Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "Millions of dollars of hashing")

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 23 February 2024 07:51 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F41AAC14F602 for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 23:51:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLVeiRD5RShO for <cfrg@ietfa.amsl.com>; Thu, 22 Feb 2024 23:51:47 -0800 (PST)
Received: from welho-filter3.welho.com (welho-filter3b.welho.com [83.102.41.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71977C14F5FC for <cfrg@irtf.org>; Thu, 22 Feb 2024 23:51:46 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id CE7E91B2B7 for <cfrg@irtf.org>; Fri, 23 Feb 2024 09:51:43 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id mA1tOvBAElTq for <cfrg@irtf.org>; Fri, 23 Feb 2024 09:51:43 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 8B7067A for <cfrg@irtf.org>; Fri, 23 Feb 2024 09:51:42 +0200 (EET)
Date: Fri, 23 Feb 2024 09:51:42 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Message-ID: <ZdhOjgNWPoBTfqml@LK-Perkele-VII2.locald>
References: <CAEEbLAbRHjJGm-3CQipzW=n40B-b23D6ZxmHN-f3PtVikj5=Cw@mail.gmail.com> <20240222152700.929016.qmail@cr.yp.to> <CAMjbhoUpK7F-H3vqXZbHYpr0S6a_fZrUeoL2SDB6QLp9URL4GA@mail.gmail.com> <CAEEbLAbcJfLwXusFuPN+yaAbSA+ANd_vjhVzSOF5EP4gh2y+3A@mail.gmail.com> <CH0PR11MB5739F5E7010B2A99CF2BD9B09F562@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB57393F6B973FCD8A95E3964E9F562@CH0PR11MB5739.namprd11.prod.outlook.com> <CH0PR11MB5444982518563A35D2AF3A9AC1562@CH0PR11MB5444.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CH0PR11MB5444982518563A35D2AF3A9AC1562@CH0PR11MB5444.namprd11.prod.outlook.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2NMSXNGEM1qLQ7wDnWW4IavrY9c>
Subject: Re: [CFRG] Proposed CFRG hybrid KEM scope (was: "Millions of dollars of hashing")
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Feb 2024 07:51:53 -0000

On Thu, Feb 22, 2024 at 11:01:05PM +0000, Scott Fluhrer (sfluhrer) wrote:
> Here is a thought that occurred to me.
> 
> Suppose we had an existing protocol that used a key exchange (either
> DH or KEM) to generate keys.
> 
> In particular, this protocol performs a DH or KEM operation to
> generate a shared secret S, computed A := I(S) (where I is the
> identity function – why I call that out will be obvious) and then took
> A and used that somehow in its key derivation protocol.  We will also
> assume that this unmodified protocol meets some unspecified security
> goals.
> 
> Now, we take this protocol and make it hybrid; we perform two DH/KEM
> operations which generate two shared secrets S, T, and then we compute
> A := Hash(S, T) (where Hash is a secure hash function), and then took
> A, and used it in the exact same way in its key derivation protocol.
> 
> We will further assume that one of the DH/KEM operations turns out to
> be weak (and to the extent that the attacker can freely control its
> output)
> 
> The obvious question is: does this updated protocol still meet the
> unspecified security requirements?  That is, can replacing the
> identity function I with a hash of the secret along with attacker
> controlled material add a vulnerability to the protocol that wasn’t
> already there?

It can introduce weaknesses that were not already there.

The standard security notion used for this is IND-CCA2:
indistinguishability under adaptive chosen ciphertext attack.

If S and T are outputs of two KEMs that meet IND-CCA2, then Hash(S, T)
still might not meet IND-CCA2.

Turns out there is exactly one way this can happen: If attacker can come
up with another ciphertext for either KEM that still decapsulates to the
same shared secret, then IND-CCA2 security breaks down.

The way to fix this is to add ciphertext for DH and KEMs where such
thing is possible.

Fortunately, turns out that for ML-KEM (FIPS-to-be 203), finding such
ciphertext is equivalent difficulty to 2nd preimage attack against
SHA3-256. Any practical attack complexity would totally destroy SHA-3.

So if ML-KEM is paired with some DH, then only the DH part (which is
very small) of the ciphertext needs to be hashed. If this does not
cause more hash blocks to be needed, this is very cheap thing to do.

Another question is if this failure mode can introduce practical
vulnerability. The answer in most cases seems to be no: Finding another
ciphertext that decapsulates to the same shared secret does not seem to
be anything helpful for an attacker. And in fact, many protocols let
the attacker to trivially do just that.

This is in contrast to single KEMs that fail IND-CCA2. Those failure
modes are usually something very nasty. E.g., being completely broken
or processing malformed ciphertexts leaking the private key.

However, crypto libraries are important consideration. One wants as few
combinations as possible, and more importantly, there not to be
variants. Thus one wants to make the construct to be IND-CCA2 secure.
Frequently this is extremely cheap to do.


Protocols that do very exotic things beyond IND-CCA2 require separate
analyis. The property might turn out to be something that is ruined
by one component not having it. Or it might not propagate through
combiner even if all components have it.

Furthermore, it is much more difficult to find information about
properties of various KEMs beyond IND-CCA2. And such properties can turn
out to be flawed. Recently that happened with signature security
property called NR, turns out there is no way to meet it.




-Ilari