Re: [CFRG] [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 16 April 2024 08:54 UTC

Date: Tue, 16 Apr 2024 11:54:20 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: LAMPS <spasm@ietf.org>, pqc@ietf.org, CFRG <cfrg@irtf.org>
Message-ID: <Zh48vA0FsgalKGws@LK-Perkele-VII2.locald>
In-Reply-To: <CAFR824xB4_Px1sbkRn+yaS2aN-xd1KeN9vxvQoHra4UD0v7ZwA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6pYAgxSjAU3q0oNVGEGyofaA36E>
Subject: Re: [CFRG] [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

On Fri, Apr 12, 2024 at 11:49:47AM -0400, Deirdre Connolly wrote:
> > And with regards to implicit key authentication in base mode, is it a
> > problem if one can make an (enc, ct) pair that decrypts under any of the
> > private keys corresponding to some given set of multiple public keys?
> 
> Set? HPKE encrypts to a single PK. And if you are encrypting to a
> particular PK but your KEM ct (and thus the HPKE payload) is decryptable by
> /any/ decaps key (which the IND-CCA KEM Classic McEliece allows), you have
> lost implicit authentication.
> 
> https://opensourcecryptowork.shop/2024/Going%20Post-Quantum.pdf
> https://www.youtube.com/watch?v=FaC6OuLDMFE&pp=ygUJY2ZyZyBpZXRm

The way I understand "implicit key authentication" is that if the open
call succeeds, then the private key used in that call corresponds to the
public key used in the seal call that produced the message.

Alas, the KEM (jointly) being IND-CCA2, MAL-BIND-K-PK and MAL-BIND-K-CT
does not imply this in HPKE.

And HPKE is better-behaved than the likes of CMS, JOSE and COSE (which are
pretty much typical for the class).




-Ilari
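Added illustration, not code from this thread or from any CMS/HPKE implementation: a constructed toy KEM whose shared secret ignores the key pair, so one ciphertext decapsulates to the same secret under every private key. Deriving the wrapping key from the shared secret alone then lets an untargeted recipient open the message, while a KDF that also takes the ciphertext and the targeted public key does not. It shows what mixing pk and ct into the KDF buys at this level and nothing about the HPKE-level gap discussed above; the `toy_*` functions, `kek_unbound`, `kek_bound` and the info label are assumptions.

```python
import hashlib
import hmac
import os

# Toy KEM, constructed for illustration: the shared secret depends only on the
# ciphertext, so every decapsulation key "accepts" every ciphertext. It models an
# unbound KEM and is not a model of ML-KEM, Classic McEliece or any real scheme.
def toy_keygen() -> tuple[bytes, bytes]:
    sk = os.urandom(32)
    pk = hashlib.sha256(b"toy-pk" + sk).digest()
    return sk, pk

def toy_encap(pk: bytes) -> tuple[bytes, bytes]:
    ct = os.urandom(32)
    return ct, hashlib.sha256(b"toy-ss" + ct).digest()   # ss ignores pk

def toy_decap(sk: bytes, ct: bytes) -> bytes:
    return hashlib.sha256(b"toy-ss" + ct).digest()       # ss ignores sk

def hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869), empty salt, single expand block (L <= 32)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def kek_unbound(ss: bytes) -> bytes:
    # Key-encryption key from the KEM shared secret only.
    return hkdf(ss, b"toy-kem-wrap")

def kek_bound(ss: bytes, ct: bytes, pk: bytes) -> bytes:
    # Mixing ct and the recipient pk into the KDF makes the derived key depend
    # on which public key the sender targeted, whatever the KEM itself binds.
    return hkdf(ss, b"toy-kem-wrap" + ct + pk)

def run_demo() -> dict:
    sk_a, pk_a = toy_keygen()
    sk_b, pk_b = toy_keygen()
    ct, ss_sender = toy_encap(pk_a)             # sender targets recipient A
    ss_a, ss_b = toy_decap(sk_a, ct), toy_decap(sk_b, ct)
    # Each recipient derives with its own pk, as it has no other reference.
    return {
        "kem_ss_same_for_both": ss_a == ss_b == ss_sender,
        "unbound_kek_opens_for_b": kek_unbound(ss_b) == kek_unbound(ss_sender),
        "bound_kek_opens_for_a": kek_bound(ss_a, ct, pk_a) == kek_bound(ss_sender, ct, pk_a),
        "bound_kek_opens_for_b": kek_bound(ss_b, ct, pk_b) == kek_bound(ss_sender, ct, pk_a),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```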