[CFRG] Re: DHKEM binding properties

Peter C <Peter.C@ncsc.gov.uk> Tue, 30 July 2024 10:49 UTC

Return-Path: <Peter.C@ncsc.gov.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD0D4C151076 for <cfrg@ietfa.amsl.com>; Tue, 30 Jul 2024 03:49:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.708
X-Spam-Level:
X-Spam-Status: No, score=-7.708 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.453, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ep3FBf9zttYu for <cfrg@ietfa.amsl.com>; Tue, 30 Jul 2024 03:49:23 -0700 (PDT)
Received: from GBR01-LO4-obe.outbound.protection.outlook.com (mail-lo4gbr01on20600.outbound.protection.outlook.com [IPv6:2a01:111:f403:261a::600]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA6D4C14F749 for <cfrg@irtf.org>; Tue, 30 Jul 2024 03:49:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pkbZd2MoiPdhoNOCQ7qXaQgVgW3FLjljYWCSuRf46dRXRpW38aA+KkkfVgsv/pOMbgUx3M4QsMUeKxnl7uLamg0GujYzVU7jS8UVUlfC2OvG7Yahtk2Tmr7oMf56J559j0gPJoznxRwVasUX7ICymqkf2ArSixS9VuS6ex29pibWz0FZKPmURA2MU6eMwKTKluO0KW8KDh7PQscZdTiechW9Tkwa47GIpuXYq6KVhq/Xq3lysrtlkcA1wE68D3q07IJJXWPTI8V5rZGR3zvdVMKMN4g2ZJzAGebyuyaaejadVbKCxjZ2viCL5qhlQcY0T0bldsfnFpDiZiUyYSODzg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DL3hJbfOKYV9M4nZjavt6P7Jej/BLCBek6jPgs69iJg=; b=kGIu4giTpZ6+pMFwNMvr+NUnCU9oi7awImPDSyqoh1fQBhqq5bWe0ZbrU+tACQNMjGFeUnuMPUf0u1uChfDcc/XN+qync8oDnWpAt9zSysIV9rc1beRb5lWNoZftTta46wzhzWTydqeUEhNTAsQXQxJeBb4/aWhd24nmiRKXZYxJebVOWZE/qkHLJFoBJy8cS2KEQF+xq6qmYkuwFJ2XL2licRKv9ZVtgAmIpfDuNal8guZocgG1Nhk9f5NElorjIsBLgALO0GOzR77aeDVn89zltg45wlIkJOn2uDDs6YWjPSLQd8aRXwY7EaQdaB1phSUhC42HVXpTNRUfRYq0yA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DL3hJbfOKYV9M4nZjavt6P7Jej/BLCBek6jPgs69iJg=; b=XfId2fHW1aHllAq1WYmWjtjXy8ArFc7d0cT4BmMex5jTwclP117UAxNU8ghWlH0/D6gYOHuMkt/1Qw+P7+TzrkAGGCM5TcgxpdqC+a1nNcYrjhyalQ+TvZ1UHog+F3H6PeBtAK/bQ5VtQh4E+gzn6gidSDgacN6hvDeeOZgSIEDnRXqvJE4+xdwJJDvhZgpkzc+ws8nuWuJpa7SalqsYXhv3ju4nHN8XOA9UjHlS4PA480veI4eAGLofUniyqGO7cjR65t36Nrfg1jPzygcBOEbX8i5sFOM/dGInsrOXL5SjS9Ucz1UDvDwvSI7x6rrjvlJtzi6qWyPPDpgBnoSP9g==
Received: from LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:31d::15) by LO2P123MB4048.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:179::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7807.30; Tue, 30 Jul 2024 10:49:15 +0000
Received: from LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM ([fe80::b9d:11d:61c5:dba0]) by LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM ([fe80::b9d:11d:61c5:dba0%4]) with mapi id 15.20.7807.026; Tue, 30 Jul 2024 10:49:15 +0000
From: Peter C <Peter.C@ncsc.gov.uk>
To: Cas Cremers <cas.cremers@gmail.com>
Thread-Topic: [CFRG] Re: DHKEM binding properties
Thread-Index: AdrfcxnSwc0Lh5NwSDSFLO2heNwQFgAz5suAAFZgxzAACyw6AAAnsFAQ
Date: Tue, 30 Jul 2024 10:49:15 +0000
Message-ID: <LO2P123MB7051B207CAB5FB0B268802EDBCB02@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
References: <LO2P123MB7051522D421F4E6C05173615BCB42@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <CAFR824zPPm+p1L5zde5smAXuBBZxS+6Psa68povowW85+2PpWQ@mail.gmail.com> <LO2P123MB7051EC6EB4D58E3228BAD5C2BCB72@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <CABdrxL4iTV5U4MntAL1qnyNRcdWpK_NLL6bWQ4S3NbuqM49T3w@mail.gmail.com>
In-Reply-To: <CABdrxL4iTV5U4MntAL1qnyNRcdWpK_NLL6bWQ4S3NbuqM49T3w@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ncsc.gov.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LO2P123MB7051:EE_|LO2P123MB4048:EE_
x-ms-office365-filtering-correlation-id: 28134d7d-bf1b-4c6c-1f90-08dcb0854164
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|1800799024|4022899009|366016|38070700018;
x-microsoft-antispam-message-info: 0bUALFicEtg2j9Exj85RuyLFbUqi1nLIKqTUfZd3uQ/6dx+ZvPkpXqDGezhBUxj/x+uyYUVfKwN85+LO3kPpgUnhQeIyM1Ge4k/dj4fAzOEKe1XvJ4dL2DjIuFdU0PHHwF+fFTHIuJPwfZqUXVns+hjflSQinYxJFENXcgjA3quf3lACMEs+yvB6spKOzacIwudXLEB2UebqpBIKZJ9PtoU+C11UnvOdiEX+Lj8H11vrZuNM0Onj/oZ54nHLupIYyAJFJdhNwdVwC3vl7s3RubwAoyTjOAxcnKF/j0ba5D6qYe0Wil/xitOGpkY5a90ly/Ct7ddTERfbu6J0h9FXAFUsWm4zFENX8nucM+wrFtzm5Gu2Pre4O9sUhG5hzaJI8cAGBcVhDyyt5Jmh4VAAsli22q6IGH1gzfn0Zv89JbV1YookZb1IH+XEn2LIB59IzSBe6vYdRNz/77IZogPuqT/G85GEtYPmcBi9qf73zIZHs5PiNsfRYpSdWW6mfii7D0fD1m5yzV9guJRsuW6nxrS/25Z2pKTBHSBB7durIZ125kX7tlilh1ej04bXeenvb4qdzFK9x3raOxg6UMfcu285SjzaVY/7SxYCFKoca8HF6riG6EkNuqKS32mB1nqe4CfDR0JzFsfcem5Tq0h4XkKALQe3uIZP7HU8xERlQs8zlqb1SMCnWbeeW6blQee38TFiB+93UfmMa969ZTpVJiLWU75BLaAwJEByxWmj+S7rJmHl1pM78E6aWTh3QHyI5IjEhR5v3XJnAX6rXCZkwVLMLtGgbcrviLLxd+nVC5DibiezkfdLKYzDXYv36TjirFMIlmiKQ/cBl+i9tHd22Gf14ikkDEtGMyK27of8kHKgcs6i0sypSBff436hVS6BONqFVP6bCg9U/DNFi17MFV66cKKTc/aSwZkFSE/8xZMBvWIGa+NUdjPYQMQ7CrQSr8yGcUcNd918vYRumqlP0gUmrZS2q2aHQSxJJKMud+7KELOxA8rJ0CxevB8OCawqwo9ISUicgYPfw8uNMWN2GNUs6tY2W7WC6Q+gJxe6b0mP5KH2GDmrnORexscujz5nbKLIyVRZieQkVCZF61lo8GYfIWomytpaoD4ARAS00tZeZugTvXi0Ub2AKxE+372EJ/s9XjvQn4on60yGCsfKi6BWv2076V5PK5PbmNByXWEwK2CjZHtOn7giAQB14CqqqBQG2BIdy9SKTpq4agEzBaGMvpiQBdZ0csLu6YfauBmGPSyZz4djol4vlMYLynlH9FyV4Kqagf7X72ErcBjA0o6ZUTErc2P46BZt4V2llLJzY5Sioc1NrVxIfedQvlVFWMH7yHVzY0bOJ5DLDd2YT5agiNhh44PbzwFv/go6wjk=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(4022899009)(366016)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: