Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

[Ilari Liusvaara <ilariliusvaara@welho.com>]

On Fri, Apr 12, 2024 at 10:17:01AM -0400, Deirdre Connolly wrote:
> > The only new thing is draft-connolly-cfrg-hpke-mlkem proposing adding
> > some extra hashing to KEM because it does not consider IND-CCA2 to be
> > enough (there is now proof that IND-CCA2 is enough).
> 
> To match IND-CCA2 security of HPKE alone. There is evidence that the MAL-
> bindings of DHKEM are actually desired security properties of HPKE that
> came 'for free' in all the original formal analysis of HPKE, and that it
> was a unfortunate mistake to not build into HPKE as part of the KeySchedule
> vs purely inside DHKEM (it fixed DHKEM's IND-CCA security, but). There is
> remaining work to do but, beyond matching DHKEM's MAL binding properties
> because variance of expectations isn't great, I wouldn't be surprised if we
> find that HPKE KEMs require X-BIND-K-PK to get implicit key authentication
> in base mode, which seems table-stakes.

At least with HPKE one can not do that "replace recipient" thingy, but
how would MAL-bindings of KEM manifest at HPKE level (or the
corresponding LEAK-bindings if there are no malicious keys)?

I think auth and authPSK modes are pretty much exclusive to DHKEM. And I
think there was some might-be-useful property for PSK mode that needed
LEAK-BIND-K-PK.

Regarding unfortunate mistakes, I consider it unfortunate that HPKE does
not combine KEM and KDF. Right now, for each KEM there is at most one
sane KDF.

And with regards to implicit key authentication in base mode, is it a
problem if one can make a (enc, ct) pair that decrypts under any of
private keys corresponding to some given set of multiple public keys?




-Ilari