Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces

Dan Brown <> Mon, 22 June 2020 15:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C82E33A0BF1 for <>; Mon, 22 Jun 2020 08:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jRitQuYX38yi for <>; Mon, 22 Jun 2020 08:19:40 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6A8913A0BE5 for <>; Mon, 22 Jun 2020 08:19:39 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id 05MFIoch119772; Mon, 22 Jun 2020 11:19:32 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=corp19; bh=YyyXiczPn1tbPKMz/xjmZLhFBltfTaWf1ZNHV4MieeQ=; b=uLK8AjeTFuIFbd6hOpR0DS66pKILQo03OYcb5T3LFVBuPBKkkq+o7g61ptag0GQFhnnG CK1ZZm3mRsfK7V/oAA67Tvw1eYYwdyC1e4F5e/JNHmGDkR1eEN5zyB/Th6pwVQnhTunH w46goK3uYdDyb2WUtNnp1gr+iQgXEAeqAsD2Qn0tNcIf+YIkbRtVrjerqsEiBTumZjIE EW5blPkxa2+KTbxo/hQEDbVmMlHZPk/ZxMYV9cEgNuGCwQshF91+OuevEHyXDxWyVMkJ wkDSPpqCXRdE/y7eS1N2y3sW9Z+Ak8GAN0H9zwoCDyhRSL4hZg4Xxt2fKutfAcsZvZEe 6A==
Received: from ( []) by with ESMTP id 31seavm6tt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 22 Jun 2020 11:19:32 -0400
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 22 Jun 2020 11:19:32 -0400
Received: from ([fe80::ac8d:3541:704c:478a]) by ([fe80::ac8d:3541:704c:478a%5]) with mapi id 15.01.1913.007; Mon, 22 Jun 2020 11:19:32 -0400
From: Dan Brown <>
To: Hugo Krawczyk <>, Loup Vaillant-David <>, "<>" <>
Thread-Topic: [Cfrg] Using ephemeral DH in lieu of fresh nonces
Thread-Index: AQHWSKYmikeQFbsqOkmXt4xvq8L1H6jku+DA
Date: Mon, 22 Jun 2020 15:19:32 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.; boundary="----=_NextPart_000_004F_01D64886.FF53FC40"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.216, 18.0.687 definitions=2020-06-22_09:2020-06-22, 2020-06-22 signatures=0
Archived-At: <>
Subject: Re: [Cfrg] Using ephemeral DH in lieu of fresh nonces
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Jun 2020 15:19:45 -0000

Hi Hugo,

Good points about the advantages of nonces with ephemeral DH (for PAKE or TLS, etc.).

What about the disadvantages, such as misuse of nonces as a subliminal channel to exfiltrate keys?  


Perhaps some protocols are already mitigate this disadvantage (e.g. strict patterned nonces, counters).  Perhaps nonce-misuse is non-issue due to the obscure threat model and due to the abundance of other subliminal channels (timing, non-crypto nonces, etc.)


Best regards,




From: Cfrg <> On Behalf Of Hugo Krawczyk
Sent: Monday, June 22, 2020 11:02 AM
To: Loup Vaillant-David <>fr>; <> <>
Subject: [Cfrg] Using ephemeral DH in lieu of fresh nonces


In the email below, Loup raises a natural question: Why not reuse ephemeral DH values in a protocol instead of fresh nonces?


Formalisms apart, fresh non-repeating session identifiers are essential for many reasons: against replay attacks, for binding session flows together, avoiding  "composition attacks" (e.g., where flows from different sessions are mixed-and-matched), ensuring domain separation, etc. A natural implementation of session id's uses session-specific fresh random nonces. An equally natural question (and I think your email was referring to this issue) is why not use the ephemeral DH in lieu of random nonces, after all these values are selected as fresh random values for each session. 


A generic reason (which I strongly advocate) for not doing so is that one should avoid having the same element in the protocol to serve  two separate functionalities/roles (in this case it would be using a DH value as key share and also as nonce/sessionid). This results in fragile protocols that can easily go wrong with variants of the protocol or when the protocol evolves over time, and is prone to bad implementations. For example, if one of the roles of this element is not  required anymore (due to changes in the protocol or changes in the setting where the protocol operates), the element may be changed "without remembering" that it had this other role. 


Concretely, in the case of using ephemeral DH values for freshness, there are good practical examples where security breaks with the dual use of these values. For example, an application may decide (e.g., for performance reasons) that they do not need "perfect" forward secrecy, but that a one-minute forward-secrecy window of repeated ephemeral DH values is enough for the application. With repeated DH values used as session ids, the uniqueness of the session id is gone.  This is also the case of applications that need to avoid forward secrecy at all (see requests for a static version of TLS 1.3 in the TLS mailing list). Yet another example is the SIGMA-I protocol (used in TLS 1.3 and IKEv1). If the initiator sends g^x in the first message, this value can be used against replay attacks in the responder's signature. Then, someone decides (and there may be good reasons for that) to send g^x only in the third message and you lose your anti-replay mechanism.


Mea culpa: I have used ephemeral DH values in the dual functionality of key shares and session identifiers in several of my papers for the sake of analysis/notation simplicity. But you should not do it when building real-world implementations. In the SIGMA instantiation in draft-krawczyk-cfrg-opaque, for example, nonces are used in addition to DH values. (See also appendix B of <>  )




On Fri, Jun 19, 2020 at 12:34 PM Loup Vaillant-David < <> > wrote:

>From the latest draft: <> 

""" Let sid be a session id byte string chosen for each protocol
""" session before protocol execution; The length len(sid) SHOULD be
""" larger or equal to 16 bytes.

""" It is RECOMMENDED sid, is generated by sampling ephemeral random
""" strings.

Unlike ZPAD, The draft doesn't explain this recommendation.
What problem may occur if we omit sid altogether?

Even if G ends up being reused across several sessions, I don't believe
there's any way to tell, because Ya and Yb are uniformly distributed if
ya and yb are indeed random. I feel like I'm missing something.


Cfrg mailing list <> <> 

This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.