Paper 2024/523

Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK

Sophie Schmieg, Google

In "Keeping up with the KEMs" Cremers et al. introduced various binding models for KEMs. The authors show that ML-KEM is LEAK-BIND-K-CT and LEAK-BIND-K-PK, i.e. binding the ciphertext and the public key in the case of an adversary having access to, but not being able to manipulate, the key material. They further conjecture that ML-KEM also has MAL-BIND-K-PK, but not MAL-BIND-K-CT, the binding of public key or ciphertext to the shared secret in the case of an attacker with the ability to manipulate the key material. This short paper demonstrates that ML-KEM has neither MAL-BIND-K-CT nor MAL-BIND-K-PK, due to the attacker being able to produce malformed private keys, giving concrete examples for both. We also suggest mitigations, and sketch a proof for binding both ciphertext and public key when the attacker is not able to manipulate the private key as liberally.

Category
Public-key cryptography
Keywords
ML-KEM, binding, invisible salamanders
Contact author(s)
sschmieg @ google com
2024-04-06: approved
2024-04-03: received
Creative Commons Attribution


@misc{cryptoeprint:2024/523,
      author = {Sophie Schmieg},
      title = {Unbindable Kemmy Schmidt: {ML}-{KEM} is neither {MAL}-{BIND}-K-{CT} nor {MAL}-{BIND}-K-{PK}},
      howpublished = {Cryptology ePrint Archive, Paper 2024/523},
      year = {2024},
      note = {\url{}},
      url = {}
}