[Cfrg] TLS PRF security proof?
Dan Brown <dbrown@certicom.com> Tue, 08 July 2014 19:19 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEBD71A0305 for <cfrg@ietfa.amsl.com>; Tue, 8 Jul 2014 12:19:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.401
X-Spam-Level:
X-Spam-Status: No, score=0.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MANGLED_OFF=2.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_gv8NQt8vfF for <cfrg@ietfa.amsl.com>; Tue, 8 Jul 2014 12:19:42 -0700 (PDT)
Received: from smtp-p01.blackberry.com (smtp-p01.blackberry.com [208.65.78.88]) by ietfa.amsl.com (Postfix) with ESMTP id 8F3841A02D7 for <cfrg@irtf.org>; Tue, 8 Jul 2014 12:19:41 -0700 (PDT)
Received: from xct107cnc.rim.net ([10.65.161.207]) by mhs211cnc.rim.net with ESMTP/TLS/AES128-SHA; 08 Jul 2014 15:19:36 -0400
Received: from XCT116CNC.rim.net (10.65.161.216) by XCT107CNC.rim.net (10.65.161.207) with Microsoft SMTP Server (TLS) id 14.3.174.1; Tue, 8 Jul 2014 15:19:35 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT116CNC.rim.net ([::1]) with mapi id 14.03.0174.001; Tue, 8 Jul 2014 15:19:35 -0400
From: Dan Brown <dbrown@certicom.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: TLS PRF security proof?
Thread-Index: Ac+a3pfHyneQDJEcQp6NTm7HFwn/Fg==
Date: Tue, 08 Jul 2014 19:19:34 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5CB648D@XMB116CNC.rim.net>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.252]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0020_01CF9AC0.063C30C0"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/wrjU9fSQ-puQt6cnIxb_jyvxWFU
Subject: [Cfrg] TLS PRF security proof?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jul 2014 19:19:44 -0000
Dear CFRG list, Is there a published security proof for the current TLS PRF in the draft TLS 1.3? Specifically, I refer to the current TLS PRF, which I try to paraphrase here as: PRF_k ( m ) = HMAC_k( HMAC_k(m) | m) | HMAC_k ( HMAC_k^2(m) | m) | HMAC_k ( HMAC_k^3(m) | m) | . where the underscores are used to indicate a secret key input to a function, and the caret indicates repeated application of a function, and | indicates string concatenation, and the ellipsis (.) indicates to repeat (in the obvious manner by more iterations) and to truncate as needed. So, my question is if the security of PRF_k has been proved assuming some security property of HMAC_k. So far, I've scanned: http://eprint.iacr.org/2014/182 http://eprint.iacr.org/2013/339 http://eprint.iacr.org/2013/367 These three reports all seem to prove some security for TLS assuming the PRF has some security property, rather than prove the security of the TLS PRF (but apologies if I am mistaken). The 3 reports indicate the kind of security that PRF_k ought to have for its role in TLS. Naively, I'd note that the input m is public, and in some early stages of the handshake, m is subject to the modification by the adversary, but the output is usually kept secret, and needs to be kept secret, so it looks as though TLS PRF benefits from at least the standard PRF security properties. Regardless of provable security, I wonder why the TLS PRF applies a MAC to an iterated MAC tag, rather than say a counter. Anyway, it reminds me of some kind of chaining feedback mode, like CBC where blocks encrypted depend on the key, so key-dependent input is not a real concern. Even so, oughtn't there be there some simpler design, more like a counter mode, that avoids any key-dependent inputs? I would imagine that the PRF security of TLS PRF could be proved secure in the random oracle model, and perhaps if HMAC_k is some kind of secure PRF. I do not see how one could prove the PRF security of PRF_k using only the assumption that HMAC_k is a secure MAC, just because a secure MAC might be biased. If I had to whip up a PRF security proof, it would go something like this: suppose adversary A can distinguish oracle access to function PRF_k from a random function BIGRAND (with similar domain and range). Then build an adversary B that can distinguish between oracle access to function HMAC_k and a random function SMALLRAND (with same domain and range) as follows. B simulates the PRF_k oracle for A by calling her oracle for HMAC_k, per the definition of PRF_k. To finish the proof, we just need to be sure that using SMALLRAND instead of HMAC_k in the PRF_k construction yields something indistinguishable from BIGRAND. To make proving that easier, we could note that m is almost a fixed length, and the output of F is fairly short. (Under arbitrary length outputs, PRF_k built from SMALLRAND would likely start enter a periodic cycle at around block 2^128, unlike BIGRAND, but we can still have computational indistinguishability because it would take 2^128 steps just to scan the output of arbitrarily long PRF_k to detect the cycling pattern.) Best regards, Daniel Brown Research In Motion Limited
- [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Igoe, Kevin M.
- Re: [Cfrg] TLS PRF security proof? Dan Harkins
- Re: [Cfrg] TLS PRF security proof? Peter Gutmann
- Re: [Cfrg] TLS PRF security proof? Paterson, Kenny
- Re: [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Dan Brown
- Re: [Cfrg] TLS PRF security proof? Paul Hoffman
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Andy Lutomirski
- Re: [Cfrg] TLS PRF security proof? Jakob Breier
- Re: [Cfrg] TLS PRF security proof? Hugo Krawczyk
- Re: [Cfrg] TLS PRF security proof? Watson Ladd
- Re: [Cfrg] TLS PRF security proof? Hugo Krawczyk