Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: include PK and CT in the KDF?
Deirdre Connolly <durumcrustulum@gmail.com> Thu, 11 April 2024 22:11 UTC
Return-Path: <neried7@gmail.com>
X-Original-To: pqc@ietfa.amsl.com
Delivered-To: pqc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01A2DC14F6BD; Thu, 11 Apr 2024 15:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.843
X-Spam-Level:
X-Spam-Status: No, score=-1.843 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2PprCRn_8Tj; Thu, 11 Apr 2024 15:10:57 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B552AC14F6B7; Thu, 11 Apr 2024 15:10:57 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-56e136cbcecso328362a12.3; Thu, 11 Apr 2024 15:10:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712873456; x=1713478256; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=X/h6IlxUPWV4MKs4EbpUS3b/QGsCD5ILEhlEHT7Dbz8=; b=YhB0ieQjsWLzwQdQkdqCLu0VDx0SaFfuAIZ0Gbf7QfEKFcNGJR6zhWeg7URjCwg5IT TUij7Ekll9C9oLB5cGyLKSK9izlT7NB7c+Cv2vaaS2gtW+2PWTvgw/NvZSdtua2SR62Z qTrTQdJ45RXk17Wv9cC/s0khRvJ6l8Qi866xIH0X5nvyDOwljU9iY2zMeQR5UwLBoewV RZ6x/xwdjcdk5MKjjLnvJ/wqZpQje+eTR8KlOdvAtr17inmhxQu+3iNgClevHvq1EgbU vLvm/6/opfP6nnPbiqu/yZ0oEm4N/9nIEsbpdCPqBso0ehF27yrlXIyh6BY4QT3zMOQ4 QL/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712873456; x=1713478256; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=X/h6IlxUPWV4MKs4EbpUS3b/QGsCD5ILEhlEHT7Dbz8=; b=unpC3eJv8gAjuwKdyriDJvnLzy1OC2qPALXqRwy6F9BUvDKFJTlnBBOLDZZPFd3Vmf 2lq1bpw5bUzE40CHf01Ee2Y/0Bt3ITEYKl3EbEmMurDTc6Ch6rrfoNsz0/HQmhyyBNNM iRbpl7qVv6069ejCq5KfZO5b8i4NBEE4xGsil+y3q358+yYhWoGftxvULHDkoaVKNIBd QzltbsXfWylVje/El91w0RJX1KaEP26Qz2B+x0DGlabzruDrqSXhS1vukjdXHVeH6nNK Rc8B+QPJTkNJn7FdnN3Ei/1WT6UDahfFCJuyBgRircO79Ez5YDKtKFWRuMDjd6ti8GkP YDBw==
X-Forwarded-Encrypted: i=1; AJvYcCXZ/mmfUHeMkSGdkKeBmIureJKZ8p9Pn1hcn/THKwEy1VZddP3Iu0/gaF5MB8Z4kHSYxmKKLMPcTkZoUIp172KmzV37lI5+fBgZp04F
X-Gm-Message-State: AOJu0YxuzxWJU938H9tc18aVgu1P7RVxgbRqEi0JpIf5d+4ZUdYJTIZY QfyyRF0DkGB/NlbcqzgpCVZdEgx65yIOaW+KZ2ZPSZSfmBKTWLKrP3J+MHbFB4NbtWRgvR8udws R/JCdkIgEIwsYEMatCny03fmq4s6awaS3
X-Google-Smtp-Source: AGHT+IG2t9gjh3eOsOnMFWVqnF+i8xjQs9UQF5bLB1PEmc1cGw+mC1DnUFDEaQGAxQVvKEUT12XhwFiOFnbjqu233AY=
X-Received: by 2002:a50:d642:0:b0:56d:fdb3:bcc5 with SMTP id c2-20020a50d642000000b0056dfdb3bcc5mr605054edj.12.1712873455519; Thu, 11 Apr 2024 15:10:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com> <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com>
In-Reply-To: <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Thu, 11 Apr 2024 18:10:18 -0400
Message-ID: <CAFR824ybzCDY-C1cXFHcUhgZ-m8wgqgw4eCNoCraX7sPNNxC6g@mail.gmail.com>
To: Mike Ounsworth <Mike.Ounsworth@entrust.com>
Cc: Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dc93330615d96d5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pqc/vNJW3nfj6f8mqddLu52ZR5P9DKM>
Subject: Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: include PK and CT in the KDF?
