Yay, patched up OpenSSH interoperates with oqs-openssh and a similarly patched up Golang ssh for ML-KEM768 + X25519 hybrid key exchange
https://github.com/djmdjm/openssh-portable-wip/pull/2
https://github.com/golang/crypto/compare/master...djmdjm:crypto:mlkem768x25519-sha256
OpenSSH using libcrux C extraction, oqs-openssh using reference impl, Golang using the mlkem768 package by @filippo
=> More informations about this toot | More toots from djm@cybervillains.com
@djm awesome! Nicola was just working on a prototype. Happy to land that as soon as you think the wire format is stable.
=> More informations about this toot | More toots from filippo@abyssdomain.expert
@filippo I think it's not likely to change but it's probably best to wait for IANA to assign the final code point for it
=> More informations about this toot | More toots from djm@cybervillains.com
@djm it's an Expert Review registry so no need to wait for the RFC to be published, right?
=> More informations about this toot | More toots from filippo@abyssdomain.expert
@filippo yes, discussion is underway on the (hopefully) soon-to-be IETF SSH WG https://mailarchive.ietf.org/arch/msg/ssh/uwI6sSVOlRaRXUe4qAE-50AZkjQ/
=> More informations about this toot | More toots from djm@cybervillains.com
@djm Did you use X-Wing or another hybrid of the two?
=> More informations about this toot | More toots from kora@chaos.social
@kora no, just a hash combiner. SSH doesn't need any special binding properties from the combiner AFAIK
=> More informations about this toot | More toots from djm@cybervillains.com
@djm X-Wing is not about binding properties, X-Wing is about achieving IND-CCA security without mixing the ML-KEM ciphertext into the hash. Do you mix the x25519 ephemeral public key into the hash or do you leave it out?
=> More informations about this toot | More toots from kora@chaos.social
@kora that's a binding, isn't it?
Anyway, the SSH exchange hash which is used as the ultimate basis of key derivation and server->client auth already does include the public values (https://www.rfc-editor.org/rfc/rfc5656.html#page-8)
One of the other X-Wing authors agrees this construction is fine https://mailarchive.ietf.org/arch/msg/ssh/Or6lYRD2V5cVB-jEuv0Or-0OvGY/
=> More informations about this toot | More toots from djm@cybervillains.com
@djm
> does include the public values
Including the KEM ciphertext?
=> More informations about this toot | More toots from kora@chaos.social
@kora yes, KEM ciphertext and ECDH public key
=> More informations about this toot | More toots from djm@cybervillains.com
@djm Then it's probably fine-ish in practice. The point remains that the combiner you are building is not IND-CCA secure. The reason for this is a subtle quirk of the IND-CCA security game that requires ciphertext collision resistance on the ciphertext. x25519 does not provide that because there are multiple representations of the same EC curve point.
In X-Wing, we also took care to use just one sha3 block, so the performance impact from mixing the PKs should be minimal.
=> More informations about this toot | More toots from kora@chaos.social
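Added example, not code from the thread, from OpenSSH or from the Go package: a textbook RFC 7748 X25519 (not constant-time) plus a simplified model of the two hashes discussed above. The ML-KEM shared secret and ciphertext are constructed stand-ins, and the exchange hash is an assumed simplification that only keeps the property djm describes (it covers the KEM ciphertext and the ECDH public key). It shows the "multiple representations" point: two encodings of one X25519 point give the same combiner output K, but differ once the public value is hashed in.

```python
import hashlib

P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def _decode_u(b: bytes) -> int:
    # RFC 7748 s5: mask bit 255 and reduce mod p, so several 32-byte strings
    # decode to the same field element (the "multiple representations" above).
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248; k[31] = (k[31] & 127) | 64   # clamping
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (not constant-time; illustration only)."""
    k, u = _decode_scalar(scalar), _decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def combine(ss_kem: bytes, ss_ecdh: bytes) -> bytes:
    # Shared-secret-only hash combiner: K = H(K_PQ || K_CL).
    return hashlib.sha256(ss_kem + ss_ecdh).digest()

def exchange_hash(kem_ct: bytes, ecdh_pk: bytes, k: bytes) -> bytes:
    # Simplified stand-in for the SSH exchange hash (assumption): it also
    # covers the public values, i.e. KEM ciphertext and ECDH public key.
    return hashlib.sha256(kem_ct + ecdh_pk + k).digest()

def malleability_demo(client_sk: bytes, server_sk: bytes):
    """Returns (encodings differ, combiner outputs equal, exchange hashes differ)."""
    server_pk = x25519(server_sk, BASE)
    server_pk_alt = server_pk[:31] + bytes([server_pk[31] | 0x80])  # top bit set
    ss_kem, kem_ct = b"\x11" * 32, b"\x22" * 1088   # constructed ML-KEM stand-ins
    k1 = combine(ss_kem, x25519(client_sk, server_pk))
    k2 = combine(ss_kem, x25519(client_sk, server_pk_alt))
    h1 = exchange_hash(kem_ct, server_pk, k1)
    h2 = exchange_hash(kem_ct, server_pk_alt, k2)
    return server_pk != server_pk_alt, k1 == k2, h1 != h2
```

Running `malleability_demo` with any two 32-byte scalars returns `(True, True, True)`: the combiner alone cannot tell the two "ciphertexts" apart, the exchange hash can.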
@djm Not sure what methodology SSH uses to prove the security of its key exchanges, but if there are security analyses, the proofs probably do not cover what's happening here specifically.
=> More informations about this toot | More toots from kora@chaos.social
@djm I'll chat with Deirdre on our internal X-Wing authors channel.
=> More informations about this toot | More toots from kora@chaos.social
@djm @filippo You guys just made all of this up while being under the influence, I suspect.
The "milk'em 768" package. Right.
=> More informations about this toot | More toots from icing@chaos.social