Ounsworth KEM Combiner

randombit · Jun 13, 2024 · 846bc3d · 846bc3d
1 parent 97b9ea2
commit 846bc3d
Show file tree

Hide file tree

Showing 16 changed files with 2,120 additions and 2 deletions.
diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst
@@ -188,6 +188,27 @@ A set of signature schemes based on elliptic curves. All are national standards
 in their respective countries (Germany, South Korea, China, and Russia, resp),
 and are completely obscure and unused outside of that context.
 
+KEM Combiner
+------------
+
+A KEM Combiner is a key encapsulation mechanism (KEM) that combines multiple
+KEMs into a single KEM. The resulting KEM is secure if at least one combined
+KEM is secure. Usually, the KEM Combiner combines a classical KEM with a
+post-quantum secure KEM. Note that every key exchange algorithm can also be
+described as a KEM.
+
+Ounsworth KEM Combiner
+~~~~~~~~~~~~~~~~~~~~~~
+
+This combiner is based on
+`draft-ounsworth-cfrg-kem-combiners-05 <https://github.com/EntrustCorporation/draft-ounsworth-cfrg-kem-combiners/blob/475ff53eb8fb7213f6e5ab26dd23e5dc3203f7fa/draft-ounsworth-cfrg-kem-combiners.txt>`_
+(Feb 2024). It is a generic combiner that achieves IND-CCA security if at least
+one combined KEM is. Every KEM that implements Botan's private and public key
+interfaces can be an ingredient of this combiner. However, some KEMs are
+predefined for easier usage. The predefined KEMs are Kyber (Round 3) and
+FrodoKEM for post-quantum security and X25519, X448, and ECDH (with various
+named curves) as classical key exchange algorithms formulated as KEMs.
+
 .. _creating_new_private_keys:
 
 Creating New Private Keys

diff --git a/doc/dev_ref/oids.rst b/doc/dev_ref/oids.rst
@@ -43,6 +43,19 @@ Values currently assigned are::
  kyber-768-90s OBJECT IDENTIFIER ::= { kyber-90s 2 }
  kyber-1024-90s OBJECT IDENTIFIER ::= { kyber-90s 3 }
 
+ ounsworth-kem-combiner OBJECT IDENTIFIER ::= { publicKey 20 }
+
+ ounsworth-kem-combiner-kyber-768-r3-x25519-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 1 }
+ ounsworth-kem-combiner-kyber-1024-r3-x448-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 2 }
+
+ ounsworth-kem-combiner-kyber-512-r3-ecdh-secp256r1-kmac-128 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 3 }
+ ounsworth-kem-combiner-kyber-768-r3-ecdh-secp384r1-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 4 }
+ ounsworth-kem-combiner-kyber-1024-r3-ecdh-secp512r1-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 5 }
+
+ ounsworth-kem-combiner-frodokem-640-shake-ecdh-brainpool256r1-kmac-128 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 6 }
+ ounsworth-kem-combiner-frodokem-976-shake-ecdh-brainpool384r1-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 7 }
+ ounsworth-kem-combiner-frodokem-1344-shake-ecdh-brainpool512r1-kmac-256 OBJECT IDENTIFIER ::= { ounsworth-kem-combiner 8 }
+
  xmss OBJECT IDENTIFIER ::= { publicKey 8 }
 
  -- The current dilithium implementation is compatible with the reference

diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
@@ -39,6 +39,19 @@
 1.3.6.1.4.1.25258.1.11.2 = Kyber-768-90s-r3
 1.3.6.1.4.1.25258.1.11.3 = Kyber-1024-90s-r3
 
+# Ounsworth KEM Combiner Draft (Feb 2024)
+# https://github.com/EntrustCorporation/draft-ounsworth-cfrg-kem-combiners/blob/475ff53eb8fb7213f6e5ab26dd23e5dc3203f7fa/draft-ounsworth-cfrg-kem-combiners.txt
+1.3.6.1.4.1.25258.1.20.1 = OunsworthKEMCombiner/Kyber-768-r3/X25519/KMAC-256
+1.3.6.1.4.1.25258.1.20.2 = OunsworthKEMCombiner/Kyber-1024-r3/X448/KMAC-256
+
+1.3.6.1.4.1.25258.1.20.3 = OunsworthKEMCombiner/Kyber-512-r3/ECDH-secp256r1/KMAC-128
+1.3.6.1.4.1.25258.1.20.4 = OunsworthKEMCombiner/Kyber-768-r3/ECDH-secp384r1/KMAC-256
+1.3.6.1.4.1.25258.1.20.5 = OunsworthKEMCombiner/Kyber-1024-r3/ECDH-secp521r1/KMAC-256
+
+1.3.6.1.4.1.25258.1.20.6 = OunsworthKEMCombiner/FrodoKEM-640-SHAKE/ECDH-brainpool256r1/KMAC-128
+1.3.6.1.4.1.25258.1.20.7 = OunsworthKEMCombiner/FrodoKEM-976-SHAKE/ECDH-brainpool384r1/KMAC-256
+1.3.6.1.4.1.25258.1.20.8 = OunsworthKEMCombiner/FrodoKEM-1344-SHAKE/ECDH-brainpool512r1/KMAC-256
+
 # Dilithium OIDs are currently in Botan's private arc
 1.3.6.1.4.1.25258.1.9.1 = Dilithium-4x4-r3
 1.3.6.1.4.1.25258.1.9.2 = Dilithium-6x5-r3

diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-04-12
+* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-06-12
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -178,6 +178,14 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
  {"1.3.6.1.4.1.25258.1.17.1", "eFrodoKEM-640-AES"},
  {"1.3.6.1.4.1.25258.1.17.2", "eFrodoKEM-976-AES"},
  {"1.3.6.1.4.1.25258.1.17.3", "eFrodoKEM-1344-AES"},
+ {"1.3.6.1.4.1.25258.1.20.1", "OunsworthKEMCombiner/Kyber-768-r3/X25519/KMAC-256"},
+ {"1.3.6.1.4.1.25258.1.20.2", "OunsworthKEMCombiner/Kyber-1024-r3/X448/KMAC-256"},
+ {"1.3.6.1.4.1.25258.1.20.3", "OunsworthKEMCombiner/Kyber-512-r3/ECDH-secp256r1/KMAC-128"},
+ {"1.3.6.1.4.1.25258.1.20.4", "OunsworthKEMCombiner/Kyber-768-r3/ECDH-secp384r1/KMAC-256"},
+ {"1.3.6.1.4.1.25258.1.20.5", "OunsworthKEMCombiner/Kyber-1024-r3/ECDH-secp521r1/KMAC-256"},
+ {"1.3.6.1.4.1.25258.1.20.6", "OunsworthKEMCombiner/FrodoKEM-640-SHAKE/ECDH-brainpool256r1/KMAC-128"},
+ {"1.3.6.1.4.1.25258.1.20.7", "OunsworthKEMCombiner/FrodoKEM-976-SHAKE/ECDH-brainpool384r1/KMAC-256"},
+ {"1.3.6.1.4.1.25258.1.20.8", "OunsworthKEMCombiner/FrodoKEM-1344-SHAKE/ECDH-brainpool512r1/KMAC-256"},
  {"1.3.6.1.4.1.25258.1.3", "McEliece"},
  {"1.3.6.1.4.1.25258.1.5", "XMSS-draft6"},
  {"1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/SHA-256"},
@@ -427,6 +435,17 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
  {"Microsoft UPN", OID({1, 3, 6, 1, 4, 1, 311, 20, 2, 3})},
  {"OpenPGP.Curve25519", OID({1, 3, 6, 1, 4, 1, 3029, 1, 5, 1})},
  {"OpenPGP.Ed25519", OID({1, 3, 6, 1, 4, 1, 11591, 15, 1})},
+ {"OunsworthKEMCombiner/FrodoKEM-1344-SHAKE/ECDH-brainpool512r1/KMAC-256",
+ OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 8})},
+ {"OunsworthKEMCombiner/FrodoKEM-640-SHAKE/ECDH-brainpool256r1/KMAC-128",
+ OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 6})},
+ {"OunsworthKEMCombiner/FrodoKEM-976-SHAKE/ECDH-brainpool384r1/KMAC-256",
+ OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 7})},
+ {"OunsworthKEMCombiner/Kyber-1024-r3/ECDH-secp521r1/KMAC-256", OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 5})},
+ {"OunsworthKEMCombiner/Kyber-1024-r3/X448/KMAC-256", OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 2})},
+ {"OunsworthKEMCombiner/Kyber-512-r3/ECDH-secp256r1/KMAC-128", OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 3})},
+ {"OunsworthKEMCombiner/Kyber-768-r3/ECDH-secp384r1/KMAC-256", OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 4})},
+ {"OunsworthKEMCombiner/Kyber-768-r3/X25519/KMAC-256", OID({1, 3, 6, 1, 4, 1, 25258, 1, 20, 1})},
  {"PBE-PKCS5v20", OID({1, 2, 840, 113549, 1, 5, 13})},
  {"PBES2", OID({1, 2, 840, 113549, 1, 5, 13})},
  {"PKCS5.PBKDF2", OID({1, 2, 840, 113549, 1, 5, 12})},

diff --git a/src/lib/pubkey/ounsworth_kem_combiner/info.txt b/src/lib/pubkey/ounsworth_kem_combiner/info.txt
@@ -0,0 +1,23 @@
+<defines>
+OUNSWORTH -> 20240528
+</defines>
+
+<module_info>
+name -> "Ounsworth"
+</module_info>
+
+<header:public>
+ounsworth.h
+ounsworth_mode.h
+</header:public>
+
+<header:internal>
+sp800_56c_helper.h
+</header:internal>
+
+<requires>
+hybrid_kem
+kex_to_kem_adapter
+kmac
+sha3
+</requires>