--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20240419141559.384922.qmail%40cr.yp.to.
---D. J. Bernstein--You received this message because you are subscribed to the Google Groups "pqc-forum" group.To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20240419210427.405600.qmail%40cr.yp.to.Attachments:
- signature.asc
* Nobody has given any examples of any attack strategies that could
be blocked by the changes. (Meanwhile it's completely clear how the
changes would _enable_ attacks via, e.g., Dual EC.)
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/14c75610-3feb-4fc0-b0bf-5cf746ce1a00n%40list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAMjbhoWc2tZFy_syc8qEYMDd8o0-W-v%2BabX3c3HMQbVk2XUofg%40mail.gmail.com.
Dear all,
We are interested in hearing feedback from others regarding Sam’s suggestion to add domain separation early in key generation for ML-KEM (and, while not stated, ML-DSA), as described in: https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5CT4NC_6zRI/m/QZ7jLXEiCAAJ
Such a change would provide an inexpensive means to protect implementations from seed reuse across different algorithms and parameter sets and we are considering including this in the final versions of FIPS 203 and FIPS 204. The lines we would modify correspond to line 2 of Algorithm 12 in draft FIPS 203 and line 2 of Algorithm 1 in draft FIPS 204. The modification in each case would be to append to the input of the Hash/XOF a short string specific to the parameter set.
If you have thoughts on this, we’d appreciate it soon, as we are very close to finalizing the content of the FIPS.
Thanks everyone!
Ray Perlner (NIST PQC team)
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/CAEEbLAbr4R%3DQ%3DoUZ_P-O%3DxrHy__RAn-%2B5HcFZWYEG1ojms0N5A%40mail.gmail.com.
I support adding domain separation.
Thanks
--
V/R,
Uri
From: 'Perlner, Ray A. (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Date: Friday, May 17, 2024 at 10:38
To: Sophie Schmieg <ssch...@google.com>, Bas Westerbaan <b...@cloudflare.com>
Cc: Samuel Lee <samue...@microsoft.com>, pqc-forum <pqc-...@list.nist.gov>, D. J. Bernstein <d...@cr.yp.to>
Subject: [EXT] RE: [pqc-forum] Official comment on FIPS 203 ipd: seed as decapsulation key
Dear all, We are interested in hearing feedback from others regarding Sam’s suggestion to add domain separation early in key generation for ML-KEM (and, while not stated, ML-DSA), as described in: https: //groups. google. com/a/list. nist. gov/g/pqc-forum/c/5CT4NC_6zRI/m/QZ7jLXEiCAAJ
ZjQcmQRYFpfptBannerStart
|
ZjQcmQRYFpfptBannerEnd
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/DM6PR09MB48551A50F88DF01ECBE02D989CEE2%40DM6PR09MB4855.namprd09.prod.outlook.com.
D. J. Bernstein wrote:
>OCB2 being standardized with a change from OCB1 that eliminated security. It took more than ten years for the public to notice the security failure.
I think that is an excellent example of why paywalled algorithm standards like ISO should be considered cybersecurity risks and avoided like the plague.
Cheers,
John Preuß Mattsson
This Message Is From an External SenderThis message came from outside the Laboratory.
D. J. Bernstein wrote:
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/GVXPR07MB9678C67F98B6350AFAA8ED3F89EE2%40GVXPR07MB9678.eurprd07.prod.outlook.com.
Hi,
I have not looked into MALBIND-K-CT and MAL-BIND-K-PK but this seems similar/related to the work Tobias Hemmert et al. did on how to prevent backdoored public keys in LWE and (Classic) McEliece systems [1-2].
[1] https://eprint.iacr.org/2022/1381
[2] https://eprint.iacr.org/2022/362
Perlner, Ray A. (Fed) wrote:
>We are interested in hearing feedback from others regarding Sam’s suggestion to add domainseparation early in key generation for ML-KEM (and, while not stated, ML-DSA), as described in: >https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/5CT4NC_6zRI/m/QZ7jLXEiCAAJ
I like the suggestion by Samuel Lee to slightly tweak the key generation. That seems better than prepending the seed with a code point byte.
Cheers,
John
Hi all,
Due to the generally positive feedback we’ve received for domain separating KeyGen for different parameter sets of ML-KEM and ML-DSA, we plan to introduce domain separation in the final drafts of FIPS 203 and FIPS 204.
Thus, we plan to change line 2 of Algorithm 12 in draft FIPS 203 to:
(ρ,σ) ← G(d || k)
And we plan to change line 2 of Algorithm 1 in draft FIPS 204 to:
(𝜌, 𝜌′, 𝐾) ∈ 𝔹32 × 𝔹64 × 𝔹32 ← H(𝜉||IntegerToBytes(𝑘, 1)||IntegerToBytes(ℓ, 1), 128)
Best,
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/2859dfe2-67a1-4b81-9939-10cb39b112b2%40nist.gov.
I agree with Robin that ideally the expanded decapsulation key blobs for ML-KEM should contain the private seed (and similar for ML-DSA), to avoid having 3 forms of key object (private key w/ private seed, private key w/out private seed, and public key).It is a weird and easily avoidable detail with the proposed ML-KEM API, that if someone imports a key from a decapsulation key blob they cannot export it as a private seed.
This thread's a bit tedious, so here's a summary
Seed pros:
"Proves" the key is well-formed
Short
Seed cons:
Needs to be expanded
No context
Can't easily find seeds that produce interesting test cases
Expanded pros:
Ready to use
Easier to manipulate (say for testing edge cases)
Expanded cons:
Apparently doesn't bind the implicit rejection key or something (I didn't read "Unbindable Kemmy Schmidt"), allows some form of tampering?
Big