IETF Logo Mail Archive

[Cfrg] TLS PRF security proof?

Dan Brown <dbrown@certicom.com> Tue, 08 July 2014 19:19 UTC

Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEBD71A0305 for <cfrg@ietfa.amsl.com>; Tue, 8 Jul 2014 12:19:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.401
X-Spam-Level:
X-Spam-Status: No, score=0.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MANGLED_OFF=2.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_gv8NQt8vfF for <cfrg@ietfa.amsl.com>; Tue, 8 Jul 2014 12:19:42 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 8F3841A02D7 for <cfrg@irtf.org>; Tue, 8 Jul 2014 12:19:41 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 08 Jul 2014 15:19:36 -0400
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 8 Jul 2014 15:19:35 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT116CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Tue, 8 Jul 2014 15:19:35 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: TLS PRF security proof?
Thread-Index: Ac+a3pfHyneQDJEcQp6NTm7HFwn/Fg==
Date: Tue, 08 Jul 2014 19:19:34 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CB648D@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0020_01CF9AC0.063C30C0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/wrjU9fSQ-puQt6cnIxb_jyvxWFU
Subject: [Cfrg] TLS PRF security proof?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 19:19:44 -0000

Dear CFRG list,

 

Is there a published security proof for the current TLS PRF in the draft TLS
1.3?  

 

Specifically, I refer to the current TLS PRF, which I try to paraphrase here
as:

 

PRF_k ( m ) = HMAC_k( HMAC_k(m) | m) | HMAC_k ( HMAC_k^2(m) | m) | HMAC_k (
HMAC_k^3(m) | m) | .

 

where the underscores are used to indicate a secret key input to a function,
and the caret indicates repeated application of a function, and | indicates
string concatenation, and the ellipsis (.) indicates to repeat (in the
obvious manner by more iterations) and to truncate as needed.  So, my
question is if the security of PRF_k has been proved assuming some security
property of HMAC_k.  So far, I've scanned:

http://eprint.iacr.org/2014/182

http://eprint.iacr.org/2013/339

http://eprint.iacr.org/2013/367

 

These three reports all seem to prove some security for TLS assuming the PRF
has some security property, rather than prove the security of the TLS PRF
(but apologies if I am mistaken).

 

The 3 reports indicate the kind of security that PRF_k ought to have for its
role in TLS.  Naively, I'd note that the input m is public, and in some
early stages of the handshake, m is subject to the modification by the
adversary, but the output is usually kept secret, and needs to be kept
secret, so it looks as though TLS PRF benefits from at least the standard
PRF security properties.  

 

Regardless of provable security, I wonder why the TLS PRF applies a MAC to
an iterated MAC tag, rather than say a counter.  Anyway, it reminds me of
some kind of chaining feedback mode, like CBC where blocks encrypted depend
on the key, so key-dependent input is not a real concern. Even so, oughtn't
there be there some simpler design, more like a counter mode, that avoids
any key-dependent inputs?  

 

I would imagine that the PRF security of TLS PRF could be proved secure in
the random oracle model, and perhaps if HMAC_k is some kind of secure PRF.
I do not see how one could prove the PRF security of PRF_k using only the
assumption that HMAC_k is a secure MAC, just because a secure MAC might be
biased.

 

If I had to whip up a PRF security proof, it would go something like this:
suppose adversary A can distinguish oracle access to function PRF_k from a
random function BIGRAND (with similar domain and range).  Then build an
adversary B that can distinguish between oracle access to function HMAC_k
and a random function SMALLRAND (with same domain and range) as follows.  B
simulates the PRF_k oracle for A by calling her oracle for HMAC_k, per the
definition of PRF_k.  To finish the proof, we just need to be sure that
using SMALLRAND instead of HMAC_k in the PRF_k construction yields something
indistinguishable from BIGRAND.  To make proving that easier, we could note
that m is almost a fixed length, and the output of F is fairly short.
(Under arbitrary length outputs, PRF_k built from SMALLRAND would likely
start enter a periodic cycle at around block 2^128, unlike BIGRAND, but we
can still have computational indistinguishability because it would take
2^128 steps just to scan the output of arbitrarily long PRF_k to detect the
cycling pattern.)

 

Best regards,

 


Daniel Brown


Research In Motion Limited

v2.23.0 | Report a Bug | By Email