Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)

Atul Luykx <Atul.Luykx@esat.kuleuven.be> Tue, 14 February 2017 16:17 UTC

Return-Path: <atul.luykx@esat.kuleuven.be>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA38A129686 for <cfrg@ietfa.amsl.com>; Tue, 14 Feb 2017 08:17:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctSJYDinWtbq for <cfrg@ietfa.amsl.com>; Tue, 14 Feb 2017 08:17:57 -0800 (PST)
Received: from cavuit02.kulnet.kuleuven.be (rhcavuit02.kulnet.kuleuven.be [IPv6:2a02:2c40:0:c0::25:130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E29BA12962B for <cfrg@irtf.org>; Tue, 14 Feb 2017 08:17:56 -0800 (PST)
X-KULeuven-Envelope-From: atul.luykx@esat.kuleuven.be
X-KULeuven-Scanned: Found to be clean
X-KULeuven-ID: 5522A128046.AAE7E
X-KULeuven-Information: Katholieke Universiteit Leuven
Received: from icts-p-smtps-1.cc.kuleuven.be (icts-p-smtps-1e.kulnet.kuleuven.be [134.58.240.33]) by cavuit02.kulnet.kuleuven.be (Postfix) with ESMTP id 5522A128046 for <cfrg@irtf.org>; Tue, 14 Feb 2017 17:17:53 +0100 (CET)
Received: from hydrogen.esat.kuleuven.be (hydrogen.esat.kuleuven.be [134.58.56.153]) by icts-p-smtps-1.cc.kuleuven.be (Postfix) with ESMTP id 519D4403B; Tue, 14 Feb 2017 17:17:53 +0100 (CET)
Received: from cobalt.esat.kuleuven.be (cobalt.esat.kuleuven.be [134.58.56.187]) by hydrogen.esat.kuleuven.be (Postfix) with ESMTP id 4B5AF2002C; Tue, 14 Feb 2017 17:17:53 +0100 (CET)
Received: from webmail.esat.kuleuven.be (localhost [127.0.0.1]) by cobalt.esat.kuleuven.be (Postfix) with ESMTP id 468FB40; Tue, 14 Feb 2017 17:17:53 +0100 (CET)
Received: from c-73-71-218-252.hsd1.ca.comcast.net ([73.71.218.252]) by webmail.esat.kuleuven.be with HTTP (HTTP/1.1 POST); Tue, 14 Feb 2017 17:17:53 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Date: Tue, 14 Feb 2017 08:17:53 -0800
X-Kuleuven: This mail passed the K.U.Leuven mailcluster
From: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
In-Reply-To: <D4C85054.2FDA4%qdang@nist.gov>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CABkgnnVrFGHe0eKREXbG_pv=y18ouopZsE2c5+Czz0HAGko6rg@mail.gmail.com> <D4C331C7.86224%kenny.paterson@rhul.ac.uk> <VI1PR8303MB0094D686941D99290BB431FCAB590@VI1PR8303MB0094.EURPRD83.prod.outlook.com> <D4C73D19.2FB4B%qdang@nist.gov> <D4C85054.2FDA4%qdang@nist.gov>
Message-ID: <be49d59e37339cbaea8fef9bdb2a8971@esat.kuleuven.be>
X-Sender: aluykx@esat.kuleuven.be
User-Agent: ESAT webmail service, powered by Roundcube
X-Virus-Scanned: clamav-milter 0.99.2 at cobalt
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/dKPcoQeh2jYBzRnhYquU2fcN0F0>
Cc: Antoine Delignat-Lavaud <antdl@microsoft.com>, IRTF CFRG <cfrg@irtf.org>, tls@ietf.org
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2017 16:18:00 -0000

Hey Quynh,

> When someone says AES-128 has 128 bits of security he or she means
> that 2^128 AES operations will break the cipher with probability 100%:
> finding the key and the plaintext.
The claim is stronger: regardless of the number of plaintext-ciphertext 
pairs available to the adversary, it will still take roughly 2^128 
operations to recover the key with AES. This contrasts with any mode of 
operation, where adversarial success probability increases according to 
the amount of data available and the computational complexity required 
to perform such an attack is not the limiting factor (which is the core 
of the problem we're discussing right now).

Regardless, correct me if I'm wrong Quynh, but you seem to have two 
issues with Eric's text:
1. the data limit recommendation is too strict, and
2. it only gives a data limit in terms of full records.

For point 1 it seems like most people would rather err on the side of 
caution instead of recommending that people switch when adversaries have 
success probability 2^{-32}. I don't see the discussion progressing on 
this point, and basically a decision needs to be made.

