We have
been studying the implicit rejection and have some observations regarding the
role of the long-term secret value ‘z’ in Kyber.
In Kyber.CCAKEM.Dec, ‘z’ is used to implement implicit rejection as
if c = c’ then
return K := KFD(\bar{K}’ || H(c) )
else
return
K := KDF( z || H(c) )
We look
at this from a high-assurance implementation (i.e., side-channel protected)
point of view.
If ‘z’
requires the same level of protection against physical attacks as the secret
key ‘s’ then this results in significant costs in storage (storing shares of
the masked ‘z’). Moreover, the branch K := KDF( z || H(c) ) needs an
DPA-protected KDF (assuming ‘z’ is secret) which is not necessarily the case
for the K := KFD(\bar{K}’ || H(c) ) branch.
Academic
works have commonly left this part unprotected in masked implementations of
Kyber / Saber (cf. [1-4]), which removes the unpredictability property of the
rejection mechanism (‘z’ is assumed to be leaked in full).
Therefore,
for high-assurance implementations a switch to an explicit rejection mechanism
would be preferable and improve the efficiency.
If
implicit rejection is a design goal which is desirable (but is it really?) we
suggest one of the following.
What
about optionally randomizing ‘z’?
This
could be achieved by using K := KDF( (z xor R) || H(c) ) where ‘R’ denotes an
optionally true random element.
For
‘R==0’ it implements the current solution as specified in the specification
while for ‘R==random’ it randomizes the input to the KDF, which removes the
strict DPA-protection requirement and makes high assurance implementations much
simpler.
What do
you (= the Kyber team, NIST and the entire PQC community) think about such a
change to the rejection?
Any
obvious downsides we overlooked?
Best regards
NXP PQC
Team
[1] https://eprint.iacr.org/2020/733.pdf
[2] https://eprint.iacr.org/2021/483.pdf
[3] https://eprint.iacr.org/2022/158.pdf
[4] https://eprint.iacr.org/2022/389.pdf
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/3e210b6f-08d3-48f3-9689-1d048f9b3c58n%40list.nist.gov.
def high_level_protocol(…):…K = kyber_decaps(…)# the decapsulation failed, K == KDF(z || H(c))reply = symmetric_send_recv(K, msg)If (reply == error):… # Handle error
On 16 Dec 2022, at 14:14, Mike Hamburg <mi...@shiftleft.org> wrote:
Hi Tobias,
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/D5D7F317-6B6C-4636-9AF5-6CE9DE47DA50%40shiftleft.org.
One way out would be for NIST to separately validate two explicitly
labeled universes, one for implementations of the full KEM aiming for
IND-CCA2 and one for implementations that skip (or don't guarantee
security of) implicit rejection, with protocol designers choosing which
one they need. But I would recommend against this split unless there's
solid evidence that the cost savings will make a big difference in
deployment. I'm reminded of what
https://www.imperialviolet.org/2018/12/12/cecpq2.html
said about having an IND-CPA universe and an IND-CCA2 universe: "CPA vs
CCA security is a subtle and dangerous distinction, and if we're going
to invest in a post-quantum primitive, better it not be fragile."
---D. J. Bernstein
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/20221216180834.222129.qmail%40cr.yp.to.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/F534CBA6-E66D-40AC-B3FC-208939EF90B2%40shiftleft.org.
On 20 Dec 2022, at 14:25, D. J. Bernstein <d...@cr.yp.to> wrote:To clarify, by "as secure" you mean that a polynomial-time QROM IND-CCA2
attack against the KEM, with implicit or explicit rejection, implies a
polynomial-time attack against the PKE?
Many readers will expect "as secure" to be saying that the KEMs match
the PKE in security level.