Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add text in Security Consideration regarding the benefits of the 64-byte seed format #69

Merged
merged 9 commits into from
Nov 4, 2024
Merged

Add text in Security Consideration regarding the benefits of the 64-byte seed format #69

Changes from 1 commit
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
47c80b4
Add text in Security Consideration regarding the benefits of the 64-b…
dconnolly Oct 24, 2024
cca1958
RNG stuff
dconnolly Oct 24, 2024
b754572
Protect secret key material
dconnolly Oct 24, 2024
698e041
Indent⁻
dconnolly Oct 24, 2024
aa4de49
Update draft-ietf-lamps-kyber-certificates.md
dconnolly Oct 24, 2024
4546ca7
Point at FIPS 203 randomness / RBG requirements
dconnolly Oct 24, 2024
747b208
fixing spaces
seanturner Oct 24, 2024
a9b8510
Ref KEM binding properties first formalization paper
dconnolly Oct 24, 2024
c46178f
Wrap a line
dconnolly Oct 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 45 additions & 3 deletions draft-ietf-lamps-kyber-certificates.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,31 @@ normative:
ISO/IEC: 8825-1:2021

informative:
CDM23:
title: "Keeping Up with the KEMs: Stronger Security Notions for KEMs and automated analysis of KEM-based protocols"
target: https://eprint.iacr.org/2023/1933.pdf
date: 2023
author:
-
ins: C. Cremers
name: Cas Cremers
org: CISPA Helmholtz Center for Information Security
-
ins: A. Dax
name: Alexander Dax
org: CISPA Helmholtz Center for Information Security
-
ins: N. Medinger
name: Niklas Medinger
org: CISPA Helmholtz Center for Information Security
KEMMY24:
title: "Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK"
target: https://eprint.iacr.org/2024/523.pdf
date: 2024
author:
-
ins: S. Schmieg
name: Sophie Schmieg
NIST-PQC:
target: https://csrc.nist.gov/projects/post-quantum-cryptography
title: >
Expand Down Expand Up @@ -295,9 +320,26 @@ encoded using the textual encoding defined in {{?RFC7468}}.

# Security Considerations

The Security Considerations section of {{RFC5280}} applies to this specification as well.

For ML-KEM specific security considerations refer to {{?I-D.sfluhrer-cfrg-ml-kem-security-considerations}}.
The Security Considerations section of {{RFC5280}} applies to this
specification as well.

dconnolly marked this conversation as resolved.
Show resolved Hide resolved
For ML-KEM specific security considerations refer to
{{?I-D.sfluhrer-cfrg-ml-kem-security-considerations}}.

dconnolly marked this conversation as resolved.
Show resolved Hide resolved
Per the analysis of the final {{FIPS203}} in {{KEMMY24}}, a compliant
instantiation of ML-KEM is LEAK-BIND-K-PK-secure and LEAK-BIND-K-CT-secure
when using the expanded key format, but not MAL-BIND-K-PK-secure nor
MAL-BIND-K-CT-secure. This means that the computed shared secret binds to the
encapsulation key used to compute it against a malicious adversary that has
access to leaked, honestly-generated key material but is not capable of
manufacturing maliciously generated keypairs. This binding to the
encapsulation key broadly protects against re-encapsulation attacks but not
completely.

Using the 64-byte seed format provides a step up in binding security by
mitigating an attack enabled by the hash of the public encapsulation key
stored in the expanded private decapsulation key format, providing
MAL-BIND-K-CT security and LEAK-BIND-K-PK security.

# IANA Considerations

Expand Down