IETF Logo Mail Archive

Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?

Sophie Schmieg <sschmieg@google.com> Fri, 12 April 2024 13:35 UTC

Return-Path: <sschmieg@google.com>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F8AC14F6AD for <pqc@ietfa.amsl.com>; Fri, 12 Apr 2024 06:35:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.597
X-Spam-Level:
X-Spam-Status: No, score=-17.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYeFMVmWCdjj for <pqc@ietfa.amsl.com>; Fri, 12 Apr 2024 06:35:39 -0700 (PDT)
Received: from mail-oi1-x22c.google.com (mail-oi1-x22c.google.com [IPv6:2607:f8b0:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A8A9C14F6AC for <pqc@ietf.org>; Fri, 12 Apr 2024 06:35:39 -0700 (PDT)
Received: by mail-oi1-x22c.google.com with SMTP id 5614622812f47-3c397193878so513644b6e.3 for <pqc@ietf.org>; Fri, 12 Apr 2024 06:35:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1712928938; x=1713533738; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FaTAzahThoinI775jUJQf0MSB6HZnnE1nNxes2439Uc=; b=AbndUDg1T/elMW2lzZIyrR6IcyWiTavJJcghxPIALCtrhlR7eqdoaAltujn+JNi/Cp xvSe+4RJwrwyA5wFlkfijYuy/t37QY/PUWphY04DgiNT1P32G2ZjA9Z4uqynzd8J5XaL ICQ4l/RWSM89mcO3t4Vt+vGX2S4ra96lkE+sInHDEPuhfe3a237/XWry/eImB36C0jRW orWaFr6WGbq+BS2J0RmCg/H0hXxqhgJJpvzz/f4Xbl8ypSFI124DWXib5e84h68lLLDm /ZwLjW0DgVlVq6t238JQPooK6OGkluXranqUKbjFzliI0c5Nvl9cVfMAQlWWRWdqDdPQ vVzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712928938; x=1713533738; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FaTAzahThoinI775jUJQf0MSB6HZnnE1nNxes2439Uc=; b=GRfpa/kLr0CYXdCdylpWK6k5su3n63HnTuzXt0pFpuIbOty1zaCnFk6wVMZxRhlbr2 8ZZWkY4Toy20Nmnjo4xaiVLfdYnpAUVruX3WpqDivK2SrfL/6J03T/+xjjOqI6MsW5jA cevQpV74lMz687PpA2Qj/Vjx4SNbsoWzU8fjklzpiWc6dPMDpkU6mUfAt0YsHdbW/jJY WGiopWJUgqNitK+NqvxFc7hNnZmcLVmPdgzN86j5EJWVIoRyL8/08wlAkp+7SgZ3d0te FILrhPnm+C4Ff86ZwdPgHosDm+W9FIwcO1ARuD9wAop4cwommk2Ridp/eszwaCofiVcw EK8g==
X-Forwarded-Encrypted: i=1; AJvYcCVn4zCyoIq4BOI3ylAUnYOns+Pv/HHG4e7kx404CC5TP+Klv3SUnvUezh2r22flrjJTWJcj2vGInmLDtNo=
X-Gm-Message-State: AOJu0YxbPSrT8KKHGe3SWMS9iSxwWz/EruAnxjaz0jw198jGKSLuwpe1 IbwzkujNI554zCqIvRiRuNu7Uf/OVH5lZ2JvnfXeVker5lg4eWZZ5f2JWC3LHvM+f3i/xKif/Jt hoiH3gtDk/bhx3t4uY/1YTkzKGY3KRor+1x4f
X-Google-Smtp-Source: AGHT+IGIvSpbB6AUK+TSepZjjwfhQsxWWABMGKgsFco736f02Q+ND0IxLa7ceITXzbwV9KcD7yzw/5LMO26UtUlSj7k=
X-Received: by 2002:a05:6808:3085:b0:3c6:11c9:d6ea with SMTP id bl5-20020a056808308500b003c611c9d6eamr3353883oib.5.1712928936747; Fri, 12 Apr 2024 06:35:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com> <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com> <353.1712925244@obiwan.sandelman.ca>
In-Reply-To: <353.1712925244@obiwan.sandelman.ca>
From: Sophie Schmieg <sschmieg@google.com>
Date: Fri, 12 Apr 2024 09:35:21 -0400
Message-ID: <CAEEbLAaTfnTK_BqaPmU=FfQ4MqO=KzfWnDT=QWL5=560LQ5PiQ@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Deirdre Connolly <durumcrustulum@gmail.com>, LAMPS <spasm@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cd8ef20615e65862"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/X2Sl6j1_nw6kC82CoyF55l---LI>
Subject: Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 13:35:39 -0000

The binding situation of ML-KEM are actually quite good: As long as the
private key is not mal-formed, it is robust against any misbinding (it is
MAL-BIND-K-CT and MAL-BIND-K-PK if the attacker has to give a seed that
produces the private key). In other words, the only misbinding properties
it has require the protocol to involve revealing a private key or accepting
private keys from third parties. I consider that to be very strong
misbinding guarantees. Compare and contrast with RSA-KEM or ECIES without
hashed in ephemeral public keys, neither of which have HON-BIND-K-CT, and
in the case of RSA-KEM not even HON-BIND-K-PK (ECIES without hashing public
keys does not have MAL-BIND-K-PK).

I do think just using the shared secret of ML-KEM is fine in almost all
protocols, and protocols using KEMs that are not currently secure against
misbinding will even get an upgrade.

On Fri, Apr 12, 2024 at 8:34 AM Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Mike Ounsworth <Mike.Ounsworth=40entrust.com@dmarc.ietf.org> wrote:
>     > I still would like to see an analysis of whether the PK is always
> available
>     > at decryption time. I would like to hear from smartcard, HSM, IoT,
> TPM type
>     > people about whether it's fair to assume that the CMS / JOSE / COSE
> / etc
>     > layer of a decryption routine will have access to the public key at
>     > decryption time, or whether that will force some folks into awkward
>
> It's not an argument that one sees at all levels of API today, but I think
> it
> could be added.
>
>     > re-architecturing exercises. For example, if someone has a TPM
> architecture
>     > where only the wrapped private key is stored locally (cause why
> would you
>     > ever need to encrypt for yourself?), then I could see that being an
> annoying
>     > architecture change to also keep the public key. On the other hand,
> ML-KEM
>     > is greenfield, so maybe it's ok to say "When ML-KEM; your private
> key object
>     > MUST contain the public key".
>
> +1
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>


-- 

Sophie Schmieg | Information Security Engineer | ISE Crypto |
sschmieg@google.com

v2.23.0 | Report a Bug | By Email