Score:3

Kyber-CCA-KEM - Deterministic implicit rejection

In Kyber-CCA-KEM, there's a step in the Fujisaki-Okamoto transformation where decryption failure results in a random shared secret being returned from the decapsulation call.

I have a C language project currently implementing RSA-OAEP and ECDH, and I haven't reserved a PRNG parameter for the decryption interfaces, since they use explicit rejection, have no decryption failure, or don't support CCA in the first place.

In this case, is it acceptable to return the output from a certain random oracle seeded with the ciphertext and the decryption private key?

DannyNiu: Professor Peikert, care to join?
Score:2

Let me assume that you want to use the following decapsulation algorithm:

  1. On input $sk$ and $c$:
  2. let $m' = \mathrm{Dec}(sk,c)$
  3. if $m' = \bot$ or $\mathrm{Enc}(pk,m';G(m')) \neq c$, then return $H(sk,c)$
  4. else return $H(m',c)$

The explicit-rejection version of the Fujisaki-Okamoto transform, where the decapsulation algorithm returns $\bot$ in step 3, is secure in the (Q)ROM. (See Hövelmanns, Hülsing, and Majenz (ASIACRYPT 2022) and Ge, Shan, and Xue (CRYPTO 2023).) Thus, the variant where the decapsulation algorithm returns $F(pk,c)$ for some fixed $F$ independent from $sk$ is also secure. But if it involves $sk$, as $H(sk,c)$ does, this value 'leaks' $sk$. We need to argue whether it is secure or not.

Fortunately, this variant using $H(sk,c)$ is directly treated in Chen, Lu, Jia, and Li (ISC 2022). Since Kyber's key pair (pk,sk) is (almost surely) one-to-one, we can use their theorem and the variant is secure in the QROM.

NOTE: I didn't check their proof in detail. Additional Note: Kyber might modify their FO transform according to the discussion in the PQC mailing list.

DannyNiu: I also posted this Q to the NIST PQC mailing list, and Peter Schwabe told me that's already being done in the Kyber GitHub branch dedicated to standard drafting.
xagawa: @DannyNiu You mean H(seed,c) instead of H(sk,c), right? If so, it is IND-CCA-secure and fine as in the first paragraph.
DannyNiu: I suppose yes, Peter did say "with a dedicated part of the secret key".
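As an added illustration (not code from this thread, from Kyber, or from the asker's project), here is the implicit-rejection decapsulation of the answer's steps 1-4 with the rejection key derived as H(z, c) from a dedicated secret seed z stored in sk, as the comments settle on, instead of from the decryption key. The PKE underneath is an assumed stand-in (textbook RSA over two Mersenne primes) so that the wrapper runs end to end; the names `keygen`, `encaps`, `decaps` and the hash domain tags are my own choices.

```python
import hashlib
import secrets

# Assumed stand-in PKE: textbook RSA over two Mersenne primes, present only so the
# FO wrapper below runs end to end. It is not Kyber's PKE and carries no security claim.
P, Q = (1 << 107) - 1, (1 << 127) - 1      # M107 and M127 are Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
M_LEN, R_LEN = 16, 12                        # m || r is 224 bits, below the ~234-bit N
BLOCK = 1 << (8 * (M_LEN + R_LEN))

def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated, length-prefixed hash standing in for Kyber's G / H / KDF."""
    h = hashlib.sha3_256(tag)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

def pke_enc(pk: int, m: bytes, r: bytes) -> bytes:
    """Enc(pk, m; r): deterministic once r is fixed, which the re-encryption check needs."""
    return pow(int.from_bytes(m + r, "big"), E, pk).to_bytes(32, "big")

def pke_dec(d: int, c: bytes) -> bytes:
    """Always returns 16 bytes: garbage for a bad ciphertext, caught by re-encryption."""
    x = pow(int.from_bytes(c, "big"), d, N) % BLOCK
    return x.to_bytes(M_LEN + R_LEN, "big")[:M_LEN]

def keygen():
    z = secrets.token_bytes(32)               # dedicated rejection seed, stored in sk
    return N, (D, N, z)                       # sk also carries pk, as Kyber's sk does

def encaps(pk: int):
    m = secrets.token_bytes(M_LEN)
    c = pke_enc(pk, m, H(b"G", m)[:R_LEN])    # coins r = G(m)
    return H(b"K", m, c), c

def decaps(sk, c: bytes) -> bytes:
    """No PRNG input: a rejected ciphertext always maps to the same key H(z, c)."""
    d, pk, z = sk
    m = pke_dec(d, c)
    c2 = pke_enc(pk, m, H(b"G", m)[:R_LEN])   # re-encrypt with the same coins
    ok = secrets.compare_digest(c, c2)
    k_acc, k_rej = H(b"K", m, c), H(b"K", z, c)   # H(z, c), never H(d, c)
    mask = 0xFF if ok else 0x00               # cmov-style select; Python is not constant-time
    return bytes(b ^ ((a ^ b) & mask) for a, b in zip(k_acc, k_rej))
```

Because the rejection key depends only on (z, c), repeated decapsulation of the same tampered ciphertext yields the same key and needs no randomness parameter on the decapsulation interface.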