[CFRG] DHKEM binding properties
Peter C <Peter.C@ncsc.gov.uk> Fri, 26 July 2024 16:07 UTC
To: Deirdre Connolly <durumcrustulum@gmail.com>
CC: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/IZWA5zTYb-3Qzpeut0LAA4kfVYI>
Deirdre,

I was going back through the slide deck for your HPKEv2 talk yesterday and wanted to check something from the backup slides. When discussing DHKEM's binding properties (slides 28-32) you say that "DHKEM is MAL-BIND-K-CT and MAL-BIND-K-PK secure as analyzed in the symbolic model" and cite Cremers et al. (https://ia.cr/2023/1933). I can't find that claim in the paper. Was it in an earlier version? As far as I can tell, the final version only claims LEAK-BIND-P-Q properties for DHKEM (appendix D, table 5). For some reason, the IACR archive seems to have purged the previous versions.

In any case, I think MAL-BIND-P-Q claims need to be interpreted very carefully. The paper changes the usual KEM.Decaps API to block what they describe as trivial attacks (see section 4.1), so they are not necessarily modelling real-world KEM usage. As specified in RFC 9180, DHKEM is not MAL-BIND-K-PK secure because DHKEM.Decaps recomputes the public key from the private key. To achieve MAL-BIND-K-PK, I think the public key needs to be provided as input to DHKEM.Decaps and used in the KDF instead of the recomputed key.

Best,

Peter

Peter Campbell
Technical Director Industry Liaison and International Standards
peter.c@ncsc.gov.uk
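The API difference the message turns on, as an added example that is not part of the message, the paper or RFC 9180's own code: a toy DHKEM over a small finite-field group (an assumed, insecure group with a placeholder kem_id, chosen only so it runs without dependencies) with RFC 9180's Decaps, which recomputes pkR from skR, beside the variant the message proposes, where pkR is an input and enters the KDF as supplied. The function names are this example's own.

```python
import hashlib, hmac, secrets

# Toy finite-field DH group for illustration only (NOT secure parameters):
# p = 2^127-1, g = 5, group elements serialised as 16 big-endian bytes.
P, G, NPK = (1 << 127) - 1, 5, 16
SUITE_ID = b"KEM\xff\xff"  # placeholder kem_id for this toy group (assumption)

def hkdf_expand(prk, info, length):
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

def extract_and_expand(dh, kem_context):
    # RFC 9180 LabeledExtract / LabeledExpand with the "eae_prk" and "shared_secret" labels.
    eae_prk = hmac.new(b"", b"HPKE-v1" + SUITE_ID + b"eae_prk" + dh, hashlib.sha256).digest()
    info = (32).to_bytes(2, "big") + b"HPKE-v1" + SUITE_ID + b"shared_secret" + kem_context
    return hkdf_expand(eae_prk, info, 32)

def generate_key_pair():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P).to_bytes(NPK, "big")

def encap(pkR):
    skE, enc = generate_key_pair()
    dh = pow(int.from_bytes(pkR, "big"), skE, P).to_bytes(NPK, "big")
    return extract_and_expand(dh, enc + pkR), enc

def decap_rfc9180(enc, skR):
    # As in RFC 9180: no pk input; pkR is recomputed from skR, so K depends on (skR, enc) alone.
    dh = pow(int.from_bytes(enc, "big"), skR, P).to_bytes(NPK, "big")
    pkR = pow(G, skR, P).to_bytes(NPK, "big")
    return extract_and_expand(dh, enc + pkR)

def decap_pk_bound(enc, skR, pkR):
    # Variant suggested in the message: the caller supplies pkR and it enters the KDF as given.
    dh = pow(int.from_bytes(enc, "big"), skR, P).to_bytes(NPK, "big")
    return extract_and_expand(dh, enc + pkR)

def binding_check():
    skR, pkR = generate_key_pair()
    shared, enc = encap(pkR)
    _, pk_other = generate_key_pair()  # a different public key presented alongside the same skR
    return {
        "both_decaps_match_encap": decap_rfc9180(enc, skR) == shared == decap_pk_bound(enc, skR, pkR),
        # Supplying another pk with the same (skR, enc) changes K; RFC 9180 Decaps cannot express this.
        "pk_bound_differs_for_other_pk": decap_pk_bound(enc, skR, pk_other) != shared,
    }
```

The cost of the pk-bound form is that the receiver must be handed the public key that actually matches skR, or the shared secret will not agree with the sender's; that mismatch is exactly the binding the recomputing form cannot provide.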