Paper 2024/523
Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK
Abstract
In "Keeping up with the KEMs", Cremers et al. introduced various binding models for KEMs. The authors show that ML-KEM is LEAK-BIND-K-CT and LEAK-BIND-K-PK, i.e. that the shared secret binds the ciphertext and the public key against an adversary who can read the key material but cannot manipulate it. They further conjecture that ML-KEM is MAL-BIND-K-PK but not MAL-BIND-K-CT, the binding of public key or ciphertext to the shared secret against an attacker who is able to manipulate the key material. This short paper demonstrates that ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK, because the attacker can produce malformed private keys, and gives concrete examples for both. We also suggest mitigations, and sketch a proof that both ciphertext and public key are bound when the attacker cannot manipulate the private key as liberally.
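The abstract attributes both failures to malformed private keys and mentions mitigations without listing them. The following added example (my own code, not from the paper or from ePrint) shows two defensive measures a decapsulator can apply around ML-KEM-768: refusing a decapsulation key whose embedded hash does not match its own encapsulation key, and re-deriving the shared secret so that it depends on the public key and ciphertext. The decapsulation-key layout (dk_PKE || ek || H(ek) || z, with H = SHA3-256) follows my reading of FIPS 203 and is not stated on this page; the domain-separation label and the demo key material are constructed for the example, and the demo key is not a valid ML-KEM key.

```python
import hashlib
import hmac

# ML-KEM-768 (k = 3). Decapsulation-key layout as I read it from FIPS 203,
# not something stated on this page:
#   dk = dk_PKE || ek || H(ek) || z
#   |dk_PKE| = 384*k, |ek| = 384*k + 32, |H(ek)| = 32, |z| = 32
K = 3
DK_PKE_LEN = 384 * K                      # 1152 bytes
EK_LEN = 384 * K + 32                     # 1184 bytes
DK_LEN = DK_PKE_LEN + EK_LEN + 32 + 32    # 2400 bytes


def H(data: bytes) -> bytes:
    """ML-KEM's hash function H is SHA3-256."""
    return hashlib.sha3_256(data).digest()


def split_dk(dk: bytes):
    """Split a serialized ML-KEM-768 decapsulation key into its four fields."""
    if len(dk) != DK_LEN:
        raise ValueError(f"expected {DK_LEN}-byte decapsulation key, got {len(dk)}")
    dk_pke = dk[:DK_PKE_LEN]
    ek = dk[DK_PKE_LEN:DK_PKE_LEN + EK_LEN]
    h = dk[DK_PKE_LEN + EK_LEN:DK_PKE_LEN + EK_LEN + 32]
    z = dk[DK_PKE_LEN + EK_LEN + 32:]
    return dk_pke, ek, h, z


def dk_is_consistent(dk: bytes) -> bool:
    """True iff the hash stored inside dk equals H(ek) for the embedded ek.

    A decapsulation key whose stored hash disagrees with its own encapsulation
    key is malformed; a decapsulator should reject it before running Decaps.
    """
    try:
        _, ek, h, _ = split_dk(dk)
    except ValueError:
        return False
    return hmac.compare_digest(h, H(ek))


def bind_shared_secret(k: bytes, ek: bytes, ct: bytes) -> bytes:
    """Re-derive the KEM output so it depends on the public key and ciphertext.

    K' = SHA3-256(label || H(ek) || H(ct) || K). Two parties holding different
    (ek, ct) pairs cannot end up with the same K', whatever the raw KEM did.
    The label is a constructed domain separator for this example.
    """
    if len(k) != 32:
        raise ValueError("ML-KEM shared secrets are 32 bytes")
    return hashlib.sha3_256(b"ML-KEM-768 bind v1" + H(ek) + H(ct) + k).digest()


def make_demo_dk(seed: bytes) -> bytes:
    """Build bytes with the layout of an ML-KEM-768 decapsulation key.

    dk_PKE, ek and z are deterministic filler derived from `seed` (constructed
    for this example; NOT a valid ML-KEM key), while the stored hash is
    computed honestly so that the consistency check passes.
    """
    filler = hashlib.shake_256(seed).digest(DK_PKE_LEN + EK_LEN + 32)
    dk_pke = filler[:DK_PKE_LEN]
    ek = filler[DK_PKE_LEN:DK_PKE_LEN + EK_LEN]
    z = filler[DK_PKE_LEN + EK_LEN:]
    return dk_pke + ek + H(ek) + z


if __name__ == "__main__":
    dk = make_demo_dk(b"demo")
    print("well-formed key accepted:", dk_is_consistent(dk))
    corrupted = bytearray(dk)
    corrupted[-33] ^= 0x01  # flip one bit in the stored hash field
    print("corrupted key accepted:", dk_is_consistent(bytes(corrupted)))
```

The consistency check only covers the one inconsistency it looks at (stored hash versus embedded ek); it does not validate dk_PKE or z. The re-derivation step is independent of the check and is the more general safeguard: it makes the final key depend on exactly the values a protocol wants bound, regardless of how the underlying KEM behaves on adversarial keys.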
Metadata
- Category: Public-key cryptography
- Publication info: Preprint.
- Keywords: ML-KEM, binding, invisible salamanders
- Contact author(s): sschmieg @ google com
- History: 2024-04-03: received; 2024-04-06: approved
- Short URL: https://ia.cr/2024/523
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/523,
  author = {Sophie Schmieg},
  title = {Unbindable Kemmy Schmidt: {ML}-{KEM} is neither {MAL}-{BIND}-K-{CT} nor {MAL}-{BIND}-K-{PK}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/523},
  year = {2024},
  url = {https://eprint.iacr.org/2024/523}
}