IETF Logo Mail Archive

Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

Deirdre Connolly <durumcrustulum@gmail.com> Fri, 12 April 2024 13:45 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C384C14F614; Fri, 12 Apr 2024 06:45:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.844
X-Spam-Level:
X-Spam-Status: No, score=-1.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydVjyLTiVkhS; Fri, 12 Apr 2024 06:45:45 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD8AFC14F5F9; Fri, 12 Apr 2024 06:45:45 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-56e6646d78bso1002655a12.1; Fri, 12 Apr 2024 06:45:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712929543; x=1713534343; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=39W64EvPntcyuWpLAtrdZ7eIZ3sfiv3Gxugt6iAu5ww=; b=RKAPtQ64IQd2d/NrfaMVmZXNxg0MhW8s6dcQSNpRyBCVfIM8jBXIBNeGU/xgF6NzDG olFC3lmAW5tOGR9qc9UfU3BD+Bd+eC7+KVjA/4k90ZW+Q5DOnD5pkU3hR0sFNaQp+07n OLuUqzNh++Z9/diAi9DOYKfvv37wd4J0nOEd43Qy2fOghGUwY/sSuHXBFuzOE4109tp0 sjOoTqEanooJPhcHOiKoQvWfgUtJlH3Zhtz1+4YK60uu2NjZrdZG/+LJAGVc2nNCxDW3 taHKPSXiEyLXS+UZGS5ZjIqM+EnMMi1j6DYpDvQQNuyoQczZ8MxuhyeNvQW3z8Oo3cay dWQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712929543; x=1713534343; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=39W64EvPntcyuWpLAtrdZ7eIZ3sfiv3Gxugt6iAu5ww=; b=mUXCSUK6dbloQ4cHIiyNT/gcvG9HIe5lQkXFy2Gwpu3Yp3uVjqLhKlN8GwNEWoVdQN 6g88qPvd+WjcKlu5RsI0ksLOzEybCGY4lfW5v3tgZ/jw74ZNtXmX7X2zoZ0CuQNGF2uB ENLmMuhTOfs/QtxpiFACYKiIPBhexJa3i+FsyHADSA7qGAZno288CA+4w1v1TRAPaeqw 66OcLWiwccUYUeRLoRKmtPqtaXLBSeAUQKQeOyP56kgosHlsfmazMiwyXorokB1nPSN3 vma2bzXr5gIo0GXVMmKnBjXwj9JjlqgtCJ/vxnqGe83Y4DXPpUoSKs+zUjipIpT3svfG s6Ig==
X-Forwarded-Encrypted: i=1; AJvYcCV9DRU+0Yzwl9EmQ72o07IJeK+8uEylW0Glm9XQG+5+UP0n/XSNRanUqiYkws/4FbpvOq6Ap+2io+Ya/Cera9uN8L82xkHpuXmR5NI+
X-Gm-Message-State: AOJu0Yz8nnW/MWDkrCagDhPgc4kB0aaqFdzkbAlSpPAULv5mMFP8Bmzr XzFP3/fjoMZ7/TP4/hp9Uk1pF2hpXWHhAHEPKyNKrU1bBq7MY+ISifEekjGTd+6yqOk5+GhGUfL 0XVt23w5x18yGpUPEAEqUqAwY+mI=
X-Google-Smtp-Source: AGHT+IFYnYW/pVVAgCrS1GRCTG/BguA77BWs6uZlBd4glGvp48Mj0+XOmO1uewFAmNMKaaBlpVM4qAr1v3I1F/2WAiM=
X-Received: by 2002:a50:871a:0:b0:56e:3072:3cb4 with SMTP id i26-20020a50871a000000b0056e30723cb4mr2122698edb.22.1712929543132; Fri, 12 Apr 2024 06:45:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com> <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com> <353.1712925244@obiwan.sandelman.ca> <CAEEbLAaTfnTK_BqaPmU=FfQ4MqO=KzfWnDT=QWL5=560LQ5PiQ@mail.gmail.com>
In-Reply-To: <CAEEbLAaTfnTK_BqaPmU=FfQ4MqO=KzfWnDT=QWL5=560LQ5PiQ@mail.gmail.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Fri, 12 Apr 2024 09:45:30 -0400
Message-ID: <CAFR824wdsQ6F_jQWAYVCRyTeGKfT6rcMPinAcbUYaB42g=O-dw@mail.gmail.com>
To: Sophie Schmieg <sschmieg@google.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>, pqc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f1a03f0615e67c79"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/Lj7_Yx_TLJPvT3f5er_ZSSA6EfU>
Subject: Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 13:45:49 -0000

Yes, ideally if FIPS 203 does what NIST says they intend, regarding the key
seed, then all of this is moot. Currently the draft as written allows the
LEAK binding of PK and CT and is weak enough to mitigate. If they change it
correctly, all of this is moot and I'll be very glad 🤞🤞🤞

On Fri, Apr 12, 2024, 9:35 AM Sophie Schmieg <sschmieg@google.com> wrote:

> The binding situation of ML-KEM are actually quite good: As long as the
> private key is not mal-formed, it is robust against any misbinding (it is
> MAL-BIND-K-CT and MAL-BIND-K-PK if the attacker has to give a seed that
> produces the private key). In other words, the only misbinding properties
> it has require the protocol to involve revealing a private key or accepting
> private keys from third parties. I consider that to be very strong
> misbinding guarantees. Compare and contrast with RSA-KEM or ECIES without
> hashed in ephemeral public keys, neither of which have HON-BIND-K-CT, and
> in the case of RSA-KEM not even HON-BIND-K-PK (ECIES without hashing public
> keys does not have MAL-BIND-K-PK).
>
> I do think just using the shared secret of ML-KEM is fine in almost all
> protocols, and protocols using KEMs that are not currently secure against
> misbinding will even get an upgrade.
>
> On Fri, Apr 12, 2024 at 8:34 AM Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
>
>>
>> Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
>>     > I still would like to see an analysis of whether the PK is always
>> available
>>     > at decryption time. I would like to hear from smartcard, HSM, IoT,
>> TPM type
>>     > people about whether it's fair to assume that the CMS / JOSE / COSE
>> / etc
>>     > layer of a decryption routine will have access to the public key at
>>     > decryption time, or whether that will force some folks into awkward
>>
>> It's not an argument that one sees at all levels of API today, but I
>> think it
>> could be added.
>>
>>     > re-architecturing exercises. For example, if someone has a TPM
>> architecture
>>     > where only the wrapped private key is stored locally (cause why
>> would you
>>     > ever need to encrypt for yourself?), then I could see that being an
>> annoying
>>     > architecture change to also keep the public key. On the other hand,
>> ML-KEM
>>     > is greenfield, so maybe it's ok to say "When ML-KEM; your private
>> key object
>>     > MUST contain the public key".
>>
>> +1
>>
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting
>> )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>>
>>
>>
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>
>
>
> --
>
> Sophie Schmieg | Information Security Engineer | ISE Crypto |
> sschmieg@google.com
>
>

v2.23.0 | Report a Bug | By Email