Hi Stephan,

From your e-mail it's unclear which attack you worry about, but in the attached document, you describe the problem unique to the implementation of Kyber in TLS as:

> If the random number generated for the encryption operation is weak, an
> attacker may sniff the pk sent over the wire and "guess" the random number
> to obtain the shared secret ss.

This is not unique to Kyber. If an attacker can successfully guess server randomness, then they can guess the private key of the server's ephemeral ECDH keypair (checking against the server keyshare), and compute the shared secret as well.

Adding an extra ephemeral server KEM keypair to which the client encapsulates doesn't change the situation: the attacker you describe can still guess the KEM private key, and then decrypt the extra shared secret.

Best,

Bas

On Mon, Jun 19, 2023 at 10:24 AM Stephan Müller <smuel...@chronox.de> wrote:
> Hi,
>
> Post-quantum computing cryptographic algorithms are designed and available
> for use. Considering that the Kyber algorithm is going to be mandated by US
> authorities in the future as a complete replacement for asymmetric key
> exchange and agreement, a proposal integrating Kyber into TLS is specified
> with [1].
>
> This proposal, however, has one central shortcoming: only the TLS server
> contributes to the security strength of the shared secret generated by
> Kyber. This shortcoming can be solved with a slightly improved approach
> where the client and the server both, independently of each other,
> contribute to the security of the communication channel, where the channel
> even retains its security when one side has insufficient entropy.
>
> The entire analysis and the suggested proposal to address the outlined
> issue is provided with [2]. I would like to share this proposal to
> contribute to the discussion of how Kyber can be applied to TLS.
>
> [1] https://www.ietf.org/archive/id/draft-ietf-tls-hybrid-design-06.txt
>
> [2] http://www.chronox.de/papers/TLS_and_Kyber_analysis.pdf
>
> Ciao
> Stephan
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
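The point Bas makes above, that weak server randomness compromises the ECDH share and any extra server KEM share alike, can be illustrated with a small simulation. The following is an added example written for this page, not code from either author or from the hybrid draft: it stands in a toy multiplicative group mod 2^31 - 1 for both the ECDH group and the KEM (an ElGamal-style encapsulation replaces Kyber), derives the server's ECDH private key and KEM decapsulation key from one simulated DRBG seed, and combines the two shared secrets by hashing their concatenation, a stand-in for feeding them into the TLS key schedule. A passive observer who can enumerate the server's seed space rebuilds both shared secrets from the public transcript alone, however strong the client's contribution is; with a full-entropy server seed the same enumeration finds nothing. The group size, the labels "ecdh" and "kem", and the 16-bit weak seed are all constructed for the demonstration.

```python
import hashlib
import secrets

# Toy group: multiplicative group mod the Mersenne prime 2^31 - 1, generator 7.
# Constructed stand-in for the ECDH group and the KEM; not a cryptographic size.
P = 2**31 - 1
G = 7
Q = P - 1  # group order; private exponents live in [1, Q)


def kdf(label: str, seed: int) -> int:
    """Derive a private exponent from an RNG seed, modelling a DRBG output."""
    h = hashlib.sha256(label.encode() + seed.to_bytes(16, "big")).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)


def server_keygen(seed: int):
    """Server draws its ECDH private key y and KEM decapsulation key d from one RNG state."""
    y = kdf("ecdh", seed)
    d = kdf("kem", seed)
    return y, pow(G, y, P), d, pow(G, d, P)


def client_encapsulate(kem_pk: int, r: int):
    """Toy ElGamal-style KEM: ciphertext g^r, shared secret pk^r (constructed)."""
    return pow(G, r, P), pow(kem_pk, r, P)


def hybrid_secret(ss_ecdh: int, ss_kem: int) -> bytes:
    """Concatenate both shared secrets, as the hybrid design feeds them to the key schedule."""
    return hashlib.sha256(ss_ecdh.to_bytes(4, "big") + ss_kem.to_bytes(4, "big")).digest()


def honest_exchange(server_seed: int):
    """Run the hybrid exchange; the client uses strong randomness throughout."""
    x = secrets.randbelow(Q - 1) + 1   # client ECDH private key
    r = secrets.randbelow(Q - 1) + 1   # client encapsulation randomness
    X = pow(G, x, P)
    y, Y, d, D = server_keygen(server_seed)
    ct, ss_kem_client = client_encapsulate(D, r)
    ss_ecdh_client = pow(Y, x, P)
    # Server's view of both shared secrets must agree with the client's.
    assert pow(X, y, P) == ss_ecdh_client
    assert pow(ct, d, P) == ss_kem_client
    transcript = {"X": X, "Y": Y, "D": D, "ct": ct}  # everything visible on the wire
    return transcript, hybrid_secret(ss_ecdh_client, ss_kem_client)


def recover_from_transcript(transcript, seed_bits: int):
    """Passive observer: enumerate the server's seed space, match both server keyshares,
    then rebuild the ECDH and KEM shared secrets from the public values."""
    for seed in range(2**seed_bits):
        y, Y, d, D = server_keygen(seed)
        if Y != transcript["Y"] or D != transcript["D"]:
            continue
        ss_ecdh = pow(transcript["X"], y, P)
        ss_kem = pow(transcript["ct"], d, P)
        return hybrid_secret(ss_ecdh, ss_kem)
    return None


if __name__ == "__main__":
    weak_transcript, weak_key = honest_exchange(server_seed=12345)  # 16-bit seed space
    print("weak server seed, key recovered:",
          recover_from_transcript(weak_transcript, 16) == weak_key)
    strong_transcript, _ = honest_exchange(server_seed=secrets.randbits(128))
    print("strong server seed, key recovered:",
          recover_from_transcript(strong_transcript, 16) is not None)
```

The client's `x` and `r` are drawn from `secrets` in both runs, so the difference in outcome is due solely to the server's seed: a second server keyshare adds a second value derived from the same deficient RNG, not a second independent source of entropy, which is the situation the reply describes.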