Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?
tirumal reddy <kondtir@gmail.com> Fri, 12 April 2024 06:31 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91395C14F60E; Thu, 11 Apr 2024 23:31:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3q9valqTBlG2; Thu, 11 Apr 2024 23:31:19 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B57CC14F60D; Thu, 11 Apr 2024 23:31:19 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-56e4556990cso105711a12.1; Thu, 11 Apr 2024 23:31:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712903477; x=1713508277; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WjjaZGy5vuKP2dCe2Z0k1Gc6zGu3Jy/gVK4HrwE4+rA=; b=JqyTAdHYkfejalYIHngpxM0gfsmU+nBOSszpxu9EyAQ0F4K3qHCfa+PpG+Kgscyhwp /1LBnSuJ8Z3S5JAYaaN0nA1KQxGUKTsos1Aow3DDJcujiaMwGZaoW6KLR4mTAKt5vzGp j4ZenURN3mUoTzI76ryb3SZgV7q9CxqjpzZa/uRjnDsQAiE8QZr3fiiUJVv9C4fJw9tG f0TIFdL187445UW0ECbZiRKsEZuWFv6ScDNbQ1Zuqqzx4Ejbuneteg1rqO1h0dNX9MIP Qo8PhoAtsPNFuxiB9OlcGv/PWzJbn3S+UYLUOdLWARoV1F25H4ZAohflWczn83ajxq2I JCMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712903477; x=1713508277; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=WjjaZGy5vuKP2dCe2Z0k1Gc6zGu3Jy/gVK4HrwE4+rA=; b=ZqCFqKc2g9xpBrioUfaIvMmFU37/OqU7PtseQb1ny0TwS3FU6nlSxtzwaOZkeMHOMn czNDaIAPIrsetPQeS2yjGH/eKp3Rx2NF6/ag0JS5ZkXbnaR5659ecbB5c8pIfdR+q5fv t3Qjb24plM8jeP9GZVxarILLjFYm1UFK+IAAelqJScYb8shx5IuDGC0x2fPwxAra8AyH xWR9qZj7lhZ3sf0aVihoGNquPn/IlHf1faBc61jGk8PH/6+KGIVHtvlmSFAo59Se3B7c dKKpYVkhM9YNL1CJm/xwmmUPntQHkh70c7UiWzR70vvAmwKH5RoCz3i/dRDkoihk4v7P 38Pw==
X-Forwarded-Encrypted: i=1; AJvYcCUMpVl/FDVZR7lE2esaX1XD0i9MfliCXGqDjlQ2QwNZebOWdCoGWXizLiJHD0ntgZoc8qwFB3bGadcxbHO0c1fFOALMyXwH2yKml8Uv
X-Gm-Message-State: AOJu0Yy+XmKpBDx3jPPkERwy2+qcbL2Ec9zg+pG+QaCfE1YR49Jgzceg jyF5/GO+D1Ehe1Wy9kKBftsoVD/iTarUKEuUaamm4m6D4VHwvq5lwS1VwNkagLuI5AclFkD29sO zt76/99zPpso2sjklo/4QTJ5ALw4kQz9A
X-Google-Smtp-Source: AGHT+IEZxN8LfjeOjemBa94QVtJaI/q8uzPLkbCnp3DpypzwvpoC9Yl1VWX3C2rnnGVSn+ThdOzxdykHgX0ek90fAH4=
X-Received: by 2002:a50:9f86:0:b0:56f:c13c:4233 with SMTP id c6-20020a509f86000000b0056fc13c4233mr660543edf.3.1712903476831; Thu, 11 Apr 2024 23:31:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com> <CH0PR11MB57391B1E18D87AEB8D9519EE9F052@CH0PR11MB5739.namprd11.prod.outlook.com> <CAFR824ybzCDY-C1cXFHcUhgZ-m8wgqgw4eCNoCraX7sPNNxC6g@mail.gmail.com>
In-Reply-To: <CAFR824ybzCDY-C1cXFHcUhgZ-m8wgqgw4eCNoCraX7sPNNxC6g@mail.gmail.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 12 Apr 2024 12:00:39 +0530
Message-ID: <CAFpG3gfj8xp4UxsczBT953BE7yDEu3_GdQgR6z02qV8EVFUfNg@mail.gmail.com>
To: Deirdre Connolly <durumcrustulum@gmail.com>
Cc: Mike Ounsworth <Mike.Ounsworth@entrust.com>, Russ Housley <housley@vigilsec.com>, LAMPS <spasm@ietf.org>, "pqc@ietf.org" <pqc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000456e790615e06be2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/U-CHarZRXIVOQrt5o1D_A0z1YSM>
Subject: Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: include PK and CT in the KDF?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 06:31:23 -0000
On Fri, 12 Apr 2024 at 03:41, Deirdre Connolly <durumcrustulum@gmail.com> wrote: > > Given the analysis at this point, it seems prudent to bind the PK and > CT, and it seems like draft-cms-kyber (and equivalents in other protocol > WGs) is the right place to do it. > > Choosing to do this is basically bulletproof, no matter what happens with > ML-KEM between now and the final FIPS 203. It is also bulletproof in case > anyone happens to copy this pattern for other KEMs without thinking more of > it. > It would be advantageous if the cryptographic library for PQC KEMs could be seamlessly integrated without the need to create a new mechanism within the JOSE/COSE WGs to establish a binding