Re: [lamps] CMS Kyber: include PK and CT in the KDF?

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 12 April 2024 14:33 UTC

Date: Fri, 12 Apr 2024 17:33:03 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: LAMPS <spasm@ietf.org>
Message-ID: <ZhlGH2eWJ2pkWnYc@LK-Perkele-VII2.locald>
References: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com>
In-Reply-To: <CAFR824w0rBfxGzCJrSZ3f45Lyn7SEVLZK6cM9ZaZVHVPujs-5g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_8Ymcc6h2GDQqin5DjteyIwEWIY>
Subject: Re: [lamps] CMS Kyber: include PK and CT in the KDF?

On Thu, Apr 11, 2024 at 10:30:05AM -0400, Deirdre Connolly wrote:
> Looking again at CMS Kyber
> <https://www.ietf.org/id/draft-ietf-lamps-cms-kyber-03.html>, it seems to
> not bind the encapsulation key or the KEM ciphertext anywhere in the CMS
> scheme or the KDF. To mitigate the less-than-ideal binding properties
> <https://eprint.iacr.org/2023/1933.pdf> of ML-KEM, I would consider
> including the encapsulation key and ciphertext along with the shared secret
> `ss` as input to the KDF.

What is to prevent an attacker from just replacing the recipient with
one with the desired key wrapping the correct CEK, completely bypassing any
binding properties of the KEM or any extra added binding?

And that seems like a much easier thing to exploit than any LEAK-BIND-*,
let alone MAL-BIND-*, failures.

-Ilari