Re: [CFRG] ML-KEM for HPKE
Karthik Bhargavan <karthik.bhargavan@gmail.com> Fri, 05 April 2024 14:23 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDA7EC15152D for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2024 07:23:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l_jlOT0mVrXQ for <cfrg@ietfa.amsl.com>; Fri, 5 Apr 2024 07:23:02 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C19EC15108D for <cfrg@irtf.org>; Fri, 5 Apr 2024 07:23:02 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id 5614622812f47-3c5d9bec755so717208b6e.2 for <cfrg@irtf.org>; Fri, 05 Apr 2024 07:23:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712326981; x=1712931781; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8LTIjSKvJRkJtb8aYrMB4apBpTgVSm0/MZFNNlgm04o=; b=Ik8DbEQR+u/8i80+fuLev+1I+BKfiocVQeiriJFEtVcANhJLdhNzz/yGyWbdX4Vnkc pI/ZZULj/kLpQvR3PRHV4iIH0XeGxtyqadv25X5sjrgNcwZP+tcMlzdxnMw66P95DtZp kJBwyyWZabGkf4JL28U0RBXsWHq1vFe08Waac4uSKCXnfYiHYZEVLHjwIcrjXfg5IHb8 d/Fh2y7t+uhT38tczWjttFFLtIhjAQm/MlQbYgPr1mAFTRtP3ZrVrbCj8LSTN/d+IIO9 Om/xFchoo1nZBUdzktIAy0qqX9K06QAgU2Sy4b9FW0jFscpn//6/RmTTju8jYZGzFlmK 7PHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712326981; x=1712931781; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8LTIjSKvJRkJtb8aYrMB4apBpTgVSm0/MZFNNlgm04o=; b=wT70zb2HaeESM+/tyCfSdTW3efqq0RIlb0f8JKROHCUdP6tfAndj2E62xDAFHoS2x0 3JR7AQQyPUzWLRsibELhkRq8hYCLeABYKVs4+SHLLepuINvY/KgEpnJwmOO7AgYMe1oe G2HX1fgBPMljjdhgmejuNTJsiB6q3dOQOv9Dcj3A9LEf05eulRbS7nxuB/HzDq8Nffm7 ZJ2tImQms/tbhnVObUJK72unDCt5qQQ8jCfSTlgqNEPLGTKbUAMErE1YeTPnNPBPJtRO eM8ZWPe1R/0UTV2bx4/iFEaSRbtV+2MsfsQVSOP3ustkAt2DMkwFvhF9e5ep5RDFej65 aqXw==
X-Gm-Message-State: AOJu0YyNIgJ8ZsOeDnuQY2WIcQIA8Kc4Pz9FfBToGdVgECDbaG4+Jiv2 1eLIoCdyNbDpMaz/2Gih3KbhxpfiP5rN8RwUs+hQSMMKaLcRm2UMu1Qqh8Si68acfcn5C47Df+K jR9bSinly1AMy+eGuYZ7s0qYgMQk=
X-Google-Smtp-Source: AGHT+IETBi4QFiyadAQL945Vb0p9av8T+PXaQ3lX5ZCg+1MlSfbnt9FFZyDHxFxdT3/X88oMW8bsYOKNmBFzZQueR7Q=
X-Received: by 2002:a54:4587:0:b0:3c4:2f37:f158 with SMTP id z7-20020a544587000000b003c42f37f158mr1671870oib.30.1712326981109; Fri, 05 Apr 2024 07:23:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824x=_z1O=kqWWnt1wQ2X3A4BJ+BG4wK1fDfPtZCJij8yvw@mail.gmail.com> <CAN8C-_+kOw==h7JYLc2-n0akPnc-sYLmN5Tn1grM2GDpTL05fw@mail.gmail.com> <ZehuFmGuVpIHfCLU@LK-Perkele-VII2.locald> <CAFR824xwYn3dkGwLoTJMXMKWdGDVUpDu2hpUfXZ8umoq7F=j1Q@mail.gmail.com> <Ze3iAZ16tab7YnBt@LK-Perkele-VII2.locald>
In-Reply-To: <Ze3iAZ16tab7YnBt@LK-Perkele-VII2.locald>
From: Karthik Bhargavan <karthik.bhargavan@gmail.com>
Date: Fri, 05 Apr 2024 16:23:06 +0200
Message-ID: <CA+_8ft7OS5a2=mTFZubisXXdG6Q4jP32G8gjXWAzV_3ZGcC=CQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: CFRG <cfrg@irtf.org>, Bruno Blanchet <bruno.blanchet@inria.fr>, Benjamin Lipp <blipp@benjaminlipp.de>
Content-Type: multipart/alternative; boundary="00000000000072d0fe06155a319d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/G8Z3IdrR_KU8XZQRRb8NCC_HHYs>
Subject: Re: [CFRG] ML-KEM for HPKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 14:23:07 -0000
Dear All, Bruno Blanchet recently did a new analysis [2] of the base mode of HPKE that updates Benjamin Lipp's original analysis in [1]. I am summarizing his results here. Recall that [1] proves the security of HPKE base mode when using DH-KEM, under the assumption that the underlying DH construction obeys GapDH. In the new proof, Bruno models the base mode of HPKE, single shot API in CryptoVerif, and showed that if the KEM is IND-CCA2, then so is HPKE. Since CryptoVerif is PQ-sound, that proves the security of the HPKE base mode, with the single shot API when the KEM is a post-quantum IND-CCA2 KEM. Bruno also shows that the DHKEM in non-authenticated mode is IND-CCA2, which, together with the previous result, proves the security of the HPKE base mode, with the single shot API and the DH-KEM. In summary, this proof shows that HPKE with ML-KEM (or any other IND-CCA2 KEM) does provide IND-CCA2 security. The question then becomes: what other properties would we like to have for HPKE when using these KEMs? Best, Karthik [1] https://eprint.iacr.org/2020/243 [2] https://gitlab.inria.fr/bblanche/CryptoVerif/-/blob/crypto-library-pq-version/examples/hpke/hpke.base.indcca2.ocv?ref_type=heads On Sun, Mar 10, 2024 at 5:38 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Wed, Mar 06, 2024 at 12:23:48PM -0500, Deirdre Connolly wrote: > > > > > > According to the HPKE RFC, it has been proven that if using DHKem > > > (over suitably strong group), then HPKE does satisfy its security > > > goals. > > > > > > However, according to HPKE RFC, it has not been shown that HPKE > > > satisfies its security goals for any non-DHKem. However: > > > > > > - Such proof might have appeared later. > > > - HPKE RFC conjunctures that it is sufficient for