IETF Logo Mail Archive

Re: [lamps] CMS Kyber: include PK and CT in the KDF?

Watson Ladd <watsonbladd@gmail.com> Fri, 12 April 2024 03:48 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 440EAC14F618 for <spasm@ietfa.amsl.com>; Thu, 11 Apr 2024 20:48:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2Is9w8aLxyA for <spasm@ietfa.amsl.com>; Thu, 11 Apr 2024 20:48:38 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F82CC14F614 for <spasm@ietf.org>; Thu, 11 Apr 2024 20:48:38 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id ffacd0b85a97d-34641b7c49aso319620f8f.2 for <spasm@ietf.org>; Thu, 11 Apr 2024 20:48:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712893716; x=1713498516; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=V8ZnirZjHsyOeMZiZ91hc9cVnP8iDQda6LjlxXOaRhg=; b=KxL0Ah3CJU4KWyViRooBa4svCvSvg0/d6TzXCu6v7DCLfeP1DwboFtu9gOtsJt1aMU Dp3kw8CPqZmS1aTpeFz1fUrs+Gzdc2YWo+ODfhZosnIYZ6YJSm0bW/CAPEXCX8uQx32n 7Gz2l3O+OkuMYk9cWqXClpytibqWzIKi6QwD6N+g9ZAHxyNN4JrL1zb12J5hTDWSs9Fg hUbDJFi56+34JKkIMqDpKYmSq+DtYuZlquwMJERjzd1xtbi8O+29WjG+8jhNMOTOXT5K C6ooDkDPWR1tZA5DwE0wxZrYzRUg7RTAI+P6iOpWYnEhKg897LcmkcJPMkPT7Ii/30wW u8Xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712893716; x=1713498516; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=V8ZnirZjHsyOeMZiZ91hc9cVnP8iDQda6LjlxXOaRhg=; b=smstWtHZtRIrA2kQZE6YwkBH/gmfTq6nXAjvPJRq/9DFDcFbUfWUta9ShjVoOfw2iU qOtlDSABjfVSIXZTSrZulq9EaB9jWoIMa/j21US8N2UNqixP2gw627OUSYbyIA+c5JkS 6Y0cKkvME5ziivjNhGSWhOqI4CGnuKZaE/amG7zW5XHjqN7hwh6V0Sa1mbBe7q8SfKaH q5SvF0YeGEH0TRZoyRed9LR/t4LVsQLM+zp+Xl6L1Zve8YJerrPQZuFrwEzZAeU5rQ/9 DVHC1w7Muc4ezs3LYvI5xaYBiROzHHAtA8jM5DF7ClPD5r60fkA3aicRqOg86ZiQYPso aMfQ==
X-Forwarded-Encrypted: i=1; AJvYcCVB6MLWlRhTMWBpq5Pif3X/8aGTtCh1QcnY5xAtoaUg88xL/gp9DMuIQREFyb1qse10hn2mMOXzpgQw5C4cfA==
X-Gm-Message-State: AOJu0YzY/Ck8zIH3QV4mzpBeZVwZGpYOJJrJ7+o4Dp+oyYtTszzVFnjZ 3hHT+4QBAXrwmiGu4BVZe0jF1Nbzt8ZAXt6IU3dH/cYeIV3TaI01GwzUGscq6V5SsYdKX5/mSpN e6r6CVVV5sAZB6djH81I+6kWudcU=
X-Google-Smtp-Source: AGHT+IEnOXHrfB55V7UYGLArufBHEhifarhN5of70TANX+Nto5W4sGAyIhKmRoBXgYEKqSMC/MQ/jlF1xmU5D9cEWig=
X-Received: by 2002:adf:fa8b:0:b0:343:b686:89a0 with SMTP id h11-20020adffa8b000000b00343b68689a0mr828298wrr.13.1712893716402; Thu, 11 Apr 2024 20:48:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com> <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com>
In-Reply-To: <A31C1C09-297F-4C4A-837E-FD2A703AD96F@vigilsec.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 11 Apr 2024 20:48:25 -0700
Message-ID: <CACsn0c=9CDufOjLP98Rwj1BSO_eK=STsg2CObLSnmr+MrpyYUA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Deirdre Connolly <durumcrustulum@gmail.com>, LAMPS <spasm@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/VCza0_iELbsyzLYH0jPuTWrrX1E>
Subject: Re: [lamps] CMS Kyber: include PK and CT in the KDF?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 03:48:42 -0000

On Thu, Apr 11, 2024 at 2:31 PM Russ Housley <housley@vigilsec.com> wrote:
>
> Deirdre:
>
> There was a discussion of this a few months ago.  Inside ML-KEM, the public key is included in the KDF that computes the shared secret.  There was discussion ot addint a hash of the ciphertext to the KDF computation, but no one thought that should be done in cms-kemri since that would be an algorithm-specific detail at a algorithm agile layer.

Huh? CMS and TLS handle ECDH very differently today.
>
> If there is consensus to do so, the CMS kyber draft could address this in the algorithm-specific layer.
>
> It is _very_ important to me that one ML-KEM labrary be able to support CMS, JOSE, COSE, and so on.  so, whateve happen in one WG needs to be aligned with others.

That library exposes Ecapsulate, Decapsulate, and Kegen functions. It
will function just fine even if a protocol layers a combiner on top.
>
> Russ
>
>
> On Apr 11, 2024, at 10:30 AM, Deirdre Connolly <durumcrustulum@gmail.com> wrote:
>
> Looking again at CMS Kyber, it seems to not bind the encapsulation key or the KEM ciphertext anywhere in the CMS scheme or the KDF. To mitigate the less-than-ideal binding properties of ML-KEM, I would consider including the encapsulation key and ciphertext along with the shared secret `ss` as input to the KDF.
>
> ML-KEM, as currently drafted as FIPS 203 IPD, is LEAK-BIND-K-PK and LEAK-BIND-K-CT at best. To safely use the shared secret output from ML-KEM without opening it up to re-encapsulation attacks, including the PK and CT concatted with the `ss` as the preimage to the KDF is a secure and easy way to maximally bind the resulting KEK to the KEM public values. This construction is also a secure solution for any KEM with even the weakest of binding properties, so it would be a safe pattern for other KEMs:
>
> - KEK = KDF(ss)
> + KEK = KDF(ss || ct || pk)
>
> The ML-KEM standard may change between the current draft and the final one later this summer/year, but even if so, this change would be basically bulletproof either way in terms of security.
>
> Cheers,
> Deirdre
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm



-- 
Astra mortemque praestare gradatim

v2.23.0 | Report a Bug | By Email