Mastodawn

In "Keeping up with the KEMs" Cremers et al. introduced various binding models for KEMs. The authors show that ML-KEM is LEAK-BIND-K-CT and LEAK-BIND-K-PK, i.e. binding the ciphertext and the public key in the case of an adversary having access, but not being able to manipulate the key material. They further conjecture that ML-KEM also has MAL-BIND-K-PK, but not MAL-BIND-K-CT, the binding of public key or ciphertext to the shared secret in the case of an attacker with the ability to manipulate the key material. This short paper demonstrates that ML-KEM does neither have MALBIND-K-CT nor MAL-BIND-K-PK, due to the attacker being able to produce mal-formed private keys, giving concrete examples for both. We also suggest mitigations, and sketch a proof for binding both ciphertext and public key when the attacker is not able to manipulate the private key as liberally.

IACR Cryptology ePrint Archive

Show thread

🌈 Andrew ☄️Apr 10, 2024

@sophieschmieg its not my field, but I love the paper title

Show thread

Jordan Mar 26, 2024

@sophieschmieg Potentially-stupid question from a non-cryptographer: since ML-KEM encapsulation is non-deterministic already (is specified to use a random number generator as part of the input), how is this different from an honest encapsulator coincidentally generating the same shared secret?

Show thread

Jordan Mar 26, 2024

@sophieschmieg Partial answer to my own question: the amount of randomness is the same as the length of the shared secret, so if the encoding is always value-preserving, there won’t be any such collisions normally. I don’t know myself if Kyber/ML-KEM preserves all the entropy like that but it would make sense if it did.

Show thread

Sophie Schmieg Mar 26, 2024

@jrose for ML-KEM, the entropy going into the encaps function is concatenated with the hash of the public key (or in the case of this attack, the hash of a different public key), and the concatenated string is that hashed with SHA-3-512. The first 32 bytes of that hash is the shared secret, the last 32 bytes are used as encryption entropy to encrypt the original entropy with a CPA scheme.

Show thread

Sophie Schmieg Mar 26, 2024

@jrose the trick is that on decapsulation, you recover the entropy used by the encapsulator, and can use that to rerun the encapsulation algorithm. If the encapsulator was honest, you return the shared key, if the encapsulator lied you return pseudorandom garbage.

So while the original scheme could be attacked via adaptively chosen ciphertexts, this transform forces the attacker to not have any choice in the ciphertexts they produce, making the whole construction IND-CCA

Show thread

Jordan Mar 26, 2024

@sophieschmieg Ah, and the last piece here is that recomputing the full public key from the secret key is unnecessarily expensive, so the hash is cached instead? Which means it can be replaced without disturbing anything on decapsulation (well, except that it can no longer receive ciphertexts on the original public key). Do I have that right?

Show thread

Sophie Schmieg Mar 26, 2024

@jrose you can't even recompute the public key from the private key in Kyber, so the cache is necessary (you compute t = As + e, t and A is the public key, s is the private key, e is discarded). The cache of the hash of the public key is not though, that's just a performance optimization.

Show thread

Jordan Mar 26, 2024

@sophieschmieg I’m spoiled by entering cryptographic programming when EC keys were the recommended thing. Super flexible, super capable, super compact. Then I forget most systems just aren’t that general, often by design. Thanks for explaining!

Show thread

Paul Hoffman Mar 26, 2024

@sophieschmieg s/now// You get to decide when.

@sophieschmieg Nice!!!

Show thread

Gikkyme Mar 26, 2024

@sophieschmieg
Well i want to know what's the next step after having basic knowledge of cryptography and what's the job positions currently available in the market