It is widely known that elliptic curve Diffie-Hellman is vulnerable to maliciously crafted public keys, where an honestly generated private key combined with a malicious public key may result in predictable output. Are KEM algorithms resistant to similar attacks?
Consider the following scenario with respect to KEM algorithms in general. Mallory creates an encapsulating key and sends it to Alice. Alice carries out an encapsulation operation using a good-quality random source, getting a shared secret and a ciphertext. One would hope that even if Mallory created the encapsulating key maliciously, the shared secret and ciphertext still have good entropy, and there is no way for Mallory or anyone else to guess them before Alice sends the ciphertext to Mallory.
Is there a name for the security property described above? (As in a name like IND-CCA2 or MAL-BIND-K-CT, making it easy to search for)
Is this security property an explicit goal in KEM design, or is it a side effect of some other security properties considered in KEM design, or is it generally not considered?
Do existing KEMs have this security property? I'm mostly interested in ML-KEM, as it is the only one standardized by NIST at the moment, but answers about other KEMs are welcome too.
Background: consider the following protocol:
- Bob generates a KEM keypair and sends the encapsulating key to Alice
- Alice does an encapsulation, sends the ciphertext to Bob, then encrypts a message with a symmetric AEAD cipher using the shared secret as key and sends the message ciphertext to Bob
- Bob does a decapsulation, and uses the shared secret to decrypt Alice's secret message
(This is essentially the pqNN handshake in Post Quantum Noise.)
If the KEM being used does not have the aforementioned security property, then across multiple transactions, either Bob or an active MitM can use malicious encapsulation keys to force the same shared secret, leading to catastrophic key reuse.
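As an added illustration (not part of the question or of any answer, and not a full ML-KEM implementation), the following Python isolates the two steps of ML-KEM encapsulation that bear on a maliciously chosen encapsulating key: the input checks FIPS 203 requires before ML-KEM.Encaps (the type check on the key length and the modulus check that every coefficient of the encoded t vector is below q = 3329, Section 7.2), and the derivation (K, r) = G(m ‖ H(ek)) from Algorithm 17, where m is 32 fresh random bytes chosen by the encapsulator, H is SHA3-256 and G is SHA3-512. The K-PKE encryption that produces the ciphertext from r is omitted, and the sample keys are constructed (an all-zero t vector), not real ML-KEM keys; the parameter k = 3 is ML-KEM-768.

```python
import hashlib
import secrets

Q = 3329          # ML-KEM modulus q
K_RANK = 3        # module rank k; 3 is ML-KEM-768 (ek is 384*k + 32 bytes)


def byte_decode_12(b: bytes) -> list[int]:
    """Unpack 384 bytes into 256 12-bit coefficients, little-endian bit order
    as in FIPS 203 ByteDecode_12 (without the mod-q reduction, so that
    out-of-range coefficients stay visible to the modulus check)."""
    if len(b) != 384:
        raise ValueError("a packed polynomial is exactly 384 bytes")
    bits = int.from_bytes(b, "little")
    return [(bits >> (12 * i)) & 0xFFF for i in range(256)]


def byte_encode_12(coeffs: list[int]) -> bytes:
    """Inverse of byte_decode_12 (FIPS 203 ByteEncode_12)."""
    bits = 0
    for i, c in enumerate(coeffs):
        bits |= (c & 0xFFF) << (12 * i)
    return bits.to_bytes(384, "little")


def encaps_key_check(ek: bytes, k: int = K_RANK) -> bool:
    """Input validation FIPS 203 Section 7.2 requires before ML-KEM.Encaps.
    Type check: ek must be 384*k + 32 bytes.
    Modulus check: re-encoding the decoded t vector must reproduce ek,
    which holds exactly when every coefficient is < q."""
    if len(ek) != 384 * k + 32:
        return False
    t_bytes = ek[: 384 * k]          # the remaining 32 bytes are the seed rho
    for i in range(k):
        coeffs = byte_decode_12(t_bytes[384 * i: 384 * (i + 1)])
        if any(c >= Q for c in coeffs):
            return False
    return True


def derive_shared_secret(ek: bytes, m: bytes) -> tuple[bytes, bytes]:
    """First step of ML-KEM.Encaps_internal (FIPS 203 Algorithm 17):
    (K, r) = G(m || H(ek)) with H = SHA3-256 and G = SHA3-512.
    K is the 32-byte shared secret, r the 32-byte randomness fed to K-PKE."""
    if len(m) != 32:
        raise ValueError("m must be 32 bytes")
    h_ek = hashlib.sha3_256(ek).digest()
    kr = hashlib.sha3_512(m + h_ek).digest()
    return kr[:32], kr[32:]


def alice_encapsulation_step(ek: bytes) -> tuple[bytes, bytes]:
    """What Alice does with a received ek: reject malformed keys, then draw
    her own fresh m and derive K from it. K therefore depends on Alice's
    randomness and on H(ek), never on ek alone."""
    if not encaps_key_check(ek):
        raise ValueError("encapsulation key failed FIPS 203 input checks")
    m = secrets.token_bytes(32)       # Alice's good-quality randomness
    return derive_shared_secret(ek, m)


if __name__ == "__main__":
    # Constructed sample keys, not real ML-KEM keys.
    ek_ok = bytes(384 * K_RANK) + bytes(32)                     # all coefficients 0
    ek_bad = b"\xff\x0f" + bytes(384 * K_RANK - 2) + bytes(32)  # coefficient 0 = 4095 >= q
    print("well-formed key accepted:", encaps_key_check(ek_ok))
    print("out-of-range key rejected:", not encaps_key_check(ek_bad))
    k1, _ = alice_encapsulation_step(ek_ok)
    k2, _ = alice_encapsulation_step(ek_ok)
    print("two encapsulations to the same ek give different K:", k1 != k2)
```

Two things the block makes concrete: the modulus check is what an implementation is required to run on a peer-supplied encapsulating key before using it, and the shared secret K is a hash output whose input includes the 32 bytes m that only Alice chooses, so fixing ek does not fix K.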