iA+2ahx2ZjEV8BVboJCf+gEZO3rTDT4YJwqdwOJpk1MT1VN+DpaF8TKiaiJge8TzF0aC+OIbHQU4l05FX+6B8IiokUa7QHDyOUv7aBEKLNxPMwr7eoA6xp0yt79zUp3aIn8mbeWpqjqvMSZ5j1EJzeuameqtUhk5lrFzUgt9VPZBgQpqbIOTvfezB7e2ZOfpmzof41kZKrD9LUWd9kNm1pY8nRGqyyvliI1ghaackRGv+XIa+PyXmbxwZWoxiDjXn+pPV/IAK/ChNP9zXhO4+IrTDHdqD3/36twUW+FlyjZaIwOUz8lJkuRhBfb6vkX4mL0n5/xP2iozzK1HpiQkZjAHx2uLpDKmuxvsu/QkBgMJ72Qpx05t+eXxHRSiJ95XRjHs46Eaz0V2arR/ViKc8S1zC1oo0rqTZTUuqgoYSFjPcCMxVeuxOGFGsPlkUDtCXIdn6rDt0o3ss6HnI6Zu/zPSYeeoERIoqg28yV1X0TQJryjT1+4wou+uIG6uh9VlXnE/J1m88pyLbWHOwqx3wtNlyJK8vnMv1ydLUNeDF2sx5J/CNBiwXq5yez+gOTmFLvm8nanrOGVDdvHk0tzLOEuNGJJF/Z1FcFAucLaNu3804zqf4pK1cjEhnmWWylO1e4wAhvPSMfz/o+EQhVnOEFcTmQDEKGf2BwDH2EPU/gAm5gpSXqyOjP8+0NoAkSZoTzn+vI8CNSelxUl5w3IMkFqJvuOYLprUQf8ULpq+PTLht3xxP0vr6aKMl/ySXwPVXl1KljMZV+DJzJ0mckgDlGKZIHzxpemisWamA1IbiwUYzSIKCg8UrqkpFML8QzGZskuZr8ECmmnmgBE7//1MGRqXvuyXQc5wzK6k0hb4XvLQShXeuqQ6WqNcaFsXR8wpGhVtren0SnDM23Ng9+FPULhEkzft7b1JXq8pUdr81zSfhzbwMoq3oHa/IWAty/U+2TrLyCc+ueXp+3sqyr0PzBI+7TMshPw0crXc4AgJ0f241HD/UGTsj/fDAqr2HZLB8kP57kihARQh7RkKD0zYeu6mtHvxn+cKUYgsLuHOfO321lHZ6euCWIh0mHhnF1dkE3jeC/vyUHWBfkwJbmvWSSDVbwE47uaLA2KyphT2gJj+oRSqEkTUhBmuRZvQU9XUOWDznrevDvwPKgYvlvJeHTXFPeyHnTOc3L0uvdmx+cP9MJ1ZUHNDCegH81vE0X5MMZVhDs2hbOrhl7XO087GMh88q88guqtsifZ4wdD8cIzj/2/4NgDVJlvkfErsP1maAu5u0YYwpRiBy6XIlSmfq+xa3+5kZDxsfP0dLsxM/M3uL+2D0hgzJRKt2Wufj/kwr7l/qHCf2u8yCvlT3+yhvBppf04JSFXF4aVAvKsUT8wI4OANaNSaLBrueW7c/llTqIU6CneKCMnVjtX6qv6iO5PaEZJyaJa99fNUhvQQytMLiSijauFj/uEh0l4/lh7z0JXuE9hN7u0j0QNi+NKKXuoCD72Df7F6ScvSJbrDK5WE/troTdG1Mf7KA+sCrIfP3vMbw+eth3kJGc32mazspK8FznhxOykYaApBEPCJLdROOpBQEE+qiDZZvpVb/EvU
Content-Type: multipart/alternative; boundary="_000_LO2P123MB7051B207CAB5FB0B268802EDBCB02LO2P123MB7051GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 28134d7d-bf1b-4c6c-1f90-08dcb0854164
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jul 2024 10:49:15.3768 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mfm67HR4teycECAUn0elbucVJM2/4nh7v1tqv/YFY22QxiTpQcPd0EzMtSDvF+WXlYy95bjvtIsThFiSDc2SxA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P123MB4048
Message-ID-Hash: ET2QLPUN5KZNNLG6BQXE3IIICLALGDGS
X-Message-ID-Hash: ET2QLPUN5KZNNLG6BQXE3IIICLALGDGS
X-MailFrom: Peter.C@ncsc.gov.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-cfrg.irtf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: CFRG <cfrg@irtf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [CFRG] Re: DHKEM binding properties
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/zQ7F1VcN4I7_jPK_IeZE6b7V_10>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Owner: <mailto:cfrg-owner@irtf.org>
List-Post: <mailto:cfrg@irtf.org>
List-Subscribe: <mailto:cfrg-join@irtf.org>
List-Unsubscribe: <mailto:cfrg-leave@irtf.org>

