Re: [Cfrg] [TLS] Document on increasing the lifetime of session keys

"Stanislav V. Smyshlyaev" <> Sun, 28 August 2016 14:42 UTC

Date: Sun, 28 Aug 2016 17:42:20 +0300
From: "Stanislav V. Smyshlyaev" <>
To: Eric Rescorla <>
Cc: Mihir Bellare <>, <>
Subject: Re: [Cfrg] [TLS] Document on increasing the lifetime of session keys

Dear Eric,

Thank you for your comment - indeed, re-keying mechanisms based on secret state are widely used in protocols (key trees have been usual practice in ESP with GOST ciphers for more than 10 years, for example). My point is that a simple (e.g. without any additional keys or structures) and effective mechanism to increase the block cipher modes' limits on plaintext size can be helpful in itself, without incorporating it into a protocol.

About the connection with the TLS 1.3 draft - for example, we don't want the GCM mode to be defined inside some protocol RFC; it should be defined separately, shouldn't it? So the question is whether, if such mechanisms are needed, separate documents on them can be a better solution.

And my primary point here is about stateless techniques: as follows from the preprint I cited before, the key lifetime for CTR can be increased quadratically, for example.

Kindest regards,
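As an added illustration (not code from this thread or from the preprint under discussion), here are the two re-keying flavours side by side for CTR mode: a stateless (parallel) derivation of per-segment subkeys straight from the master key, and a chained (serial) derivation that requires tracking state. HMAC-SHA256 standing in for the PRF, the labels, and the tiny segment size are all assumptions made for the demonstration.

```python
import hmac
import hashlib

BLOCK = 16
# Constructed, deliberately tiny per-subkey limit so the re-keying is visible;
# real per-key limits for CTR/GCM are on the order of 2^32 blocks or more.
SEGMENT_BLOCKS = 4


def prf(key: bytes, label: bytes, idx: int) -> bytes:
    # HMAC-SHA256 stands in for the PRF / block cipher (assumption, not the preprint's construction).
    return hmac.new(key, label + idx.to_bytes(8, "big"), hashlib.sha256).digest()


def parallel_subkey(master: bytes, i: int) -> bytes:
    # Stateless (parallel) re-keying: each subkey comes directly from the master key and the
    # segment index, so any segment can be encrypted or decrypted without earlier state.
    return prf(master, b"parallel", i)


def serial_subkey(master: bytes, i: int) -> bytes:
    # Serial (chained) re-keying: walk the chain K_{j+1} = PRF(K_j, "chain") and use
    # PRF(K_i, "segment") as the i-th subkey; the user must keep state or replay from 0.
    chain = master
    for _ in range(i):
        chain = prf(chain, b"chain", 0)
    return prf(chain, b"segment", 0)


def ctr_xor(master: bytes, data: bytes, subkey_fn) -> bytes:
    # CTR mode over 16-byte blocks. Block b uses the subkey of segment b // SEGMENT_BLOCKS
    # with counter b % SEGMENT_BLOCKS, so no subkey ever processes more than SEGMENT_BLOCKS
    # blocks. Encryption and decryption are the same operation.
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        seg, ctr = divmod(off // BLOCK, SEGMENT_BLOCKS)
        keystream = prf(subkey_fn(master, seg), b"ctr", ctr)[:BLOCK]
        chunk = data[off:off + BLOCK]
        out += bytes(x ^ y for x, y in zip(chunk, keystream))
    return bytes(out)


def blocks_per_subkey(n_blocks: int) -> dict:
    # How many blocks each subkey actually sees for a message of n_blocks blocks.
    counts = {}
    for b in range(n_blocks):
        counts[b // SEGMENT_BLOCKS] = counts.get(b // SEGMENT_BLOCKS, 0) + 1
    return counts
```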

From: Eric Rescorla
Sent: Sunday, 28 August 2016, 16:52
To: Stanislav V. Smyshlyaev
Cc:; Mihir Bellare; Paul Lambert; Paterson, Kenny; Mike Hamburg; <>
Subject: Re: [TLS] Document on increasing the lifetime of session keys


TLS 1.3 incorporates a rekeying mechanism (KeyUpdate) similar to that of Abdalla and Bellare 1(b).


On Sun, Aug 28, 2016 at 3:48 AM, Stanislav V. Smyshlyaev <> wrote:

Dear colleagues,

Since there is considerable interest in the question of increasing session key lifetime (several productive off-the-list personal discussions about CryptoPro key meshing algorithms and [link] started after the Friday posting), maybe we should think about starting work on a document on efficient re-keying mechanisms (techniques without secret state and/or techniques with it, like in M. Abdalla and M. Bellare's work, [link]) for common cipher modes (CTR, CCM, GCM, CBC, CFB) in CFRG?

If you consider it reasonable, we can prepare a first version of such a draft based on our results (both those included in our preprint and new ones we are currently working on) before IETF 97, to be able to have a discussion on this issue there in Seoul.

Kindest regards,
Stanislav Smyshlyaev
