Re: [Cfrg] TLS PRF security proof?
"Igoe, Kevin M." <kmigoe@nsa.gov> Tue, 08 July 2014 19:56 UTC
Definitely useful in the long run, but in the short run no one is going to modify more than a small fraction of the existing TLS deployments. Perhaps in TLS 1.3.

Any chance of cooking up a security proof for the existing PRF? I'm not optimistic since HMAC_k is a coalescent function => the HMAC_k^t(m) eventually starts to cycle. Typically the time to fall onto the cycle and the length of the cycle are both about sqrt(N), but the usual random map model gives a quantifiable probability of falling onto a far shorter cycle in a far shorter time. A low enough probability to be of little practical concern, but still a possible source of problems.

> -----Original Message-----
> From: Cfrg [mailto:cfrg-bounces@irtf.org] On Behalf Of Andy Lutomirski
> Sent: Tuesday, July 08, 2014 3:24 PM
> To: Dan Brown
> Cc: cfrg@irtf.org
> Subject: Re: [Cfrg] TLS PRF security proof?
>
> On Tue, Jul 8, 2014 at 12:19 PM, Dan Brown <dbrown@certicom.com> wrote:
> >
> > Dear CFRG list,
> >
> > Is there a published security proof for the current TLS PRF in the draft TLS 1.3?
>
> Would it be useful if CFRG were to publish a recommended PRF? Perhaps something using a modern hash function combiner using (HMAC-)SHA-512 and either SHA-3 or something from the Salsa/ChaCha family as the base?
>
> --Andy
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
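To make the random-map estimate in the message above concrete, here is an added example (not code from the thread or from any TLS implementation) that iterates the A(i) = HMAC(secret, A(i-1)) chain of the TLS 1.2 P_hash PRF with the HMAC output truncated to a tiny state space, so the tail and cycle of HMAC_k^t(m) can actually be observed; the truncation, the constructed secrets and the function names are assumptions for illustration only, and the last function compares the observed rho length with the sqrt(pi*N/2) prediction and reports how often a chain repeats within sqrt(N) steps.

```python
import hashlib
import hmac
import math

def hmac_chain_step(secret: bytes, n_bytes: int):
    """The A(i) = HMAC(secret, A(i-1)) chain of TLS 1.2 P_hash, with the HMAC output
    truncated to n_bytes (an illustration-only assumption: N = 256**n_bytes states)."""
    def step(a: bytes) -> bytes:
        return hmac.new(secret, a, hashlib.sha256).digest()[:n_bytes]
    return step

def tail_and_cycle(step, a0: bytes):
    """Iterate step() from a0 until a state repeats; exact, by remembering states.
    Returns (mu, lam): mu = steps before the chain enters its cycle (the tail),
    lam = cycle length. mu + lam is the number of steps until the first repeat."""
    first_seen, a, i = {}, a0, 0
    while a not in first_seen:
        first_seen[a] = i
        a, i = step(a), i + 1
    mu = first_seen[a]
    return mu, i - mu

def verify_rho(step, a0: bytes, mu: int, lam: int) -> bool:
    """Check that the state reached after mu steps recurs exactly lam steps later."""
    a = a0
    for _ in range(mu):
        a = step(a)
    b = a
    for _ in range(lam):
        b = step(b)
    return lam >= 1 and a == b

def prob_repeat_within(k: int, n_states: int) -> float:
    """Random-map model: probability that a chain repeats within k steps,
    approx 1 - exp(-k^2 / (2N)); the 'quantifiable probability' of a short rho."""
    return 1.0 - math.exp(-(k * k) / (2.0 * n_states))

def experiment(n_bytes: int = 2, trials: int = 40, label: bytes = b"constructed"):
    """Run chains under distinct constructed secrets. Returns (mean observed rho,
    random-map prediction sqrt(pi*N/2), fraction of chains with rho <= sqrt(N))."""
    n_states, rhos = 256 ** n_bytes, []
    for t in range(trials):
        secret = hashlib.sha256(label + t.to_bytes(4, "big")).digest()  # constructed key
        step = hmac_chain_step(secret, n_bytes)
        mu, lam = tail_and_cycle(step, b"\x00" * n_bytes)
        assert verify_rho(step, b"\x00" * n_bytes, mu, lam)
        rhos.append(mu + lam)
    short = sum(1 for r in rhos if r <= math.isqrt(n_states)) / trials
    return sum(rhos) / trials, math.sqrt(math.pi * n_states / 2), short
```

With the real, untruncated HMAC-SHA256 the same model puts the expected rho near 2^128 steps, far beyond any key-expansion length, which is why the message above calls the risk of little practical concern while still quantifiable.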