Paper 2024/523

Unbindable Kemmy Schmidt: ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK

Sophie Schmieg, Google
Abstract

In "Keeping up with the KEMs" Cremers et al. introduced various binding models for KEMs. The authors show that ML-KEM is LEAK-BIND-K-CT and LEAK-BIND-K-PK, i.e. the shared secret binds the ciphertext and the public key against an adversary who can read, but not manipulate, the key material. They further conjecture that ML-KEM is MAL-BIND-K-PK but not MAL-BIND-K-CT, the corresponding binding of the public key or ciphertext to the shared secret against an adversary who can also manipulate the key material. This short paper demonstrates that ML-KEM is neither MAL-BIND-K-CT nor MAL-BIND-K-PK, because the attacker can produce malformed private keys, and gives concrete examples for both. We also suggest mitigations, and sketch a proof that ML-KEM binds both ciphertext and public key when the attacker cannot manipulate the private key as liberally.
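The abstract says the attacks rely on malformed private keys and that mitigations exist, but does not spell them out. The following is an added example, not code from the paper or from any ML-KEM implementation, of the decapsulation-key consistency check ("hash check") that FIPS 203 Section 7.3 specifies: the ML-KEM private key is the concatenation dk_PKE || ek || H(ek) || z, and decapsulation feeds the stored H(ek) field (not a freshly computed hash of ek) into the shared-secret derivation G(m' || h), so a key whose stored hash does not match its stored ek is one concrete shape a malformed private key can take. The sample key bytes below are constructed random filler with the right lengths, not a real key pair; the check only covers the stored hash and says nothing about whether dk_PKE is consistent with ek, so it is a sanity check on untrusted key material, not a proof of any binding property.

```python
import hashlib
import random

# ML-KEM decapsulation key layout (FIPS 203, Algorithm 16):
#   dk = dk_PKE || ek || H(ek) || z
# with |dk_PKE| = 384*k, |ek| = 384*k + 32, |H(ek)| = 32, |z| = 32,
# and H = SHA3-256. k is 2, 3 or 4 for ML-KEM-512/768/1024.
PARAMS = {2: "ML-KEM-512", 3: "ML-KEM-768", 4: "ML-KEM-1024"}


def dk_length(k: int) -> int:
    """Total decapsulation key length for parameter k."""
    return 384 * k + (384 * k + 32) + 32 + 32


def parse_dk(dk: bytes):
    """Split dk into (k, dk_PKE, ek, h, z), inferring k from the length.

    Raises ValueError if the length matches no ML-KEM parameter set.
    """
    for k in PARAMS:
        if len(dk) == dk_length(k):
            n = 384 * k
            dk_pke = dk[:n]
            ek = dk[n:2 * n + 32]
            h = dk[2 * n + 32:2 * n + 64]
            z = dk[2 * n + 64:]
            return k, dk_pke, ek, h, z
    raise ValueError(f"unexpected decapsulation key length {len(dk)}")


def hash_check(dk: bytes) -> bool:
    """FIPS 203 Section 7.3 'hash check' on an untrusted decapsulation key.

    Decapsulation derives the shared secret as G(m' || h) using the h field
    stored in dk, so h must equal SHA3-256 of the ek field stored in dk.
    A malformed length or a mismatched hash is rejected.
    """
    try:
        _, _, ek, h, _ = parse_dk(dk)
    except ValueError:
        return False
    return hashlib.sha3_256(ek).digest() == h


def make_dk(k: int, dk_pke: bytes, ek: bytes, z: bytes, h: bytes = None) -> bytes:
    """Assemble a dk blob; with h=None the honest H(ek) is stored."""
    if h is None:
        h = hashlib.sha3_256(ek).digest()
    dk = dk_pke + ek + h + z
    assert len(dk) == dk_length(k), "field lengths do not match parameter k"
    return dk


def demo():
    """Constructed ML-KEM-768-sized keys: one honest, one with a swapped hash,
    one truncated. Returns the three hash_check results."""
    k = 3
    n = 384 * k
    rng = random.Random(2024)  # deterministic filler, not real polynomial encodings
    dk_pke = rng.randbytes(n)
    ek_a = rng.randbytes(n + 32)
    ek_b = rng.randbytes(n + 32)
    z = rng.randbytes(32)

    honest = make_dk(k, dk_pke, ek_a, z)
    # Malformed: ek of key A stored next to the hash of key B's ek, which is
    # something only a party that can write the private key bytes can produce.
    swapped = make_dk(k, dk_pke, ek_a, z, h=hashlib.sha3_256(ek_b).digest())
    truncated = honest[:-1]
    return hash_check(honest), hash_check(swapped), hash_check(truncated)


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check belongs wherever a decapsulation key crosses a trust boundary (loaded from storage, received from another party, or supplied by a test harness), before it is handed to decapsulation; it is cheap, one SHA3-256 over the embedded encapsulation key.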

Metadata
Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: ML-KEM, binding, invisible salamanders
Contact author(s): sschmieg @ google com
History:
2024-04-06: approved
2024-04-03: received
Short URL: https://ia.cr/2024/523
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2024/523,
      author = {Sophie Schmieg},
      title = {Unbindable Kemmy Schmidt: {ML}-{KEM} is neither {MAL}-{BIND}-K-{CT} nor {MAL}-{BIND}-K-{PK}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/523},
      year = {2024},
      url = {https://eprint.iacr.org/2024/523}
}