From 2ca2b985614cdebf3f80919e9b780ca61b58ece5 Mon Sep 17 00:00:00 2001 From: Deirdre Connolly Date: Tue, 17 Sep 2024 10:18:19 -0400 Subject: [PATCH] Update draft-irtf-cfrg-hybrid-kems.md --- draft-irtf-cfrg-hybrid-kems.md | 45 ++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/draft-irtf-cfrg-hybrid-kems.md b/draft-irtf-cfrg-hybrid-kems.md index 78d466a..38ee16d 100644 --- a/draft-irtf-cfrg-hybrid-kems.md +++ b/draft-irtf-cfrg-hybrid-kems.md @@ -33,8 +33,9 @@ informative: --- abstract -TODO Abstract - +This memo defines the security properties and generic techniques to achive hybrid pq/t +key encapsulation mechanisms (KEMs) from post-quantum and traditional component algorithms. +Concrete instatiations of techniques are located in another document. --- middle @@ -42,6 +43,8 @@ TODO Abstract We propose "Hybrid PQ/T Key Encapsulation Mechanisms", which will cover the following. +## Design Goals + (A) Identify which KEM security properties are IETF-relevant, and provide a terse overview of those security properties (eg. IND-CCA, LEAK-BIND-K-PK, HON-BIND-K-CT, etc), as well as security properties unique to hybrid KEMs (component key material reuse between hybrid and non-hybrid uses or 
@@ -65,17 +68,49 @@ These hybrids should be accompanied by pseudocode and test vectors. This list includes two options at the ~128-bit security level (due to current implementation/deployment trends) and one at a higher level. + + + + + + +### Non-iteractive + +These KEMs are a non-interactive means to establish a shared secret. +Using KEMs in place of Diffie-Hellman key exchange can be done in some settings +but not all. + +### Not authenticated + +These KEMs are not _authenticated_. + +## Design Non-Goals + There is demand for other hybrid variants that either use different primitives (RSA, NTRU, Classic McEliece, FrodoKEM), parameters, or that -use a combiner optimized for a specific use case. The DT recommends the -work outlined in (C) is done in a first document, and other use cases -could be covered in subsequent documents. +use a combiner optimized for a specific use case. Other use cases +could be covered in subsequent documents and not included here. # Conventions and Definitions {::boilerplate bcp14-tagged} +# Hybrid KEM Security Properties + +Component KEMs MUST + +# Hybrid KEM Construction Techniques + +Kitchen Sink construction: +- KDF +- label +- + +# Hybrid KEM Instatiations + +See the other document. + # Security Considerations IND-CCA, LEAK-BIND-K-PK, etc, as well as security properties unique to hybrid KEMs (component key
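Review bot: The new abstract text (hunk at `@@ -33,8 +33,9 @@`) has two spelling errors, "achive" and "instatiations", and writes "hybrid pq/t" in lowercase while the introduction a few lines below uses "Hybrid PQ/T". Suggest "achieve", "instantiations", and one consistent casing of "PQ/T". The sentence "Concrete instatiations of techniques are located in another document" would also be easier to act on if it named or cited that document once a reference exists.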
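Review bot: In the hunk at `@@ -42,6 +43,8 @@`, the `## Design Goals` heading lands between the sentence "which will cover the following." and the list item (A) that the sentence introduces, so the lead-in now sits outside the section it describes. Suggest moving the heading above the "We propose" sentence, or rewording that sentence so it no longer points forward across a heading.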
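Review bot: In the hunk at `@@ -65,17 +68,49 @@`, the new "Hybrid KEM Security Properties" section consists of "Component KEMs MUST" with no requirement after it. Because the document pulls in the bcp14-tagged boilerplate, a dangling MUST reads as normative text with nothing to conform to; either complete the sentence or replace it with a TODO marker until the requirement is written. The same applies to the "Kitchen Sink construction" list, which ends in an empty "-" bullet and does not yet say how the KDF and label are combined. The "Not authenticated" subsection states only that the KEMs are not authenticated; one sentence on what the surrounding protocol must therefore provide would make the goal usable. Smaller points: "Non-iteractive" and "Instatiations" are misspelled in the headings, "and not included here" needs a verb ("and are not included here"), and the run of six added blank lines before "### Non-iteractive" can be dropped.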