the KEM part to be > > > IND-CCA2 for HPKE to satisfy its security goals. And it would be very > > > surprising for this to be false. > > > > > > This is fair. ML-KEM and the wrapped variant I describe in the document > > (basically Kyber) fulfill the explicit requirements for IND-CCA2 security > > of the underlying HPKE KEMs. The binding properties > > <https://eprint.iacr.org/2023/1933.pdf> referenced had not been > formalized > > when HPKE was designed and analyzed - now that they have, and > > DHKEM analyzed to provide MAL-BIND-K-PK and MAL-BIND-K-CT security, the > > goal is to align with these implicit properties in a new FIPS-compatible > PQ > > ciphersuite so as not to downgrade from all the other HPKE ciphersuite > > binding properties 'accidentally'. If HPKE had committed to the KEM > > ciphertext and public key independent of the KEM actually being used, > then > > there would be nothing to do here, but it uses the raw shared secret from > > the ciphersuite KEM and knows nothing else about the KEM beyond that. > > The binding properties of KEMs are irrelevant for any HPKE user. What > matters is the properties HPKE gives. And not all KEM properties pass to > HPKE in any way. > > For instance, preventing messages from decrypting under two keys is only > possible if KEM is explicitly-rejecting. It is impossible for any > implicitly-rejecting KEM. And since HPKE already has implicitly- > rejecting KEMs, it can not be HPKE security property. > > Furthermore, it is extremely risky to rely on any HPKE properties beyond > the documented ones. > > I think that before any such property is treated as a goal (as opposed > to non-goal or even anti-goal), one would have to at least conjecture > (preferably prove) how such properties pass to HPKE as whole and update > the HPKE RFC. > > > > The goal is to align with existing instances of HPKE ciphersuites in both > > explicit properties and now these implicit properties that we understand > > better, so we diverge as little as possible, while providing PQ security > in > > a FIPS/CNSA 2.0¹-compatible way, with minimal complexity. > > Even without that extra KDF step, there is still re-encapsulation > resistance, which translates to re-encryption resistance in PSK mode > (base mode trivially can not resist re-encryption): > > If the KDF is secure and PSK is unknown (otherwise re-encryption > resistance trivially fails), the outputs for different KEM shared > secrets are pseudorandom and uncomputable. Therefore the attacker must > match the resulting shared secret. > > As the sender is honest (otherwise there is no security), with > overwhelming probability the the ciphertext is honest (w.r.t. key M). > > Coming up with dishonest ML-KEM ciphertext (with respect to any key) > that decapsulates to the same shared secret as previous is at least > as hard as second preimage attack against SHA3-256 (because the cases > are context-separated). > > Coming up with honest ML-KEM ciphertext (w.r.t. key B) that decapsulates > to the same shared secret as previous requires G(m|H(M))=G(m'|H(B)). > There are two ways to satisfy this: > > - H(M)=H(B) and m=m'. Since M and B are different, this is at least > as hard as SHA3-256 collision attack. > - m'|H(B) is 2nd preimage of m|H(M). This is at least as hard as > SHA3-256 second preimage attack. > > The first requires incompetent adversary (should just retain B and > not bother with all this). And no incopetent adversary can ever be > strictly more dangerous than the most dangerous competent adversary. > > Therefore for any competent adversary, re-encapsulation is at least as > hard as second preimage attack against SHA3-256, and thus re-encryption > in HPKE PSK mode is at least as hard as second preimage attack against > SHA3-256. > > > I think more general version of the previous statement is that if the > KEM is IND-CCA2 and LEAK-BIND-K-PK, then HPKE in PSK mode resists re- > encryption. I think all current HPKE KEMs do provide this. > > Of course, stronger assumptions from KEM might lead to even stronger > properties from HPKE. However, I already view relying on this thing as > a red flag. Any such additional properties would be even bigger red > flags. > > The extra KDF step has significant complexity cost. Especially given > that ML-KEM internally uses SHA-3, and that KDF step is based on SHA-2. > > > > > -Ilari > > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://mailman.irtf.org/mailman/listinfo/cfrg >
- [CFRG] ML-KEM for HPKE Deirdre Connolly
- Re: [CFRG] ML-KEM for HPKE Orie Steele
- Re: [CFRG] ML-KEM for HPKE Watson Ladd
- Re: [CFRG] ML-KEM for HPKE Orie Steele
- Re: [CFRG] ML-KEM for HPKE Ilari Liusvaara
- Re: [CFRG] ML-KEM for HPKE Deirdre Connolly
- Re: [CFRG] ML-KEM for HPKE Ilari Liusvaara
- Re: [CFRG] ML-KEM for HPKE Karthik Bhargavan