy as is proposed for draft-ietf-tls-hybrid-design. This draft only covers the (ephemeral) key exchange, of course, so we need to adjust also for the static KEM key exchange: just slap two keys together in the certificate as well and do the same for the ciphertext sent back to the server/client. For certificates we can probably also do something similar: just slap two signatures together and verify both. |
So my previous post covers the specification more-or-less 😉 With regards to implementation changes that'd then be:
|
I agree with Thom. Circl already supports some hybrid KEMs (eg. We also need internal TLS identifiers, but we can just pick some in the reserved space. See |
yes! thanks you @thomwiggers @bwesterb
I'll check about this.
Perfect! I'll add this to our KEMTLS draft ;) |
On our next meeting, I'll like to talk about this questions, as taken from https://datatracker.ietf.org/doc/html/draft-ietf-tls-hybrid-design#section-4:
Putting it here for people to think about it prior to our meeting. Also, cc./ @chris-wood |
Failures aiui only occur in IND-CPA secure KEMs, but you need an IND-CCA secure KEM (src: KEMTLS paper). This means failures would be cryptographically negligible |
We need to add a version of a hybrid KEMTLS. This needs to:
Depends on #66
The text was updated successfully, but these errors were encountered: