Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces

"Hao, Feng" <> Mon, 22 June 2020 17:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2E5803A107C for <>; Mon, 22 Jun 2020 10:20:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.8
X-Spam-Status: No, score=-1.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kBNTQQ1TUBcn for <>; Mon, 22 Jun 2020 10:20:52 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2DEFC3A107E for <>; Mon, 22 Jun 2020 10:20:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=YW+feYHGH2GMy5tMD7ssokrn7iDqocI09E4B4qBAmyHj9wJ6DTVOpXgXW9B0IgLUwi4IgNlbNe/LrwF07EH73G2Syvextn23knMt5lLHc18Hemhgt2XY4Lh39hLpXvj8dZTVE0xDBSH7AOOtllL5sn5Hg+zDtvEWnk9s013CoH6LHv1XJmF59xlA91jGfMnBbUL1O+3NNA5/EBfrUhASIXKZGRez+KJtA7jnfsQLdSKe21ZC12785DTwhL72En6ROskD9JhGA29vQPue4brhV857sTer5je3qbFq0c3f6dNVhmObqCDC7+XZPCRDqFv4+w6TSZnXLG2D3w3A/FPpXA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Yn6xEvIsigd38OkvXm+WwweJA+QBD3Y3THziubcc2WM=; b=CIcVAMzfTzDuYOgOIuILn78DAAze0RccBUfJut34zrLMCaN9eESqjuEqToN80pYZyKHersfypYNx/QoKssVGvW4EzRcSHFDNa2CHnTZbEBLQYe/DxAAt0ugvA9N8PqPl/i5en/KO/DuQyO4FnNU093zdJ7D+huyiSlWkpYoY21je3MVuU1/DKfHqjKyYuEHAGXmN1OsqMHXk+fAi0r/x8KPkjrzCtwl17CAKYci4+qwoDoSaqjsHRz/GXpYxykSZ4C/iuQKLihnR7iFs9sfla9Dg+t4Eh2pslcRalHa/JXSCfzdr69TWS90Vo0Y2EWtCHmSPfsFawlVds9EmexCIww==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
Received: from (2603:10a6:803:65::27) by (2603:10a6:800:193::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.23; Mon, 22 Jun 2020 17:20:49 +0000
Received: from ([fe80::dd1c:bb47:e1be:cc52]) by ([fe80::dd1c:bb47:e1be:cc52%6]) with mapi id 15.20.3109.027; Mon, 22 Jun 2020 17:20:49 +0000
From: "Hao, Feng" <>
To: Dan Brown <>, Hugo Krawczyk <>, Loup Vaillant-David <>, "<>" <>
Thread-Topic: [Cfrg] Using ephemeral DH in lieu of fresh nonces
Thread-Index: AQHWSKY9Eg6uxJ8U8EOiX/JtUel+Wajkv8IAgAAypQA=
Date: Mon, 22 Jun 2020 17:20:49 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-GB
user-agent: Microsoft-MacOutlook/16.37.20051002
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0d19384c-cfa1-4230-de33-08d816d09bd5
x-ms-traffictypediagnostic: VI1PR01MB7023:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 0442E569BC
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BletWOvrc6zaapburxFXRjgZgWLErSdnoKkcd87+GzXF1UmCGXT7mjfugVFt9s6AZnLqgqTh6OIMyQrt8ssAJWxe8TF+GCJhBGWIqqFBL1JET0cwbszM0U8FmscQSG8GhAH8gF8QyvQoiKRDkOJ91NpLNfkFLbqx4vt6daGF8ozXxUCa1zNkIwfag+GPxahvdDFhBt8LifXFV3fX/e4HiTvG7W6s6LLSePHKilp/HqkD69pHDjUxrrSUO3n/goeY+lSC5VUjD/9gdzg126Dc/2r/T0xrgMNtHqldr45rV+CzalfoWvzfnUPisx1+xqSK66KGtMlDKKHUxWllBRvtY8dZ25PgR3LWYMifz0V1FOMf4bwGuTitZT8+RGl3anqTzvtMZ6jxP070xnNAZgcX7qKyWXkmcLadogf5+8V8ktqspz3zUbqvt605lbM2emCT
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM;; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(136003)(376002)(346002)(366004)(396003)(39860400002)(9326002)(6486002)(86362001)(166002)(8936002)(5660300002)(8676002)(64756008)(66446008)(91956017)(66476007)(83380400001)(76116006)(33656002)(71200400001)(66946007)(66556008)(53546011)(26005)(2906002)(6512007)(186003)(966005)(6506007)(478600001)(316002)(110136005)(786003)(491001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: hF5eO9B3B6An59Wv7c9dLAU4Ma8ZkSokkz0mp8XZYrbWedFnarrGtzDZIpwdGPoxfZ3300hGS5f0qa7TluCUpvguoYnPI1liGnrryZiCMk0aaDypXOtM2ObkaNFWl+m/F/Q9hxx5vYwC8x6Ng9VHeuhRHZyvjA9vFV4oDrJUkJh2gEIIc8BPz8TsF9gSUOB8DdoF/VZhWm+KOli5sR/Rcq3YIeTpS80TEydM1RzA3tS5E0IKGQQWyZPfCkCa7AXUe+vhBCgLf7VIZL+d277NMHKuuRSng3gorpqEld9kdZFNe8xlr6PAtmurS0k6Wo4pdzYOUbszQfwTRFfGyLfhZuapJRAq2YLUPehF09tVEI+ySR958oDEQedHFPjf56YdJfWoHl1VFmzgBcF4wh1rYuTCrgBUvikvvbK1FSLmFh1Q2iSJcoO96gJoSUXWCJeoQsrhh1sfj+tZQ7vZ79/gmHpMIcYH0juMdrEWYScZnDE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_58869C52A2D54DF6B0C5A69C32EB0683livewarwickacuk_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0d19384c-cfa1-4230-de33-08d816d09bd5
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2020 17:20:49.5348 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Y+93DK/M2pKLnwX5NcHSqkoFbIErebLjXgp5qfCsu3xGaFeYJgGYu5ghsGBm23yRaNqqZhq6NPE/OIZ8yvWNqHs6iuOEvz2wgkIw+TLDuoo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR01MB7023
Archived-At: <>
Subject: Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Jun 2020 17:20:55 -0000


I want to second Dan that the use of nonce in a crypto protocol needs to be carefully justified, not just in a theoretical model, but considering the practical context as well. As a general principle, only items that are strictly necessary should be included in a protocol. Any small change, even though looking harmless at a glance, might be abused in some unintended way.

For example, in the Active Authentication protocol in the 1st generation of e-passport design, there is a subliminal attack that involves mis-using the nonce for tracing the movements of a passenger. This attack was not considered in the initial theoretical design as the nonce was assumed to be generated at random, but it can cause serious privacy concerns. This is one of the reasons that the AA protocol has been removed from the subsequent 2nd and 3rd generations of e-passport and is no longer recommended for implementation. The AA protocol has be replaced by BAC and later EAC (based on PACE) for chip authentication. The misuse of random data in BAC and EAC for the same privacy attack is still theoretically possible, but is much harder. More details about e-passport protocols can be found in [1].

In the post-Snowden era, if we wish to consider a state-funded attacker who may launch an algorithm substitution attack for mass surveillance (e.g., by substituting a legitimate crypto implementation in a tamper-resistant hardware module say HSM without anyone able to notice the change), many symmetric and public key algorithms that involve random factors have been shown to be potentially vulnerable, but the attacks are not always straightforward and often require heavy pre-computation. However, the use of a nonce together with an encrypted item or DH, will make the ASA attack really trivial. More details on ASA can be found in Bellare, Paterson and Rogaway, Crypto’14 [2].

With the examples above, I don’t mean to say a nonce shouldn’t be used, but we should be careful to justify the use of nonce is not only sufficient but also strictly necessary. Dan has actually already touched on these issues in his reply. I thought maybe it’s helpful to elaborate them a bit more as these issues are often overlooked.



From: Cfrg <> on behalf of Dan Brown <>
Date: Monday, 22 June 2020 at 16:20
To: Hugo Krawczyk <>il>, Loup Vaillant-David <>fr>, "<>" <>
Subject: Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces

Hi Hugo,
Good points about the advantages of nonces with ephemeral DH (for PAKE or TLS, etc.).
What about the disadvantages, such as misuse of nonces as a subliminal channel to exfiltrate keys?

Perhaps some protocols are already mitigate this disadvantage (e.g. strict patterned nonces, counters).  Perhaps nonce-misuse is non-issue due to the obscure threat model and due to the abundance of other subliminal channels (timing, non-crypto nonces, etc.)

Best regards,

From: Cfrg <> On Behalf Of Hugo Krawczyk
Sent: Monday, June 22, 2020 11:02 AM
To: Loup Vaillant-David <>fr>; <> <>
Subject: [Cfrg] Using ephemeral DH in lieu of fresh nonces

In the email below, Loup raises a natural question: Why not reuse ephemeral DH values in a protocol instead of fresh nonces?

Formalisms apart, fresh non-repeating session identifiers are essential for many reasons: against replay attacks, for binding session flows together, avoiding  "composition attacks" (e.g., where flows from different sessions are mixed-and-matched), ensuring domain separation, etc. A natural implementation of session id's uses session-specific fresh random nonces. An equally natural question (and I think your email was referring to this issue) is why not use the ephemeral DH in lieu of random nonces, after all these values are selected as fresh random values for each session.

A generic reason (which I strongly advocate) for not doing so is that one should avoid having the same element in the protocol to serve  two separate functionalities/roles (in this case it would be using a DH value as key share and also as nonce/sessionid). This results in fragile protocols that can easily go wrong with variants of the protocol or when the protocol evolves over time, and is prone to bad implementations. For example, if one of the roles of this element is not  required anymore (due to changes in the protocol or changes in the setting where the protocol operates), the element may be changed "without remembering" that it had this other role.

Concretely, in the case of using ephemeral DH values for freshness, there are good practical examples where security breaks with the dual use of these values. For example, an application may decide (e.g., for performance reasons) that they do not need "perfect" forward secrecy, but that a one-minute forward-secrecy window of repeated ephemeral DH values is enough for the application. With repeated DH values used as session ids, the uniqueness of the session id is gone.  This is also the case of applications that need to avoid forward secrecy at all (see requests for a static version of TLS 1.3 in the TLS mailing list). Yet another example is the SIGMA-I protocol (used in TLS 1.3 and IKEv1). If the initiator sends g^x in the first message, this value can be used against replay attacks in the responder's signature. Then, someone decides (and there may be good reasons for that) to send g^x only in the third message and you lose your anti-replay mechanism.

Mea culpa: I have used ephemeral DH values in the dual functionality of key shares and session identifiers in several of my papers for the sake of analysis/notation simplicity. But you should not do it when building real-world implementations. In the SIGMA instantiation in draft-krawczyk-cfrg-opaque, for example, nonces are used in addition to DH values. (See also appendix B of<> )


On Fri, Jun 19, 2020 at 12:34 PM Loup Vaillant-David <<>> wrote:
>>From the latest draft:<>

""" Let sid be a session id byte string chosen for each protocol
""" session before protocol execution; The length len(sid) SHOULD be
""" larger or equal to 16 bytes.

""" It is RECOMMENDED sid, is generated by sampling ephemeral random
""" strings.

Unlike ZPAD, The draft doesn't explain this recommendation.
What problem may occur if we omit sid altogether?

Even if G ends up being reused across several sessions, I don't believe
there's any way to tell, because Ya and Yb are uniformly distributed if
ya and yb are indeed random. I feel like I'm missing something.


Cfrg mailing list<><>
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.