Cas,

Sorry, I should have said ‘avoid’ rather than ‘block’.  That was poor word choice on my part.

While I agree that the private key will often contain a copy of the public key, some of the discussion around KEM combiners in lamps suggested that this may not always be the case with existing deployments of traditional algorithms, at least for very constrained devices.

I think the point I’m trying to make is that by defining the API in this way you are ruling out the possibility of a malformed key pair where the public key that the sender sees does not match the public key contained in the recipient’s private key.  If it’s outside the scope of the intended binding notion, or if it’s captured by a different binding notion, that’s fine.  However, I’m perfectly happy with the idea that some combinations of adversary and security property cannot be achieved in practice.  LEAK-IND-CCA2?

Peter

PS I’m not sure what was wrong with the IACR ePrint server, but I was getting the same 404 errors as Deirdre for the older versions of the paper.  It’s be fine now.


From: Cas Cremers <cas.cremers@gmail.com>
Sent: Monday, July 29, 2024 4:07 PM
To: Peter C <Peter.C@ncsc.gov.uk>
Cc: Deirdre Connolly <durumcrustulum@gmail.com>; CFRG <cfrg@irtf.org>
Subject: Re: [CFRG] Re: DHKEM binding properties

You don't often get email from cas.cremers@gmail.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
Hi Peter,

while you directed the email to Deirdre, we think it may be a good point to chime in here as the original authors of https://eprint.iacr.org/2023/1933:

TL;DR: Yes, DH-KEM is probably not MAL secure. This is not because of an API mismatch but because it does not explicitly check for well-formed key material. Our API models real-world KEM usage. The ‘trivial attacks’ we ‘block’ in our paper are degenerate cases in our properties, we will update the wording.

Let us first address some points, before going to the API.
1. Deirdre's Slides: Checking Deirdre's backup slides, there seem to be some relics from earlier talks. We no longer conjecture MAL properties but provide a proof for LEAK in the ROM (for DH-KEM and other KEMs).
2. Previous Paper Versions: We've checked, and the previous versions of the paper are available to us on IACR as expected: https://eprint.iacr.org/archive/versions/2023/1933

MAL-Binding and API Choices
We agree that MAL claims need careful interpretation. As mentioned, we no longer conjecture these properties for any KEM implementation. This change is not due to our API choice differing from the real-world API, but because these properties can only be achieved if the KEM implementation verifies the well-formedness of the supplied key material. For example, a KEM implementation might check whether the hash of the public key stored inside the secret key is correct. Without these checks, a MAL adversary could alter the stored hash to break binding. More details can be found in Section 3 of [this paper](https://eprint.iacr.org/2024/523.pdf).

Next, we will elaborate on our API choices, why they differ from the real-world API, and why we believe this is necessary.

Let’s recall the intuition behind our binding properties:
Given a shared secret, a public key, or a ciphertext, two KEM operations which use (or result in) this value, should with overwhelming probability also produce equal values for one (or more) of the other parameters. Note, that we did not include the private key here, as during a KEM exchange, only one of the parties knows the private key.
As an example, given a shared secret, any two KEM operations that result in this shared secret must also agree on the used public key. In our paper, this property is called X-K-PK, where X can be different threat models.

If we now want to formally write down such a property, we have to refer to the public key of a KEM. However, the previous KEM.Decaps API does not allow us to do this because the public key does not appear in it – even though KEM.Decaps uses the public key internally. This is only possible because in the real-world the public key (or a hash of it) is usually stored inside of the secret key.
To allow us to formally state properties which include the public key over KEM.Decaps, we thus added the public key to the KEM.Decaps API. We want to stress that this is only a syntactic change which we believe to be necessary to state our properties.

First, we acknowledge that 'trivial attacks' was a poor word choice (originating in crypto literature tradition). The ‘trivial attacks’ we ‘block’ are not actual attacks, but ‘degenerate’ cases in our property definition that would lead to a property which is not achievable for any KEM. Any changes we made to the real-world API, and assumptions we placed on it were only made to formally write down our properties. We believe our API models real-world KEM usage and we will update the eprint with better wording.
Additionally, our API changes alone do not 'block' any behavior. The behavior is 'blocked' by our assumption that the KEM.Decaps algorithm uses the explicitly supplied public key instead of extracting it from the secret key. This assumption is necessary; without it, our binding properties depend on a parameter that might never be used, resulting in a useless, unachievable property for any KEM.

