Dear all,
On 22/08/2022 14:24, Bas Westerbaan wrote:
Here they're speaking about adding non-FIPS PQ to a non-PQ FIPS
kex,[2] but the other way around is also ok — what am I missing?
Let's assume Kyber is FIPS-approved. Indeed, you'll be able to have
a FIPS library with Z generated by Kyber and T generated by X25519
(but not the other way around).
As X25519 is not FIPS-approved, the lab won't be able to test it,
hence you can't declare any security on that scheme. This will be
reflected in the security policy (as a "non-approved algorithm, with
no security claimed"). In theory, X25519 may produce wrong results
and your product still gets FIPS certificate as the algorithm is
security irrelevant. It is similar situation as we have today, but
with Z generated by P-256 and T by Kyber.
What I think is more valuable for those who need FIPS is to be
able to have a hybrid construction in which both algorithms are properly
tested and certified by the FIPS lab.
Also, in that case, Z can be generated by either PQ or non-PQ as
both are FIPS-approved.
I support this. I definitely support adding P256+Kyber512 (or any of the
NIST curves + Kyber). For actual FedRAMP purposes, the most valuable
thing, as Kris says, is to have them both be FIPS approved (and using
a FIPS-certified implementation or submitting it all for FIPS
certification). Even if Kyber becomes FIPS-approved, one will have to
use a FIPS-certified implementation of it in order to be able to claim
the FIPS-approved hybrid approach (and even then it depends how/where it
is used). As far as I know, only the NIST curves are both FIPS approved
and some of their implementations have a certification.
Thank you,
--
Sofía Celi
@claucece
Cryptographic research and implementation at many places, specially Brave.
Chair of hprc at IRTF and anti-fraud at W3C.
Reach me out at: cheren...@riseup.net
Website: https://sofiaceli.com/
3D0B D6E9 4D51 FBC2 CEF7 F004 C835 5EB9 42BF A1D6
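The hybrid construction discussed in this thread feeds two shared secrets, Z from one key exchange and T from the other, into one key derivation. As an added illustration (not code from this thread, from the IETF draft, or from any library mentioned), the Python below implements an HKDF (RFC 5869) combiner over the concatenation Z || T. The byte strings standing in for the Kyber and X25519 outputs are constructed placeholders, the fixed salt and `info` label are assumptions, and the helper names (`hybrid_secret`, `derive_key`) are mine. The last function shows the point made above: a T component that produces garbage still yields a key that depends on Z, which is why no security is claimed on the non-approved half.

```python
import hashlib
import hmac

# HKDF-Extract and HKDF-Expand as specified in RFC 5869 (HMAC-SHA256).
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_secret(z: bytes, t: bytes) -> bytes:
    # Concatenation combiner: Z (approved component) followed by T (auxiliary).
    return z + t


def derive_key(z: bytes, t: bytes, info: bytes = b"hybrid kex example", length: int = 32) -> bytes:
    # Assumed parameters: all-zero 32-byte salt and a fixed info label.
    prk = hkdf_extract(b"\x00" * 32, hybrid_secret(z, t))
    return hkdf_expand(prk, info, length)


# Constructed stand-ins for the two shared secrets; real values would come
# from the Kyber decapsulation and the X25519 scalar multiplication.
Z_KYBER = bytes(range(32))                  # 32-byte placeholder
T_X25519 = bytes((i * 7) % 256 for i in range(32))  # 32-byte placeholder


def key_depends_on_z(z: bytes, t: bytes) -> bool:
    # Even if the non-approved component misbehaves (here: T replaced by zeros),
    # changing Z still changes the derived key, so security rests on Z alone.
    broken_t = b"\x00" * len(t)
    k1 = derive_key(z, broken_t)
    k2 = derive_key(bytes(b ^ 0xFF for b in z), broken_t)
    return k1 != k2


if __name__ == "__main__":
    print(derive_key(Z_KYBER, T_X25519).hex())
    print("key depends on Z even with broken T:", key_depends_on_z(Z_KYBER, T_X25519))
```

Swapping the order to T || Z would still be a valid combiner cryptographically; the order shown only mirrors the thread's convention of calling the approved secret Z.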
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls