Re: [Cfrg] Help with the use of contexts

Tibor Jager <> Sun, 05 February 2017 07:48 UTC

List-Id: Crypto Forum Research Group <>

On 03/02/2017 13:55, Ilari Liusvaara wrote:
> On Fri, Feb 03, 2017 at 09:16:11AM +0100, Tibor Jager wrote:
>> On 30 January 2017 at 12:40, Paterson, Kenny <>
>> wrote:
>>> So: does anyone else want to offer an opinion on the question of
>> Contexts are a clean and relatively simple way to prevent cross-protocol
>> attacks, in particular when implemented in as simple a way as proposed
>> by Adam and Dan.
> Unfortunately, in practice those are anything but clean and simple.
> Yes, the theoretical notion is pretty simple (where (context,message)
> tuple replaces the message in standard notion of signature security).
> The biggest practical problem: Backwards compatibility, the ever-present
> nemesis of security.

We do not have to change old protocols in order to enable domain separation
via contexts in new protocols:

- Old protocols: keep signing messages as before: sig = Sign(sk, m)
- New protocols: sign messages as sig = Sign(sk, ctx||m)

Here, ctx is a "unique" and sufficiently large context string, which even
in presence of an attacker is unlikely to occur in the message m of any
existing protocol. For example, one could use the ASCII string "TLS 1.3 TLS
1.3 TLS 1.3 ...", repeating "TLS 1.3" a suitable number of times. The
symbol || denotes concatenation of bytes, possibly with a NULL-byte as a

This is how I understand the solution pointed to by Adam and explained by
Dan, and it seems similar in spirit to (but simpler than) what Natanael
described. In particular, it seems not to break backwards compatibility
with existing protocols, but would allow a smooth transition to the use of
contexts to achieve domain separation, and thus help to prevent
cross-protocol attacks.
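The scheme sketched in the message above (old protocols sign m, new protocols sign ctx||m) as a runnable illustration. This is an added example and not code from the mail or from any CFRG draft. It assumes an HMAC-SHA256 stand-in for Sign/Verify (a real deployment would use a signature scheme such as Ed25519, but the domain-separation logic is identical), a context string built by repeating "TLS 1.3" four times, and a single NULL byte as the separator between ctx and m; all keys and messages are constructed.

```python
import hashlib
import hmac

# Assumption: the context is "TLS 1.3" repeated a fixed number of times (4 here),
# followed by a NULL byte as the separator mentioned in the mail.
CONTEXT = b" ".join([b"TLS 1.3"] * 4)
SEPARATOR = b"\x00"


def _sign(sk: bytes, data: bytes) -> bytes:
    # Stand-in for Sign(sk, data): HMAC-SHA256 (assumption, not a real signature scheme).
    return hmac.new(sk, data, hashlib.sha256).digest()


def _verify(sk: bytes, data: bytes, sig: bytes) -> bool:
    # Stand-in for Verify(pk, data, sig), using constant-time comparison.
    return hmac.compare_digest(_sign(sk, data), sig)


def sign_old(sk: bytes, m: bytes) -> bytes:
    # Old protocol, unchanged: sig = Sign(sk, m)
    return _sign(sk, m)


def verify_old(sk: bytes, m: bytes, sig: bytes) -> bool:
    return _verify(sk, m, sig)


def sign_new(sk: bytes, m: bytes) -> bytes:
    # New protocol: sig = Sign(sk, ctx || m)
    return _sign(sk, CONTEXT + SEPARATOR + m)


def verify_new(sk: bytes, m: bytes, sig: bytes) -> bool:
    return _verify(sk, CONTEXT + SEPARATOR + m, sig)


def conflicts_with_context(old_message: bytes) -> bool:
    # The scheme relies on no legitimate old-protocol message ever starting with
    # ctx || separator; this is the invariant a deployment has to check.
    return old_message.startswith(CONTEXT + SEPARATOR)


def cross_protocol_check(sk: bytes, m: bytes) -> dict:
    # Exercise every combination of signer and verifier for one message m and
    # report which ones accept. Only the matching pairs should, apart from the
    # known case where the old verifier is handed the literal bytes ctx || m.
    sig_old = sign_old(sk, m)
    sig_new = sign_new(sk, m)
    return {
        "old_sig_old_verify": verify_old(sk, m, sig_old),
        "new_sig_new_verify": verify_new(sk, m, sig_new),
        # An old-protocol signature on m cannot be replayed into the new protocol.
        "old_sig_new_verify": verify_new(sk, m, sig_old),
        # A new-protocol signature on m cannot be replayed into the old protocol as a signature on m.
        "new_sig_old_verify": verify_old(sk, m, sig_new),
        # It is, by construction, an old-protocol signature on the bytes ctx || m,
        # which is harmless exactly when conflicts_with_context() is never true
        # for real old-protocol messages.
        "new_sig_old_verify_on_ctx_m": verify_old(sk, CONTEXT + SEPARATOR + m, sig_new),
    }


if __name__ == "__main__":
    sk = bytes(range(32))          # constructed key
    m = b"ServerHello example"     # constructed message
    for name, ok in cross_protocol_check(sk, m).items():
        print(f"{name}: {ok}")
```

The last entry in the report is the reason the mail insists on a context that is "unlikely to occur in the message m of any existing protocol": the new-protocol signature is a perfectly valid old-protocol signature over the byte string ctx||m, so the separation only holds if no old protocol ever signs or accepts a message with that prefix.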