X-BeenThere: pqc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Post Quantum Cryptography discussion list <pqc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pqc>, <mailto:pqc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pqc/>
List-Post: <mailto:pqc@ietf.org>
List-Help: <mailto:pqc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pqc>, <mailto:pqc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 22:11:02 -0000
> Given the analysis at this point, it seems prudent to bind the PK and CT, and it seems like draft-cms-kyber (and equivalents in other protocol WGs) is the right place to do it. Choosing to do this is basically bulletproof, no matter what happens with ML-KEM between now and the final FIPS 203. It is also bulletproof in case anyone happens to copy this pattern for other KEMs without thinking more of it. > I still would like to see an analysis of whether the PK is always available at decryption time. NIST has just announced they will make storing/using keys as just a seed to expand the whole keypair will be explicitly supported / described in the final FIPS 203, allowing a 64byte key seed to be expanded to provide the PK (in a much more secure way too) at Decaps() time. if CMS-Kyber wants to explicitly recommend storing keys as seeds and expanding them into memory only when needed to process the PK in Decaps() that's probably a nice solution (and is apparently FIPS-compatible even now? It may require looking up another FIPS document to confirm) On Thu, Apr 11, 2024 at 6:03 PM Mike Ounsworth <Mike.Ounsworth@entrust.com> wrote: > > It is _very_ important to me that one ML-KEM labrary be able to support > CMS, JOSE, COSE, and so on. so, whateve happen in one WG needs to be > aligned with others. > > > > Agreed, hence cross-posting to PQUIP. > > > > > > > If there is consensus to do so, the CMS kyber draft could address this > in the algorithm-specific layer. > > > > +1 to this suggestion. > > We’re on a deadline to get these RFCs out in short order after FIPS 203, > and have to act on what we know now. Given the analysis at this point, it > seems prudent to bind the PK and CT, and it seems like draft-cms-kyber (and > equivalents in other protocol WGs) is the right place to do it. > > > > I still would like to see an analysis of whether the PK is always > available at decryption time. I would like to hear from smartcard, HSM, > IoT, TPM type people about whether it’s fair to assume that the CMS / JOSE > / COSE / etc layer of a decryption routine will have access to the public > key at decryption time, or whether that will force some folks into awkward > re-architecturing exercises. For example, if someone has a TPM architecture > where only the wrapped private key is stored locally (cause why would you > ever need to encrypt for yourself?), then I could see that being an > annoying architecture change to also keep the public key. On the other > hand, ML-KEM is greenfield, so maybe it’s ok to say “When ML-KEM; your > private key object MUST contain the public key”. > > I’m asking whether there’s an engineering architecture concern here that > overshadows the security gain. Maybe I’ll stop rambling here. > > > > --- > > *Mike* Ounsworth > > > > *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Russ Housley > *Sent:* Thursday, April 11, 2024 4:31 PM > *To:* Deirdre Connolly <durumcrustulum@gmail.com> > *Cc:* LAMPS <spasm@ietf.org> > *Subject:* [EXTERNAL] Re: [lamps] CMS Kyber: include PK and CT in the KDF? > > > > Deirdre: There was a discussion of this a few months ago. Inside ML-KEM, > the public key is included in the KDF that computes the shared secret. > There was discussion ot addint a hash of the ciphertext to the KDF > computation, but no one thought > > Deirdre: > > > > There was a discussion of this a few months ago. Inside ML-KEM, the > public key is included in the KDF that computes the shared secret. There > was discussion ot addint a hash of the ciphertext to the KDF computation, > but no one thought that should be done in cms-kemri since that would be an > algorithm-specific detail at a algorithm agile layer. > > > > If there is consensus to do so, the CMS kyber draft could address this in > the algorithm-specific layer. > > > > It is _very_ important to me that one ML-KEM labrary be able to support > CMS, JOSE, COSE, and so on. so, whateve happen in one WG needs to be > aligned with others. > > > > Russ > > > > > > On Apr 11, 2024, at 10:30 AM, Deirdre Connolly <durumcrustulum@gmail.com> > wrote: > > > > Looking again at CMS Kyber > <https://urldefense.com/v3/__https:/www.ietf.org/id/draft-ietf-lamps-cms-kyber-03.html__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfawt_J-kL$>, > it seems to not bind the encapsulation key or the KEM ciphertext anywhere > in the CMS scheme or the KDF. To mitigate the less-than-ideal binding > properties > <https://urldefense.com/v3/__https:/eprint.iacr.org/2023/1933.pdf__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa-WRFsEg$> of > ML-KEM, I would consider including the encapsulation key and ciphertext > along with the shared secret `ss` as input to the KDF. > > > > ML-KEM, as currently drafted as FIPS 203 IPD > <https://urldefense.com/v3/__https:/nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa6TeNnwB$>, > is LEAK-BIND-K-PK and LEAK-BIND-K-CT at best > <https://urldefense.com/v3/__https:/eprint.iacr.org/2024/523__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa2woeUJG$>. > To safely use the shared secret output from ML-KEM without opening it up to > re-encapsulation attacks > <https://urldefense.com/v3/__https:/cryspen.com/post/pqxdh/__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa5CF-wTk$>, > including the PK and CT concatted with the `ss` as the preimage to the KDF > is a secure and easy way to maximally bind the resulting KEK to the KEM > public values. This construction is also a secure solution for any KEM with > even the weakest of binding properties, so it would be a safe pattern for > other KEMs: > > > > - KEK = KDF(ss) > > + KEK = KDF(ss || ct || pk) > > > > The ML-KEM standard may change between the current draft and the final one > later this summer/year, but even if so, this change would be basically > bulletproof either way in terms of security. > > > > Cheers, > > Deirdre > > >
- Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: inclu… Mike Ounsworth
- Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: inclu… Deirdre Connolly
- Re: [Pqc] [Ext] [EXTERNAL] Re: [lamps] CMS Kyber:… Paul Hoffman
- Re: [Pqc] [Ext] [EXTERNAL] Re: [lamps] CMS Kyber:… Deirdre Connolly
- Re: [Pqc] [Ext] [EXTERNAL] Re: [lamps] CMS Kyber:… Paul Hoffman
- Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: inclu… Kris Kwiatkowski
- Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: inclu… Deirdre Connolly
- Re: [Pqc] [EXTERNAL] Re: [lamps] CMS Kyber: inclu… tirumal reddy
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Ilari Liusvaara
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Sophie Schmieg
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Deirdre Connolly
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Ilari Liusvaara
- Re: [Pqc] [CFRG] [lamps] [EXTERNAL] Re: CMS Kyber… Deirdre Connolly
- Re: [Pqc] [CFRG] [lamps] [EXTERNAL] Re: CMS Kyber… Ilari Liusvaara
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Michael Richardson
- Re: [Pqc] [lamps] [EXTERNAL] Re: CMS Kyber: inclu… Deirdre Connolly