Dismissing X-BIND-PK, CT-K
You correctly note that our dismissal X-BIND-PK, CT-K is not justified for implicitly rejecting KEMs in the context of MAL. This is an artifact of an earlier version, as pointed out to us previously by Dennis Jackson. Our next eprint update will fix this.

Of course, ideally, our binding properties would be independent of the API choice. If we were to redesign the KEM API from scratch, we would probably neither use the academic definitions nor the current real-world APIs, all of which have their drawbacks. Also, if we were to redesign KEMs with what we know now, we would probably only recommend explicitly rejecting KEMs.

Best regards,

Niklas, Alex, and Cas


On Mon, Jul 29, 2024 at 3:51 PM Peter C <Peter.C=40ncsc.gov.uk@dmarc.ietf.org<mailto:40ncsc.gov.uk@dmarc.ietf.org>> wrote:
Deirdre,

> > DHKEM is MAL-BIND-K-CT and MAL-BIND-K-PK secure as analyzed
> > in the symbolic model” and cite Cremers et al (https://ia.cr/2023/1933)

> This was an error from previous slide decks, those properties are modelled
> in Tamarin and tested with several protocols to see if attacks showed up
> when the KEMs used in protocols such as Kyber-AKE have varying binding
> properties. The eprint version seems to be weird (all the previous versions
> are 404'ing?) so I've attached the version I have in my archive as it has lots
> more material, case studies, and short proofs for different KEMs about their
> binding properties (as written, vs as in practice, but still)

Thanks for the clarification and a copy of the earlier version.

> > As specified in RFC 9180, DHKEM is not MAL-BIND-K-PK secure because
> > DHKEM.Decaps recomputes the public key from the private key.  To achieve
> > MAL-BIND-K-PK, I think the public key needs to be provided as input to
> > DHKEM.Decaps and used in the KDF instead of the recomputed

> Fair enough. Either way, we get much stronger BIND properties from the
> default HPKE construction DH-KEM than swapping DH-KEM out for say
> Classic McEliece, which is IND-CCA secure but gets us zero binding to the
> PK, not even HON, and which earlier drafts of HPKE would have protected
> against, but no longer does.

Classic McEliece is not HON-BIND-CT-K or HON-BIND-CT-PK since it is
implicitly rejecting.  It is not HON -BIND-K-PK or HON -BIND-K, CT-PK by
Grubbs et al (https://ia.cr/2021/708)  For one of the parameter sets, it is
not even HON-BIND-K-CT or HON-BIND-K, PK-CT if the implementation
does not check the ciphertext padding bits (see “IND-CCA2 for encodings”
in https://classic.mceliece.org/mceliece-rationale-20221023.pdf)

> Relatedly, depending on how thing like Kyber/ML-KEM are implemented and
> used in practice, we may rarely get MAL-BIND security in practice if the encaps
> keys are only partially used in the interior KDF, or other shenanigans (see the
> 'Kemmy Schmidt' note for more fun: https://eprint.iacr.org/2024/523.pdf) We
> may cover ourselves by including everything in the higher protocol key schedule
> anyway (like TLS 1.3) but in HPKE we don't do that. LEAK-BIND may be sufficient
> and achievable in practice for general KEM usages but since HPKE is supposed
> to be a pretty bulletproof building block (and basically is for DH-KEM) it would be
> even nicer to change HPKE to be as bulletproof for other KEM cipher suites, or
> whatever action actually results in users getting security in deployments without
> having to do this bespoke analyst themselves every time.

Again, I think any MAL-BIND-P-Q claims need to be interpreted very carefully as
they can work in a very different way to their HON- or LEAK- counterparts.  For
example, Cremers et al dismiss X-BIND-PK, CT-K on the basis that “if Decaps is
deterministic, this is trivally true”, but that only holds for HON- and LEAK-.  An
implicitly rejecting KEM will not be MAL-BIND-PK, CT-K if malformed public keys
can be used to cause decapsulation failures.

Peter


_______________________________________________
CFRG mailing list -- cfrg@irtf.org<mailto:cfrg@irtf.org>
To unsubscribe send an email to cfrg-leave@irtf.org<mailto:cfrg-leave@irtf.org>