Hi Markku-Juhani,
Thank you for your discussion. Please see my comment below. I am trying to understand your comment correctly.
From: pqc-...@list.nist.gov <pqc-...@list.nist.gov>
On Behalf Of Markku-Juhani O. Saarinen
Sent: Wednesday, September 27, 2023 10:18 AM
To: pqc-forum <pqc-...@list.nist.gov>
Cc: Peter Schwabe <pe...@cryptojedi.org>
Subject: [pqc-forum] Re: Public-key validation in ML-KEM draft standard
Peter,
Thanks for the summary. Here's an additional argument for option (2).
The "modulus check" input validation (Section 6.2 of FIPS 203 ipd) was not present in previous specifications or implementations. It is framed in terms of "abort" in case of failing check. Line 987 states that "application-appropriate steps shall be taken to abort." As in most standards, the keyword "shall" indicates a formal requirement (see definition on line 385) and, therefore, this new check is required in all compliant implementations (and should be tested in FIPS certification, etc.) So this is simultaneously rather vague (abort? what does that mean in protocol x? an error message y?) and very strict -- the implementor has to do something special in this case.
My main objection is that this requirement complicates the state machine, implementations, and security proofs of protocols that use Kyber. It also complicates testing. Without it, the Kyber Encapsulation and Decapsulation are deterministic functions from fixed-length byte strings to fixed-length byte strings (if we include the random inputs) and Kyber can be used in "garbage-in garbage-out" mode without the caller being aware if the input is valid (e.g., correctly decrypted) or not.
There is no obvious security reason for this check, and in any case, protocol designers should not assume anything from it, as it does not catch all invlaid public keys. Due to the use of hash H(ek) in the derivation of the shared secret, option (2) does not make the public key "malleable" -- modifying the public key in any way will always impact the shared secret.
Additional note: There are "type checks" (Lines 982, 1011, 1013) in both Encapsulation and Decapsulation, which check that the input byte string is of specified length (all inputs and outputs of Kyber at a specific security level have a constant length.) I support the statement that one should not proceed with the execution of the primitive if insufficient data is available -- padding is in no way applicable to these schemes.
[Dang, Quynh H. (Fed)] Are you suggesting that we should say something like “The caller shall make sure that the length of the Encap key or Decap key is correct before calling Encap or Decap respectively.” and that should be all: no further length check and no further modulus check in Encap and Decap ?
Regards,
Quynh.
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion on the web visit
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/cadf517c-310d-425c-86c0-2abe25be5e0bn%40list.nist.gov.
Thank you for your discussion. Please see my comment below. I am trying to understand your comment correctly.
Additional note: There are "type checks" (Lines 982, 1011, 1013) in both Encapsulation and Decapsulation, which check that the input byte string is of specified length (all inputs and outputs of Kyber at a specific security level have a constant length.) I support the statement that one should not proceed with the execution of the primitive if insufficient data is available -- padding is in no way applicable to these schemes.
[Dang, Quynh H. (Fed)] Are you suggesting that we should say something like “The caller shall make sure that the length of the Encap key or Decap key is correct before calling Encap or Decap respectively.” and that should be all: no further length check and no further modulus check in Encap and Decap ?
Regards,
Quynh.
Hi Markku,
Thank you for the clarification!
Hi all,
( My discussions do not represent any views or thoughts of any other person or group. I am seeking technical correctness, perfection/betterness (if possible) and understanding.)
Within the option 2, I think the modulus reduction step is not needed.
The current implementations from the Kyber's team and Cloudflare do not do this reduction step, but they can still produce correct output because the reduction happens later in the Encrypt and it preserves correctness. So, implementations may skip that step as long as the Encap produces the correct result at the end.
The issue is that new implementers might implement that step unnecessarily if we add it to the specification, and that would add cycle cost for all executions of the Encap forever.
The aim of the reduction step is to avoid the risk of an overflow which could lead to wrong computation results when the coefficient(s) are larger than (q - 1), outside of Zq.
However, taking a closer look, it seems that the sensible and rightful concern above turns out to be not a concern.
First, the coefficients' size is 12 bits, so if they are larger than (q - 1), from 3329 to 4095, they are still 12 bits long. Therefore, if an implementation handles the required computations (multiplications and additions) between the coefficients in Zq correctly without having an overflow in an Encap, it should also not have an overflow with some or all coefficients being larger than 3328.
Secondly, our key gen requires the coefficients of the public key being in Zq. If the implementer follows our specification (requirement), there are no coefficients being out of the range, out of Zq.
If a key gen implementation generates a public key whose coefficients being outside of the range sometimes or all of the times, for example instead of 1, 2 the coefficients are q + 1 and q + 2 etc....(these are functionally equivalent coefficients in Zq), the reduction is not handled correctly in this implementation. And, very likely a key pair from this implementation is not a functional key pair (meaning the Decap always fails). The reason is that the resulting coefficients of the public key come from many multiplications and additions. If the reduction is not performed, it is very likely that one or more of the unreduced coefficients in the public key are not functionally correct due to an overflow since the size of the coefficients remains the same, only 12 bits. The Encap does not need to make sure that the result is computationally correct, not having an overflow, with a nonfunctional public key, a wrong public key.
Regards,
Quynh.
From: Markku-Juhani O. Saarinen <mjos....@gmail.com>
Sent: Wednesday, September 27, 2023 11:00 AM
To: pqc-forum <pqc-...@list.nist.gov>
Hi Peter, Markku, Quynh, all,
Thank you for your comments on public-key validation of Kyber.
Below the point of view from NXP.
Firstly, could you please quantify what the expected saving is of removing this boundary check?
With respect to the remainder of the Encapsulation, this seems negligible.
So we do not consider the improved efficiency of Encapsulation a very strong argument against having the bound check.
Secondly, the wish for error-free APIs is understandable but seems unrealistic in virtually all (industrial) software environments.
For example, Encapsulation will require a call to a randomness source which shall be implemented using a prescribed function from SP 800-90* (see paragraph “Randomness generation” on Line 682 of FIPS 203 draft).
Quoting from SP 800-90A section 9 (page 26): “When the generate function returns an error, a null string is returned as the output string (see Section 9.3.1) and shall not be used as pseudorandom output.”
Are you proposing not to handle this RNG error within Encapsulation, and would there not be an issue with compliance?
Regardless of SP 800-90*, validation of RNG output is a good practice for cryptographic implementations.
Besides RNGs, many implementations will have to deal with various other types of error handling to deal with HW for SHA3, NTTs, etc. (but this is not applicable everywhere)
Can you really guarantee no loss of security whatsoever when return error codes are ignored by the caller?
On the other hand, input sanitation is a general good practice and especially so for cryptographic implementations that have failed due to malformed inputs time after time.
We are in favor of option 1): including the explicit step to verify the public key in Encapsulation as proposed in the current draft standard.
At the moment, we do not see that option 2 will really lead to meaningfully improved efficiency or security in practice.
Kind regards,
NXP PQC Team
From: 'Dang, Quynh H. (Fed)' via pqc-forum <pqc-...@list.nist.gov>
Sent: Wednesday, September 27, 2023 6:02 PM
To: Markku-Juhani O. Saarinen <mjos....@gmail.com>; pqc-forum <pqc-...@list.nist.gov>
Cc: Peter Schwabe <pe...@cryptojedi.org>
Subject: [EXT] RE: [pqc-forum] Re: Public-key validation in ML-KEM draft standard
Caution: This is an external email. Please take care when clicking links or opening attachments. When in doubt, report the message using the 'Report this email' button |
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/MW4PR09MB10059A7F90D38A6A3CC3B6131F3C2A%40MW4PR09MB10059.namprd09.prod.outlook.com.
Hi Joost and all,
Thank you for the comment/discussion.
( My discussions do not represent any views or thoughts of any other person or group. I am seeking technical correctness, perfection/betterness (if possible) and understanding.)
I heard a comment from someone which said that the 32-byte random string should be treated as an input to the function so that testing would be easier. With this, how this seed is generated is the system matter, not matter with the Encap. The caller just passes a 32-byte array to the Encap along with a right size public key.
What do you think ?
Regards,
Quynh.
I heard a comment from someone which said that the 32-byte random string should be treated as an input to the function so that testing would be easier. With this, how this seed is generated is the system matter, not matter with the Encap. The caller just passes a 32-byte array to the Encap along with a right size public key.