I don't think point 2 is a problem because it gives people a good enough 
heuristic, however this can be fixed easily by minimally modifying the 
original text.

Atul


On 2017-02-14 03:59, Dang, Quynh (Fed) wrote:
> Hi Markulf and all,
> 
> I provided more explanation below.
> 
>  From: 'Quynh' <Quynh.Dang@nist.gov>
> Date: Monday, February 13, 2017 at 10:45 AM
> To: Markulf Kohlweiss <markulf@microsoft.com>om>, "Paterson, Kenny"
> <Kenny.Paterson@rhul.ac.uk>uk>, Sean Turner <sean@sn3rd.com>
> Cc: Antoine Delignat-Lavaud <antdl@microsoft.com>om>, IRTF CFRG
> <cfrg@irtf.org>rg>, "<tls@ietf.org>" <tls@ietf.org>
> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs
> (#765/#769)
> 
>> Hi Markulf,
>> 
>> The probability of a bad thing to happen is actually below (or
>> about) 2^(-33). It practically won’t happen when the chance is 1
>> in 2^32. And, to achieve that chance, you must collect 2^48 128-bit
>> blocks.
>> 
>> Regards,
>> Quynh.
>> 
>> From: TLS <tls-bounces@ietf.org> on behalf of Markulf Kohlweiss
>> <markulf@microsoft.com>
>> Date: Monday, February 13, 2017 at 10:34 AM
>> To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>uk>, Sean Turner
>> <sean@sn3rd.com>
>> Cc: Antoine Delignat-Lavaud <antdl@microsoft.com>om>, IRTF CFRG
>> <cfrg@irtf.org>rg>, "<tls@ietf.org>" <tls@ietf.org>
>> Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage"
>> PRs (#765/#769)
>> 
>>> Hello,
>>> 
>>> Our analysis of miTLS also supports option a)
>>> 
>>> A security level of 2^-32 seems too low from a provable security
>>> point of view, especially for a confidentiality bound.
> 
> When someone says AES-128 has 128 bits of security he or she means
> that 2^128 AES operations will break the cipher with probability 100%:
> finding the key and the plaintext.  It does not mean that attackers
> have only 2^(-128) chance of success. If an attacker could run 2^100
> AES operations, his or her chance of success is way below 2^(-32):
> this does not mean that AES has a security level of 2^(-32) or
> 2^(-28).
> 
> The success probability 1/2^32 means that after 2^48 AES operations,
> the attacker has a success probability of 2^-32 which is practically
> zero.
> 
> Also, many users don’t know what “confidentiality bound” means.
> 
> The current text Eric wrote talks about a number 2^24.5 of full-size
> records. In many situations, the record sizes are not full size, but
> different sizes. My latest suggestion text does not assume full size
> records, it covers variable record sizes, it just counts AES-input
> blocks or AES operations.
> 
> Regards,
> Quynh.
> 
>> We verified an implementation of the TLS 1.3 record
>> (https://eprint.iacr.org/2016/1178, to appear at Security & Privacy
>> 2017) where we arrive at a combined bound for authenticity and
>> confidentiality that is compatible with the Iwata et al. bound.
>> 
>> Regards,
>> Markulf (for the miTLS team)
>> 
>> Hi,
>> 
>> My preference is to go with the existing text, option a).
>> 
>> From the github discussion, I think option c) involves a less
>> conservative
>> security bound (success probability for IND-CPA attacker bounded by
>> 2^{-32} instead of 2^{-60}). I can live with that, but the WG should
>> be
>> aware of the weaker security guarantees it provides.
>> 
>> I do not understand option b). It seems to rely on an analysis of
>> collisions of ciphertext blocks rather than the established security
>> proof
>> for AES-GCM.
>> 
>> Regards,
>> 
>> Kenny
>> 
>> On 10/02/2017 05:44, "Cfrg on behalf of Martin Thomson"
>> <cfrg-bounces at irtf.org on behalf of martin.thomson at gmail.com>
>> wrote:
>> 
>> On 10 February 2017 at 16:07, Sean Turner <sean at sn3rd.com> wrote:
>> 
>> a) Close these two PRs and go with the existing text [0]
>> b) Adopt PR#765 [1]
>> c) Adopt PR#769 [2]
>> 
>> a) I'm happy enough with the current text (I've implemented that any
>> 
>> it's relatively easy).
>> 
>> I could live with c, but I'm opposed to b. It just doesn't make
>> sense.
>> It's not obviously wrong any more, but the way it is written it is
>> very confusing and easily open to misinterpretation.
>> 
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg at irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls