A: A hybrid key-establishment mode—sometimes referred to elsewhere by other names, such as a composite mode—is defined here to be a key-establishment scheme that is a combination of two or more components that are themselves cryptographic key-establishment schemes. The desired property is that keys derived by a hybrid key-establishment scheme remain secure if at least one of the component schemes is secure. The case of interest is when one of the components of the hybrid mode is NIST-approved (for example, a discrete-logarithm-based scheme from NIST SP 800-56A or an integer-factorization scheme from SP 800-56B) and another component is a post-quantum cryptography scheme.
Current NIST standards, which were not necessarily designed to provide post-quantum security, can accommodate several hybrid key-establishment constructions in “FIPS mode,” as defined in FIPS 140. For example, assume that the value Z is a shared secret that was generated within a NIST-approved cryptographic scheme, and that a value T is generated or distributed through one or more other schemes; T could, for instance, be the output of a key encapsulation mechanism (KEM). The following are the ways in which the value T can be incorporated into the key-derivation procedure to achieve a hybrid mode that is permitted by current standards:
1) For any one-step key derivation method that is specified in SP 800-56C, an input defined as SuppPrivInfo can be included in an (optional) FixedInfo field, and T may be included in that field.
2) In any of the key derivation methods specified in SP 800-56C, whether one-step or extraction-then-expansion, the value T may be included in the salt field.
Additionally, NIST plans to incorporate a cleaner, and therefore preferable, hybrid key establishment construction in a future revision of SP 800-56C:
3) In any of the key derivation methods specified in SP 800-56C, the revision would permit a concatenation of Z and T, e.g., Z||T, to serve as the shared secret instead of Z. This would require inserting T into the implementation of the scheme, and the FIPS 140 validation code may need to be modified.
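To make the three placements of T concrete, the following is an added Python example (not NIST's code and not taken from SP 800-56C) that implements the one-step hash-based KDF and the extraction-then-expansion KDF, then derives a 32-byte key with T in SuppPrivInfo, T as the salt, and Z||T as the shared secret. SHA-256, the party identifiers, the constructed Z and T values, and the 4-byte counter and length fields are assumptions.

```python
import hashlib
import hmac

HASH = "sha256"  # assumed auxiliary hash function for both KDF variants

def fixed_info(algorithm_id: bytes, party_u: bytes, party_v: bytes,
               supp_pub: bytes = b"", supp_priv: bytes = b"") -> bytes:
    # SP 800-56C concatenation format: AlgorithmID || PartyUInfo || PartyVInfo
    # {|| SuppPubInfo}{|| SuppPrivInfo}. Option 1 carries T in SuppPrivInfo.
    return algorithm_id + party_u + party_v + supp_pub + supp_priv

def one_step_kdf(z: bytes, info: bytes, out_len: int) -> bytes:
    # One-step KDF, hash variant: K(i) = H(counter || Z || FixedInfo) with a
    # 4-byte big-endian counter starting at 1; output truncated to out_len bytes.
    out, counter = b"", 1
    while len(out) < out_len:
        out += hashlib.new(HASH, counter.to_bytes(4, "big") + z + info).digest()
        counter += 1
    return out[:out_len]

def two_step_kdf(salt: bytes, z: bytes, label: bytes, ctx: bytes, out_len: int) -> bytes:
    # Extraction-then-expansion: KDK = HMAC(salt, Z), then SP 800-108 counter
    # mode K(i) = HMAC(KDK, [i]_2 || Label || 0x00 || Context || [L]_2).
    # A 4-byte counter and a 4-byte L (length in bits) are assumed field widths.
    kdk = hmac.new(salt, z, HASH).digest()
    out, counter = b"", 1
    while len(out) < out_len:
        msg = counter.to_bytes(4, "big") + label + b"\x00" + ctx + (out_len * 8).to_bytes(4, "big")
        out += hmac.new(kdk, msg, HASH).digest()
        counter += 1
    return out[:out_len]

# Constructed placeholders: Z stands in for an approved (e.g. SP 800-56A) shared
# secret and T for a post-quantum KEM output; real values come from the schemes.
Z = bytes(range(32))
T = bytes(range(32, 64))
ALG, U, V = b"AES-256-GCM", b"party-u", b"party-v"

def hybrid_supp_priv_info(z: bytes, t: bytes) -> bytes:
    # Option 1: T goes into the SuppPrivInfo subfield of FixedInfo.
    return one_step_kdf(z, fixed_info(ALG, U, V, supp_priv=t), 32)

def hybrid_salt(z: bytes, t: bytes) -> bytes:
    # Option 2: T serves as the salt of the extraction step.
    return two_step_kdf(t, z, ALG, U + V, 32)

def hybrid_concat(z: bytes, t: bytes) -> bytes:
    # Option 3 (planned revision): Z || T replaces Z as the shared secret.
    return one_step_kdf(z + t, fixed_info(ALG, U, V), 32)
```

Because every option feeds T into the hashed or keyed input, a change in either Z or T changes the derived key, which is the property the hybrid mode relies on.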
A: A dual signature consists of two (or more) signatures on a common message. It may also be known as a hybrid signature or composite signature. We will use the term dual signature below. The verification of the dual signature requires all of the component signatures to be successfully verified.
Assume that in a dual signature, one signature is generated with a NIST-approved signature scheme as specified in FIPS 186, while the other signature(s) may be generated using different schemes, e.g., ones that are not currently specified in NIST standards. Like hybrid key-establishment schemes, dual signatures can be accommodated by current standards in “FIPS mode,” as defined in FIPS 140, provided at least one of the component methods is a properly implemented, NIST-approved signature algorithm. For the purposes of FIPS 140 validation, any signature that is generated by a non-approved component scheme would not be considered a security function, since the NIST-approved component is regarded as assuring the validity of the dual signature. The format of a dual signature is out of scope for FIPS 140 validation. It is up to the application to specify how to parse the component signatures and verify each of them separately.
A: NIST leaves the decision to each specific application as to whether it can afford the implementation cost, performance reduction, and engineering complexity (including proper and independent security review) of a hybrid mode for key establishment or the use of dual signatures. Future experience will help decide whether they can be a useful long-term solution. To assist external parties who desire such a mechanism, NIST will accommodate the use of a hybrid key-establishment mode and dual signatures in FIPS 140 validation when suitably combined with a NIST-approved scheme.