On 23/08/2022 01:39, Martin Thomson wrote:
On Tue, Aug 23, 2022, at 00:11, Kris Kwiatkowski wrote:
As X25519 is not FIPS-approved, the lab won't be able to test it,
OK, hypothetical question, but maybe an important one.

Why would a certification lab care?  We compose secrets with non-secrets all 
the time, so even if X25519 were replaced with a public value, as long as Kyber 
is approved, can they not proceed to certify on the basis of the strength of 
the Kyber algorithm and its implementation?

FIPS lab won't care; as I've mentioned, Kyber+x25519 can be certified when Kyber is FIPS-approved. The customers may care. As a FIPS developer, I would like to be able to provide a hybrid construction in which both algorithms are FIPS-approved, so that in case Kyber gets broken, the key exchange is still safe (as per FIPS standards), rather than Kyber gets broken and now you are not FIPS compliant.
Makes sense?


Or, more realistically, maybe the composition method can be approved, just as composing a 
secret with "chickenchickenchicken" can be rendered safe.  That way, composing 
with an arbitrary primitive might be considered safe if the composition method is 
approved.

The composition method is an approved technique, see SP800-56Cr2 (point 2).
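As an added illustration (not code from this thread or from any FIPS module), the SP 800-56C Rev. 2 style composition referred to above: the (EC)DH shared secret Z is concatenated with the auxiliary shared secret T and Z || T is fed into an HKDF-based two-step KDF. The X25519 and Kyber secrets here are constructed stand-in bytes, and the `info` label and the 32-byte component lengths are assumptions for the demo.

```python
import hmac
import hashlib

HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC(salt, IKM); empty salt -> zero block."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    okm, block = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        okm += block
    return okm[:length]


def hybrid_shared_secret(z: bytes, t: bytes, z_len: int = 32, t_len: int = 32) -> bytes:
    """SP 800-56C Rev. 2 hybrid shared secret Z' = Z || T.
    Z is the (EC)DH secret, T the auxiliary (here: Kyber) secret. Both must have
    the agreed fixed length so the concatenation cannot be re-split ambiguously."""
    if len(z) != z_len or len(t) != t_len:
        raise ValueError("hybrid shared secret components must have fixed lengths")
    return z + t


def derive_key(z: bytes, t: bytes, info: bytes, length: int = 32) -> bytes:
    """Two-step KDF over Z || T: extract a PRK, then expand with context info."""
    prk = hkdf_extract(b"", hybrid_shared_secret(z, t))
    return hkdf_expand(prk, info, length)


def demo() -> dict:
    # Constructed stand-ins for the raw shared secrets (NOT real X25519/Kyber output).
    x25519_secret = bytes.fromhex("11" * 32)
    kyber_secret = bytes.fromhex("22" * 32)
    public_filler = bytes(32)  # the "chickenchickenchicken" case: a value everyone knows
    info = b"tls13 hybrid example"  # assumed label
    return {
        "both": derive_key(x25519_secret, kyber_secret, info),
        # Kyber replaced by a public value: the key still depends entirely on X25519.
        "kyber_public": derive_key(x25519_secret, public_filler, info),
        # X25519 replaced by a public value: the key still depends entirely on Kyber.
        "x25519_public": derive_key(public_filler, kyber_secret, info),
    }
```

Because the KDF consumes the whole concatenation, replacing either component with a known value leaves a key that is still a pseudorandom function of the other component, which is the property the certification argument above relies on.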


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls