--- This message came from the IEEE 802.11 Working Group Reflector ---
Hello,

Using KEMs is a relatively new technique and due to their nature there are certain attacks that are possible if they are not used carefully. These attacks are outlined in this paper:

https://eprint.iacr.org/2023/1933

These are "unknown keyshare attacks", also known as "identity mis-binding attacks", where an attacker is able to trick one side of the exchange into thinking the protocol finished with the attacker and the other thinks it finished with the peer. See figures 2 and 3 in the paper.

Due to the internal nature of ML-KEM, in which the output keying material is bound to the public key that generated it (see FIPS 203, algorithm 17 line 1 and algorithm 18 line 6), an unknown keyshare attack is probably not possible against the protocol described in 11-25/1303r1. But it would be more robust if the protocol followed the suggestions from the aforementioned paper. That is, bind the output key expressly to the ciphertext before exporting it from the protocol. It would also make sense to bind it to the public key as a backstop in the event that this protocol is used with a future KEM which might not internally do what ML-KEM does. I would suggest binding a transcript digest of the exchange—which will have both the public key and ciphertext—with the shared secret to produce the output key. This is a "best practice" which is being done by other protocols as they become PQC-aware (see TLS, IKE, and EDHOC). Unsurprisingly, this is the technique being proposed in 11-25/1108r1.

regards,

Dan.

--
"the object of life is not to be on the side of the majority, but to escape finding oneself in the ranks of the insane." – Marcus Aurelius
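The transcript-binding step the message recommends, as an added example that is not part of the message, of 11-25/1303r1 or of 11-25/1108r1: the KEM shared secret is fed through an HKDF whose salt is a digest of the public key and ciphertext, beside the weak pattern of exporting the shared secret directly. The KEM values, the HKDF choice (RFC 5869 over SHA-256) and the `CONTEXT` label are assumptions; the constants are constructed stand-ins, not real ML-KEM encodings.

```python
import hashlib
import hmac

# Hypothetical context label; the real protocols define their own (not given here).
CONTEXT = b"example-kem-output-key"

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def transcript_digest(pk: bytes, ct: bytes) -> bytes:
    """Digest of what a side saw on the wire: the KEM public key and the
    ciphertext, length-prefixed so the encoding is unambiguous."""
    h = hashlib.sha256()
    for part in (pk, ct):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def unbound_output_key(ss: bytes) -> bytes:
    """Weak pattern: export the KEM shared secret itself. Nothing in the
    result records which pk/ct the exporting side believes it used."""
    return ss

def bound_output_key(ss: bytes, pk: bytes, ct: bytes) -> bytes:
    """Recommended pattern: derive the output key from ss AND the transcript
    digest, so two sides agree on a key only if they saw the same pk and ct."""
    prk = hkdf_extract(transcript_digest(pk, ct), ss)
    return hkdf_expand(prk, CONTEXT, 32)

def views_diverge(ss: bytes, pk_view_a: bytes, pk_view_b: bytes, ct: bytes) -> bool:
    """True when two parties holding the same ss but differing on which public
    key was in play end up with different keys, i.e. the mis-binding is caught."""
    return bound_output_key(ss, pk_view_a, ct) != bound_output_key(ss, pk_view_b, ct)

# Constructed placeholder values (constructed for this example, not real KEM output).
SS = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
PK_PEER = b"\x01" * 32
PK_OTHER = b"\x02" * 32
CT = b"\x03" * 32
```

With the unbound pattern both sides hold identical keys regardless of whose public key each believed it was talking to; with the bound pattern the keys differ and the protocol fails instead of completing silently.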