On 28 Sep 2023, at 12:51, Markku-Juhani O. Saarinen <mjos....@gmail.com> wrote:
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/0b385015-e3c8-4df9-925a-d44223746693n%40list.nist.gov.
From: Simon Hoerder <si...@hoerder.net>
Date: 28 September 2023 at 12:53:48 CEST
To: "Dang, Quynh H. (Fed)" <quynh...@nist.gov>
Subject: Re: [EXT] RE: [pqc-forum] Re: Public-key validation in ML-KEM draft standard
Hi Quynh,That proposal certainly has its practical advantages. I’d call it an established and successful divide-and-conquer approach. For example, a cryptographic library can focus on implementing the cryptography, have it tested and validated. The system integrator can then reuse that library and its validation in conjunction with whatever validated TRNG they have in their crypto module and take the whole thing to module validation. For hardware accelerators, it also allows for a neat separation of quite different functionalities that get combined at [crypto] module level.Having to do a combined algorithm and TRNG validation is possible but sounds needlessly painful to me. Not least of all because on the developer side your TRNG expert and your lattice expert probably are different people. Maybe they even work for different companies or in different time zones. For the evaluation lab, I’d still expect different experts to do the certification even if the likelihood of both working for the same company in the same building is higher.Sure, people can misuse the input for the random string and turn it into a foot gun. But the same can be said of overly complex implementations and certification projects where everything is connected to everything without clear boundaries.Best,SimonOn 28 Sep 2023, at 12:21, 'Dang, Quynh H. (Fed)' via pqc-forum <pqc-...@list.nist.gov> wrote:
Hi Joost and all,
Thank you for the comment/discussion.
( My discussions do not represent any views or thoughts of any other person or group. I am seeking technical correctness, perfection/betterness (if possible) and understanding.)
I heard a comment from someone which said that the 32-byte random string should be treated as an input to the function so that testing would be easier. With this, how this seed is generated is the system matter, not matter with the Encap. The caller just passes a 32-byte array to the Encap along with a right size public key.
What do you think ?
Regards,
Quynh.
From: Joost Renes <joost...@nxp.com>
To view this discussion on the web visit https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/MW4PR09MB1005987BED0DBB9E5BB44C6AEF3C1A%40MW4PR09MB10059.namprd09.prod.outlook.com.
Hi Markku,
> [Markku]: “All in all, no one has suggested that all error codes are ignored.”
> [Peter]: “In languages that don't support returning exceptions (like C), you'd have to fail by returning a non-zero value. […] Generally, forcing the caller to deal with non-zero return codes also adds complexity for the caller.”
Our understanding of Peter’s original message was that the main advantage of option 2.) was that caller did *not* have to deal with return codes (or can just ignore them).
If the caller has to deal with return error codes regardless (e.g., for the RNG), which we believe to be true, then this advantage is non-existent.
How exactly the abort should be handled and specified could still be discussed of course.
Kind regards,
Joost
Hi Joost,
Again, thank you for the input.
( My discussions do not represent any views or thoughts of any other person or group. I am seeking technical correctness, perfection/betterness (if possible) and understanding.)
See my comment below.
From: Joost Renes <joost...@nxp.com>
Sent: Thursday, September 28, 2023 5:50 AM
To: Dang, Quynh H. (Fed) <quynh...@nist.gov>; Markku-Juhani O. Saarinen <mjos....@gmail.com>; pqc-forum <pqc-...@list.nist.gov>
Cc: Peter Schwabe <pe...@cryptojedi.org>
Subject: RE: [EXT] RE: [pqc-forum] Re: Public-key validation in ML-KEM draft standard
Hi Peter, Markku, Quynh, all,
Thank you for your comments on public-key validation of Kyber.
Below the point of view from NXP.
Firstly, could you please quantify what the expected saving is of removing this boundary check?
With respect to the remainder of the Encapsulation, this seems negligible.
[Dang, Quynh H. (Fed)] Yes, it is a very small cost. But a KEM’s encap will be run for decades. The wasted cycles would be huge collectively. And, the modulus check does not provide any security benefits as far as I can see.
The caller of an Encap can make sure passing only a public key with correct length to it and how the caller handles various issues can be considered as a system matter.
Regards,
Quynh.
You might still want a check with a comment like. C users will need to perform this check.