Session Date/Time: 20 Apr 2022 14:00
LAMPS
Summary
The LAMPS working group met to discuss three primary areas related to Post-Quantum Cryptography (PQC) integration: a proposed KEM-TRANS mechanism for CMS, updates to composite key and KEM drafts, and a framework for non-composite hybrid authentication.
The KEM-TRANS proposal aims to adapt PQC Key Encapsulation Mechanisms (KEMs) to the CMS context, where a fixed Content Encryption Key (CEK) needs to be transported, unlike the random shared secrets generated by typical KEMs. This sparked a technical debate on the necessity and components of the KEM-TRANS mechanism.
Updates to the composite keys and KEMs drafts focused on refining combiner modes and merging generic and explicit composite key approaches. A significant discussion point was whether policy decisions, such as k-of-n signing modes, should be embedded within the public key or left to the verifier's discretion.
Finally, an informational draft introduced a distinction between "composite" and "non-composite" hybrid solutions, with a companion technical draft proposing a PKI-level binding mechanism for non-composite hybrid certificates. This approach was generally well-received for its flexibility, though the complexity and necessity of the explicit binding mechanism drew discussion.
Key Discussion Points
- KEM-TRANS for CMS (Julia Pratt):
  - A draft proposing KEM-TRANS was presented to enable the use of PQC KEMs within CMS for transporting a fixed Content Encryption Key (CEK). The mechanism combines a KEM, a KDF, and a key-wrap algorithm.
  - A participant suggested a simpler XOR-based key wrap (CEK = Shared_Secret ^ Ciphertext, i.e., the CEK XORed directly with the KEM shared secret) as an alternative, prompting a technical discussion on the assumptions it relies on (e.g., whitening of the shared secret) and the security implications of such a method versus a more general KDF/Wrap.
  - The need for a KDF was emphasized to align the size of the shared secret with the key-wrap algorithm, as different KEMs may output varying lengths (e.g., 256 bits vs. 512 bits); this keeps the mechanism independent of the symmetric algorithm used for content encryption.
  - The fundamental mismatch between KEMs, which produce a fresh random shared secret per encapsulation, and the CMS requirement for one fixed CEK shared by multiple recipients was reiterated as the motivation for KEM-TRANS.
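Worked illustration of the KEM-TRANS flow discussed above (added here; not code from the draft, the presenter, or the working group). It assumes a toy Diffie-Hellman KEM over the Mersenne prime M521 with generator 3 as a stand-in for a PQC KEM (hypothetical parameters, insecure, used only so the script runs offline with the standard library), HKDF-SHA256 as the KDF, and a hypothetical HMAC-based encrypt-then-MAC wrap in place of AES-KW. The `ss_len` argument models KEMs that output 256-bit versus 512-bit shared secrets, and `xor_transport` shows where the XOR alternative breaks when the shared secret is not CEK-sized.

```python
import hashlib
import hmac
import secrets

# Toy DH-based KEM over the Mersenne prime M521 (hypothetical parameters,
# NOT a vetted group and NOT secure; it stands in for a PQC KEM so that the
# script runs with only the standard library).
P = (1 << 521) - 1
G = 3
ELEM_LEN = 66            # bytes per group element
KEK_LEN = 32             # key-encryption key size expected by the wrap below
TAG_LEN = 16


def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def kem_encaps(pk, ss_len):
    """Return (ciphertext, shared_secret); ss_len models 256- vs 512-bit KEM outputs."""
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P).to_bytes(ELEM_LEN, "big")
    ss = hashlib.sha512(pow(pk, r, P).to_bytes(ELEM_LEN, "big")).digest()[:ss_len]
    return ct, ss


def kem_decaps(sk, ct, ss_len):
    shared = pow(int.from_bytes(ct, "big"), sk, P)
    return hashlib.sha512(shared.to_bytes(ELEM_LEN, "big")).digest()[:ss_len]


def hkdf_sha256(ikm, length, info, salt=b""):
    """RFC 5869 HKDF (Extract then Expand) with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(enc_key, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, b"enc" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def wrap(kek, key):
    """Hypothetical stand-in for AES-KW (RFC 3394): HMAC keystream XOR, then an HMAC tag."""
    enc_key, mac_key = kek[:16], kek[16:]
    ct = bytes(a ^ b for a, b in zip(key, _keystream(enc_key, len(key))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]


def unwrap(kek, wrapped):
    enc_key, mac_key = kek[:16], kek[16:]
    ct, tag = wrapped[:-TAG_LEN], wrapped[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped CEK failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def kem_trans_encrypt(pk, ss_len, cek, info=b"KEM-TRANS example"):
    """Sender: KEM encaps, KDF the shared secret down to KEK_LEN, wrap the fixed CEK."""
    ct, ss = kem_encaps(pk, ss_len)
    kek = hkdf_sha256(ss, KEK_LEN, info)     # a 32- or 64-byte ss both become a 32-byte KEK
    return ct, wrap(kek, cek)


def kem_trans_decrypt(sk, ss_len, ct, wrapped_cek, info=b"KEM-TRANS example"):
    """Recipient: decaps, rerun the same KDF, unwrap to recover the CEK."""
    ss = kem_decaps(sk, ct, ss_len)
    return unwrap(hkdf_sha256(ss, KEK_LEN, info), wrapped_cek)


def transport_to_recipients(recipients, cek):
    """One fixed CEK, one (kemCiphertext, wrappedCEK) pair per recipient, as CMS needs."""
    return [kem_trans_encrypt(pk, ss_len, cek) for pk, ss_len in recipients]


def xor_transport(ss, cek):
    """The XOR alternative raised in the meeting: it only works when the shared secret
    is exactly CEK-sized and can be assumed uniformly random over its full length."""
    if len(ss) != len(cek):
        raise ValueError("XOR wrap needs a shared secret exactly as long as the CEK")
    return bytes(a ^ b for a, b in zip(ss, cek))


if __name__ == "__main__":
    cek = secrets.token_bytes(32)                       # constructed sample CEK
    (sk_a, pk_a), (sk_b, pk_b) = kem_keygen(), kem_keygen()
    infos = transport_to_recipients([(pk_a, 32), (pk_b, 64)], cek)  # "256-bit" and "512-bit" KEMs
    assert kem_trans_decrypt(sk_a, 32, *infos[0]) == cek
    assert kem_trans_decrypt(sk_b, 64, *infos[1]) == cek
    print("both recipients recovered the same CEK")
```

The point the KDF step makes concrete: both recipients, one behind a KEM that emits a 32-byte secret and one behind a KEM that emits 64 bytes, end up with the same-sized KEK and unwrap the same CEK, so the wrap algorithm never has to know which KEM was used. The XOR path has no such layer; it silently depends on the KEM's output length and distribution.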
- CMS Algorithms for PQC KEMs (Sean Turner, presented by Mike Ounsworth):
  - A placeholder draft for defining OIDs and encoding schemes for the NIST-selected PQC KEMs was discussed.
  - A participant expressed concern about "opinionated decisions" on key usages within the draft, specifically the prohibition of signing with these keys, preferring to keep key-agreement options open for future NIST developments.
  - The sense of those present was that it would be prudent to await NIST's final selection of PQC KEM algorithms before formally adopting the draft.
- Composite Keys/KEMs (Mike Ounsworth):
  - Updates included merging the "generic" and "explicit" composite key approaches into a single draft and refining the "combiner modes" (AND, OR, ANY, K-of-N, CUSTOM) to clarify their semantics.
  - A significant point of contention was whether policy, such as the k-of-n combiner mode (e.g., "use 3 out of 5 keys"), should be embedded within the public key.
    - For CMS encryption, carrying this policy in the public key was seen as beneficial, since it tells encrypters which key-usage modes are valid for a given recipient.
    - For signatures, however, several participants argued that the verifier should ultimately decide the acceptance policy, not the signer or the CA issuing the key.
  - The k-of-n mode's aim of providing PKI agility against a future break of a PQC algorithm was acknowledged, but questions were raised about its added complexity, potential for implementation errors, and usefulness as verifier policy.
  - The concept of using an algorithm parameter to carry the combiner mode was presented, since k-of-n requires an integer value.
- Hybrid Authentication (Rebecca and Ali):
  - An informational draft formally introduced a framework for hybrid solutions, categorizing them as "composite" (modifying cryptographic structures) or "non-composite" (modifying protocol logic to send multiple, individually formatted certificates/signatures).
  - A companion technical draft proposed a PKI-level binding mechanism to link multiple certificates (e.g., a newly issued PQC cert with an existing traditional cert) for non-composite hybrid authentication.
  - The non-composite approach garnered support for its flexibility, allowing relying parties to process the certificates together or separately based on local policy.
  - However, the explicit binding mechanism in the technical draft raised concerns about its necessity, the potential for "sharp edges" when binding disparate key types or policies, and whether such complexities should be handled at the PKI level or within specific protocols (e.g., IKEv2, TLS).
  - The discussion highlighted that using Extended Key Usage (EKU) in certificates is a common way to indicate protocol applicability.
Decisions and Action Items
- Jonathan volunteered to be the note-taker for the meeting.
- Action Item: Yuri to provide a sketch of his proposed XOR-based key wrap method to the mailing list for further discussion.
- Action Item: Participants are encouraged to continue the debate on the XOR-based key wrap versus the KDF/Wrap approach proposed in the KEM-TRANS draft on the mailing list.
- Action Item: Panos volunteered to initiate a mailing list discussion regarding whether combiner modes (AND/OR/K-of-N) should be encoded in the public key or should be solely a verifier's policy decision.
- Action Item: Rebecca and Ali will continue to incorporate feedback and comments received on their hybrid authentication drafts into a new version.
- Action Item: Florence D will lead an effort to address the terminology challenges surrounding "hybrid" and "dual" in PQC contexts, aiming for a consistent language within IETF documents.
Next Steps
- Discussions on the nuances of KEM-TRANS for CMS, including the choice of KDF and wrap algorithms, will continue on the mailing list.
- The "CMS Algorithms for PQC KEMs" draft will likely remain a placeholder until NIST makes its final selections for PQC KEM algorithms, after which it can be populated and moved forward.
- The outcome of the mailing list discussion on combiner modes in composite public keys will inform future revisions of the composite key and KEM drafts, potentially leading to adjustments in how these policies are conveyed or if they are removed from the public key altogether for certain use cases (e.g., signatures).
- Further development of the hybrid authentication drafts will focus on refining the proposed mechanisms, especially the binding mechanism, based on community feedback to address complexities and edge cases.
- The working group will await the outcome of Florence D's effort to standardize terminology for hybrid solutions.