[CFRG] Re: DHKEM binding properties

"D. J. Bernstein" <djb@cr.yp.to> Tue, 30 July 2024 14:42 UTC

Date: Tue, 30 Jul 2024 14:42:09 -0000
Message-ID: <20240730144209.822105.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CABdrxL4iTV5U4MntAL1qnyNRcdWpK_NLL6bWQ4S3NbuqM49T3w@mail.gmail.com>
Subject: [CFRG] Re: DHKEM binding properties
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/usk2zMfvVJbus6Jeyun7j84PFuI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>

Cas Cremers writes:
> Also, if we were to redesign KEMs with what we know now, we would
> probably only recommend explicitly rejecting KEMs.

Please clarify. Who's "we", what is the information that "we know now",
when did this information appear, and what is the evidence that "we
would probably" abandon implicit rejection given this information?

On a technical level, how does this information override (1) the fact
that various deployed post-quantum KEMs such as NTRU-HRSS would be
broken by fast chosen-ciphertext attacks if they abandoned implicit
rejection, and (2) the easy theorem that implicit rejection cannot have
lower IND-CCA2 security than explicit rejection does?

I'd appreciate an answer that avoids the new MALEFICENT-BINDS-VOLDEMORT
jargon. Any actual attack should be something that can be explained with
a convincing jargon-free example.

The reason I'm already confused by "we" is that the phrase "if we were
to redesign KEMs with what we know now" sounds like it's talking about
people who designed KEMs earlier, whereas other parts of the message
sound like they're talking about the authors of eprint 2023/1933.

---D. J. Bernstein
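Editor's note on the implicit-versus-explicit rejection point above. The following is an added example; it is not part of the message and not code from D. J. Bernstein or any deployed KEM. It builds a toy FO-style KEM (deterministic ElGamal-like PKE over a 127-bit Mersenne prime, far too small to be secure; every name, parameter and domain-separation tag is an assumption chosen for illustration) and exposes the one place where the two rejection styles differ: on an invalid ciphertext, `decaps_explicit` returns `None` (an observable failure bit for a chosen-ciphertext attacker), while `decaps_implicit` returns a pseudorandom key derived from a secret seed and the ciphertext. `simulate_implicit` is the reduction step behind the "easy theorem": anyone who can attack the implicit-rejection variant can be run against the explicit-rejection variant, with the simulator filling in rejections from its own PRF key.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, not a real standard): a 127-bit Mersenne prime
# and a small generator.  Only the decapsulation logic is the point here.
P = 2**127 - 1
G = 3
MSG_LEN = 16   # bytes of the encapsulated seed m
ELEM_LEN = 16  # bytes of a group element (P < 2**128)


def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256 over length-prefixed parts."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen():
    x = secrets.randbelow(P - 2) + 1          # private exponent in [1, P-2]
    pk = pow(G, x, P).to_bytes(ELEM_LEN, "big")
    s = secrets.token_bytes(32)               # implicit-rejection secret seed
    return {"x": x, "s": s, "pk": pk}, pk


def _encrypt(pk: bytes, m: bytes) -> bytes:
    """Deterministic PKE: randomness r is derived from m and pk, so the
    decapsulator can re-encrypt and compare (the FO re-encryption check)."""
    y = int.from_bytes(pk, "big")
    r = int.from_bytes(H(b"G", m, pk), "big") % (P - 1)
    u = pow(G, r, P)
    mask = H(b"mask", pow(y, r, P).to_bytes(ELEM_LEN, "big"))[:MSG_LEN]
    return u.to_bytes(ELEM_LEN, "big") + xor(m, mask)


def encaps(pk: bytes):
    m = secrets.token_bytes(MSG_LEN)
    c = _encrypt(pk, m)
    return c, H(b"K", m, c)


def _decrypt_and_check(sk, c: bytes):
    """Return m if c is exactly Enc(pk, m) for some m, else None."""
    if len(c) != ELEM_LEN + MSG_LEN:
        return None
    u = int.from_bytes(c[:ELEM_LEN], "big")
    if not 1 <= u < P:
        return None
    mask = H(b"mask", pow(u, sk["x"], P).to_bytes(ELEM_LEN, "big"))[:MSG_LEN]
    m = xor(c[ELEM_LEN:], mask)
    if not hmac.compare_digest(_encrypt(sk["pk"], m), c):
        return None
    return m


def decaps_explicit(sk, c: bytes):
    """Explicit rejection: an invalid ciphertext yields a visible failure."""
    m = _decrypt_and_check(sk, c)
    return None if m is None else H(b"K", m, c)


def decaps_implicit(sk, c: bytes) -> bytes:
    """Implicit rejection: an invalid ciphertext yields PRF(s, c), which an
    attacker without s cannot tell apart from a genuine shared key."""
    m = _decrypt_and_check(sk, c)
    if m is None:
        return H(b"reject", sk["s"], c)
    return H(b"K", m, c)


def simulate_implicit(explicit_oracle, z: bytes, c: bytes) -> bytes:
    """Simulator used in the reduction: answers implicit-rejection decaps
    queries using only an explicit-rejection oracle plus its own PRF key z.
    Since s and z are both unknown to the adversary, the two views match."""
    k = explicit_oracle(c)
    return H(b"reject", z, c) if k is None else k


def tamper(c: bytes, byte_index: int = ELEM_LEN, bit_mask: int = 0x01) -> bytes:
    """Chosen-ciphertext mauling: flip one bit of c."""
    out = bytearray(c)
    out[byte_index] ^= bit_mask
    return bytes(out)
```

Running `decaps_explicit` on a tampered ciphertext returns `None`, which is exactly the failure signal a decryption-failure oracle attack feeds on; `decaps_implicit` on the same input returns a fixed pseudorandom key instead, so the attacker sees 32 bytes either way. The simulator shows why the implicit variant cannot be weaker than the explicit one: any distinguisher against it works against the explicit variant with the simulator in between, up to the PRF advantage of `H(b"reject", key, c)`.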