[CFRG] Re: DHKEM binding properties

Peter C <Peter.C@ncsc.gov.uk> Mon, 29 July 2024 13:50 UTC

From: Peter C <Peter.C@ncsc.gov.uk>
To: Deirdre Connolly <durumcrustulum@gmail.com>
CC: CFRG <cfrg@irtf.org>
Date: Mon, 29 Jul 2024 11:15:09 +0000
Subject: [CFRG] Re: DHKEM binding properties
In-Reply-To: <CAFR824zPPm+p1L5zde5smAXuBBZxS+6Psa68povowW85+2PpWQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/BC1bjmlwOzRU_BBhxfyRgWITUdg>

Deirdre,

> > “DHKEM is MAL-BIND-K-CT and MAL-BIND-K-PK secure as analyzed
> > in the symbolic model” and cite Cremers et al (https://ia.cr/2023/1933)

> This was an error from previous slide decks, those properties are modelled
> in Tamarin and tested with several protocols to see if attacks showed up
> when the KEMs used in protocols such as Kyber-AKE have varying binding
> properties. The eprint version seems to be weird (all the previous versions
> are 404'ing?) so I've attached the version I have in my archive as it has lots
> more material, case studies, and short proofs for different KEMs about their
> binding properties (as written, vs as in practice, but still)

Thanks for the clarification and a copy of the earlier version.

> > As specified in RFC 9180, DHKEM is not MAL-BIND-K-PK secure because
> > DHKEM.Decaps recomputes the public key from the private key.  To achieve
> > MAL-BIND-K-PK, I think the public key needs to be provided as input to
> > DHKEM.Decaps and used in the KDF instead of the recomputed

> Fair enough. Either way, we get much stronger BIND properties from the
> default HPKE construction DH-KEM than swapping DH-KEM out for say
> Classic McEliece, which is IND-CCA secure but gets us zero binding to the
> PK, not even HON, and which earlier drafts of HPKE would have protected
> against, but no longer does.

Classic McEliece is not HON-BIND-CT-K or HON-BIND-CT-PK since it is
implicitly rejecting.  It is not HON-BIND-K-PK or HON-BIND-K,CT-PK by
Grubbs et al (https://ia.cr/2021/708).  For one of the parameter sets, it is
not even HON-BIND-K-CT or HON-BIND-K,PK-CT if the implementation
does not check the ciphertext padding bits (see “IND-CCA2 for encodings”
in https://classic.mceliece.org/mceliece-rationale-20221023.pdf).

> Relatedly, depending on how things like Kyber/ML-KEM are implemented and
> used in practice, we may rarely get MAL-BIND security in practice if the encaps
> keys are only partially used in the interior KDF, or other shenanigans (see the
> 'Kemmy Schmidt' note for more fun: https://eprint.iacr.org/2024/523.pdf). We
> may cover ourselves by including everything in the higher protocol key schedule
> anyway (like TLS 1.3) but in HPKE we don't do that. LEAK-BIND may be sufficient
> and achievable in practice for general KEM usages but since HPKE is supposed
> to be a pretty bulletproof building block (and basically is for DH-KEM) it would be
> even nicer to change HPKE to be as bulletproof for other KEM cipher suites, or
> whatever action actually results in users getting security in deployments without
> having to do this bespoke analysis themselves every time.

Again, I think any MAL-BIND-P-Q claims need to be interpreted very carefully as
they can work in a very different way to their HON- or LEAK- counterparts.  For
example, Cremers et al dismiss X-BIND-PK,CT-K on the basis that “if Decaps is
deterministic, this is trivially true”, but that only holds for HON- and LEAK-.  An
implicitly rejecting KEM will not be MAL-BIND-PK,CT-K if malformed public keys
can be used to cause decapsulation failures.

Peter
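An added illustration of the point made in this thread about DHKEM.Decaps recomputing the public key from the private key (this is example code written for this archive page, not code from RFC 9180, from the message's author, or from any of the cited papers). It builds a toy DHKEM over the multiplicative group modulo a Mersenne prime with a simplified extract-and-expand, then contrasts a Decaps that derives `pk(sk)` internally with a variant that takes `pk` as an explicit input and binds the supplied value in the KDF. The group, the KDF labels and the fixed secret values are constructed assumptions for the demo; a real deployment would use the groups and labelled HKDF of RFC 9180. The check is a sanity test of the MAL-BIND-K-PK failure mode, not a proof that the variant satisfies the property.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for this example: multiplicative group mod the Mersenne
# prime 2^127 - 1 with generator 5.  RFC 9180 DHKEM uses X25519, X448 or NIST curves.
P = (1 << 127) - 1
G = 5
NPK = 16  # bytes in a serialized group element


def serialize(x: int) -> bytes:
    return x.to_bytes(NPK, "big")


def deserialize(b: bytes) -> int:
    x = int.from_bytes(b, "big")
    if not 1 < x < P:  # reject 0, 1 and out-of-range encodings
        raise ValueError("invalid group element")
    return x


def pk_from_sk(sk: int) -> int:
    return pow(G, sk, P)


def gen_keypair(sk: int = 0):
    """sk=0 means draw a fresh secret; a fixed sk is used for repeatable demos."""
    sk = sk if sk else secrets.randbelow(P - 2) + 1
    return sk, pk_from_sk(sk)


def extract_and_expand(dh: bytes, kem_context: bytes) -> bytes:
    # Simplified stand-in for RFC 9180 LabeledExtract/LabeledExpand (assumed labels).
    prk = hmac.new(b"toy-dhkem-eae_prk", dh, hashlib.sha256).digest()
    return hmac.new(prk, kem_context + b"shared_secret\x01", hashlib.sha256).digest()


def encap(pk_r: int, sk_e: int = 0):
    sk_e, pk_e = gen_keypair(sk_e)
    dh = serialize(pow(pk_r, sk_e, P))
    enc = serialize(pk_e)
    kem_context = enc + serialize(pk_r)  # encap binds the recipient pk it was given
    return extract_and_expand(dh, kem_context), enc


def decap_recomputed_pk(enc: bytes, sk_r: int, pk_r: int) -> bytes:
    """Decaps in the RFC 9180 style: pk_r is ignored and recomputed from sk_r."""
    pk_e = deserialize(enc)
    dh = serialize(pow(pk_e, sk_r, P))
    kem_context = enc + serialize(pk_from_sk(sk_r))
    return extract_and_expand(dh, kem_context)


def decap_supplied_pk(enc: bytes, sk_r: int, pk_r: int) -> bytes:
    """Variant discussed in the thread: the caller's pk_r is bound into the KDF."""
    pk_e = deserialize(enc)
    dh = serialize(pow(pk_e, sk_r, P))
    kem_context = enc + serialize(pk_r)
    return extract_and_expand(dh, kem_context)


def roundtrip_ok() -> bool:
    """Both Decaps variants agree with Encap for an honestly generated key pair."""
    sk, pk = gen_keypair(123456789)
    ss, enc = encap(pk, sk_e=424242)
    return decap_recomputed_pk(enc, sk, pk) == ss and decap_supplied_pk(enc, sk, pk) == ss


def binds_k_to_pk(decap) -> bool:
    """MAL setting: the key pair is adversarially chosen and need not be consistent.

    Returns True if two distinct public keys paired with the same secret yield
    different keys from one ciphertext; False exposes the MAL-BIND-K-PK break
    (same K, different PK)."""
    sk, pk_honest = gen_keypair(123456789)
    pk_bogus = pk_from_sk(987654321)  # unrelated public key, deliberately inconsistent with sk
    assert pk_bogus != pk_honest
    _, enc = encap(pk_honest, sk_e=424242)
    k_honest = decap(enc, sk, pk_honest)
    k_bogus = decap(enc, sk, pk_bogus)
    return k_honest != k_bogus


if __name__ == "__main__":
    print("round trip:", roundtrip_ok())
    print("recomputed-pk Decaps binds K to PK:", binds_k_to_pk(decap_recomputed_pk))
    print("supplied-pk Decaps binds K to PK:", binds_k_to_pk(decap_supplied_pk))
```

The recomputed-pk variant returns the same shared secret for `(sk, pk_honest)` and `(sk, pk_bogus)`, which is exactly the pair of key pairs and single ciphertext that a MAL-BIND-K-PK adversary needs; the supplied-pk variant separates them because the differing `pk` changes `kem_context`. The demo also keeps the ephemeral element check in `deserialize`, since the thread's second point (malformed keys driving decapsulation failures in implicitly rejecting KEMs) is the kind of input a Decaps should reject explicitly rather than silently absorb.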