of the encapsulation key and ciphertext into the shared secret. I also see variations in the KDF usage: for instance, the CMS specification utilizes KMAC, while the draft-connolly-cfrg-hpke-mlkem proposes use of HKDF-Extract and HKDF-Expand. We identified this challenge during our work on https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-kem/ <https://datatracker.ietf.org/doc/draft-reddy-cose-jose-pqc-kem/> -Tiru > > > I still would like to see an analysis of whether the PK is always > available at decryption time. > > NIST has just announced they will make storing/using keys as just a seed > to expand the whole keypair will be explicitly supported / described in the > final FIPS 203, allowing a 64byte key seed to be expanded to provide the PK > (in a much more secure way too) at Decaps() time. if CMS-Kyber wants to > explicitly recommend storing keys as seeds and expanding them into memory > only when needed to process the PK in Decaps() that's probably a nice > solution (and is apparently FIPS-compatible even now? It may require > looking up another FIPS document to confirm) > > On Thu, Apr 11, 2024 at 6:03 PM Mike Ounsworth <Mike.Ounsworth@entrust.com> > wrote: > >> > It is _very_ important to me that one ML-KEM labrary be able to >> support CMS, JOSE, COSE, and so on. so, whateve happen in one WG needs to >> be aligned with others. >> >> >> >> Agreed, hence cross-posting to PQUIP. >> >> >> >> >> >> > If there is consensus to do so, the CMS kyber draft could address this >> in the algorithm-specific layer. >> >> >> >> +1 to this suggestion. >> >> We’re on a deadline to get these RFCs out in short order after FIPS 203, >> and have to act on what we know now. Given the analysis at this point, it >> seems prudent to bind the PK and CT, and it seems like draft-cms-kyber (and >> equivalents in other protocol WGs) is the right place to do it. >> >> >> >> I still would like to see an analysis of whether the PK is always >> available at decryption time. I would like to hear from smartcard, HSM, >> IoT, TPM type people about whether it’s fair to assume that the CMS / JOSE >> / COSE / etc layer of a decryption routine will have access to the public >> key at decryption time, or whether that will force some folks into awkward >> re-architecturing exercises. For example, if someone has a TPM architecture >> where only the wrapped private key is stored locally (cause why would you >> ever need to encrypt for yourself?), then I could see that being an >> annoying architecture change to also keep the public key. On the other >> hand, ML-KEM is greenfield, so maybe it’s ok to say “When ML-KEM; your >> private key object MUST contain the public key”. >> >> I’m asking whether there’s an engineering architecture concern here that >> overshadows the security gain. Maybe I’ll stop rambling here. >> >> >> >> --- >> >> *Mike* Ounsworth >> >> >> >> *From:* Spasm <spasm-bounces@ietf.org> *On Behalf Of *Russ Housley >> *Sent:* Thursday, April 11, 2024 4:31 PM >> *To:* Deirdre Connolly <durumcrustulum@gmail.com> >> *Cc:* LAMPS <spasm@ietf.org> >> *Subject:* [EXTERNAL] Re: [lamps] CMS Kyber: include PK and CT in the >> KDF? >> >> >> >> Deirdre: There was a discussion of this a few months ago. Inside ML-KEM, >> the public key is included in the KDF that computes the shared secret. >> There was discussion ot addint a hash of the ciphertext to the KDF >> computation, but no one thought >> >> Deirdre: >> >> >> >> There was a discussion of this a few months ago. Inside ML-KEM, the >> public key is included in the KDF that computes the shared secret. There >> was discussion ot addint a hash of the ciphertext to the KDF computation, >> but no one thought that should be done in cms-kemri since that would be an >> algorithm-specific detail at a algorithm agile layer. >> >> >> >> If there is consensus to do so, the CMS kyber draft could address this in >> the algorithm-specific layer. >> >> >> >> It is _very_ important to me that one ML-KEM labrary be able to support >> CMS, JOSE, COSE, and so on. so, whateve happen in one WG needs to be >> aligned with others. >> >> >> >> Russ >> >> >> >> >> >> On Apr 11, 2024, at 10:30 AM, Deirdre Connolly <durumcrustulum@gmail.com> >> wrote: >> >> >> >> Looking again at CMS Kyber >> <https://urldefense.com/v3/__https:/www.ietf.org/id/draft-ietf-lamps-cms-kyber-03.html__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfawt_J-kL$>, >> it seems to not bind the encapsulation key or the KEM ciphertext anywhere >> in the CMS scheme or the KDF. To mitigate the less-than-ideal binding >> properties >> <https://urldefense.com/v3/__https:/eprint.iacr.org/2023/1933.pdf__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa-WRFsEg$> of >> ML-KEM, I would consider including the encapsulation key and ciphertext >> along with the shared secret `ss` as input to the KDF. >> >> >> >> ML-KEM, as currently drafted as FIPS 203 IPD >> <https://urldefense.com/v3/__https:/nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa6TeNnwB$>, >> is LEAK-BIND-K-PK and LEAK-BIND-K-CT at best >> <https://urldefense.com/v3/__https:/eprint.iacr.org/2024/523__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa2woeUJG$>. >> To safely use the shared secret output from ML-KEM without opening it up to >> re-encapsulation attacks >> <https://urldefense.com/v3/__https:/cryspen.com/post/pqxdh/__;!!FJ-Y8qCqXTj2!ZlXBL5zdkVBiGN9kO1SGzVWESjCU-Qx4JhNBJbo6Rc_mqMsre90MkvNPbifOgYG0NQ5JvsFw6syNRc5LwlFfa5CF-wTk$>, >> including the PK and CT concatted with the `ss` as the preimage to the KDF >> is a secure and easy way to maximally bind the resulting KEK to the KEM >> public values. This construction is also a secure solution for any KEM with >> even the weakest of binding properties, so it would be a safe pattern for >> other KEMs: >> >> >> >> - KEK = KDF(ss) >> >> + KEK = KDF(ss || ct || pk) >> >> >> >> The ML-KEM standard may change between the current draft and the final >> one later this summer/year, but even if so, this change would be basically >> bulletproof either way in terms of security. >> >> >> >> Cheers, >> >> Deirdre >> >> >> > -- > Pqc mailing list > Pqc@ietf.org > https://www.ietf.org/mailman/listinfo/pqc >
- [lamps] CMS Kyber: include PK and CT in the KDF? Deirdre Connolly
- Re: [lamps] CMS Kyber: include PK and CT in the K… Russ Housley
- Re: [lamps] [EXTERNAL] Re: CMS Kyber: include PK … Mike Ounsworth
- Re: [lamps] [EXTERNAL] Re: CMS Kyber: include PK … Deirdre Connolly
- Re: [lamps] [Ext] [Pqc] [EXTERNAL] Re: CMS Kyber:… Paul Hoffman
- Re: [lamps] [Ext] [Pqc] [EXTERNAL] Re: CMS Kyber:… Deirdre Connolly
- Re: [lamps] [Ext] [Pqc] [EXTERNAL] Re: CMS Kyber:… Paul Hoffman
- Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: inclu… tirumal reddy
- Re: [lamps] [EXTERNAL] Re: CMS Kyber: include PK … Sophie Schmieg
- Re: [lamps] [EXTERNAL] Re: CMS Kyber: include PK … Deirdre Connolly
- Re: [lamps] CMS Kyber: include PK and CT in the K… Watson Ladd
- Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: inclu… Ilari Liusvaara
- Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: inclu… Deirdre Connolly
- Re: [lamps] [Pqc] [EXTERNAL] Re: CMS Kyber: inclu… Ilari Liusvaara
- Re: [lamps] [CFRG] [Pqc] [EXTERNAL] Re: CMS Kyber… Deirdre Connolly
- Re: [lamps] [CFRG] [Pqc] [EXTERNAL] Re: CMS Kyber… Ilari Liusvaara
- Re: [lamps] [EXTERNAL] Re: CMS Kyber: include PK … Michael Richardson
- Re: [lamps] CMS Kyber: include PK and CT in the K… Hubert Kario
- Re: [lamps] CMS Kyber: include PK and CT in the K… Ilari Liusvaara