Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Fri, 10 February 2017 19:06 UTC
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>, Sean Turner <sean@sn3rd.com>
Date: Fri, 10 Feb 2017 19:06:46 +0000
Message-ID: <D4C3BE6A.86847%kenny.paterson@rhul.ac.uk>
References: <352D31A3-5A8B-4790-9473-195C256DEEC8@sn3rd.com> <CABkgnnVrFGHe0eKREXbG_pv=y18ouopZsE2c5+Czz0HAGko6rg@mail.gmail.com> <D4C331C7.86224%kenny.paterson@rhul.ac.uk> <D4C31FC4.2F5AF%qdang@nist.gov> <D4C3A5C5.86620%kenny.paterson@rhul.ac.uk> <D4C37519.2F85F%qdang@nist.gov>
In-Reply-To: <D4C37519.2F85F%qdang@nist.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/yTI4TyZx4Yh80yppqa38c063QoE>
Cc: IRTF CFRG <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [Cfrg] [TLS] Closing out tls1.3 "Limits on key usage" PRs (#765/#769)
Hi,

On 10/02/2017 18:56, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:

>Dear Kenny,
>
>From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
>Date: Friday, February 10, 2017 at 12:22 PM
>To: 'Quynh' <Quynh.Dang@nist.gov>, Sean Turner <sean@sn3rd.com>
>Cc: IRTF CFRG <cfrg@irtf.org>, "<tls@ietf.org>" <tls@ietf.org>
>Subject: Re: [TLS] [Cfrg] Closing out tls1.3 "Limits on key usage" PRs
>(#765/#769)
>
>>Dear Quynh,
>>
>>On 10/02/2017 12:48, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>
>>>Hi Kenny,
>>>
>>>>Hi,
>>>>
>>>>My preference is to go with the existing text, option a).
>>>>
>>>>From the github discussion, I think option c) involves a less
>>>>conservative security bound (success probability for IND-CPA attacker
>>>>bounded by 2^{-32} instead of 2^{-60}). I can live with that, but the
>>>>WG should be aware of the weaker security guarantees it provides.
>>>>
>>>>I do not understand option b). It seems to rely on an analysis of
>>>>collisions of ciphertext blocks rather than the established security
>>>>proof for AES-GCM.
>>>>
>>>My suggestion was based on counting. I analyzed AES-GCM in TLS 1.3 as
>>>being a counter-mode encryption and each counter is a 96-bit nonce ||
>>>32-bit counter. I don't know if there is another kind of proof that is
>>>more precise than that.
>>
>>Thanks for explaining. I think, then, that what you are doing is (in
>>effect) accounting for the PRP/PRF switching lemma that is used (in a
>>standard way) as part of the IND-CPA security proof of AES-GCM. One can
>>obtain a greater degree of precision by using the proven bounds for
>>IND-CPA security of AES-GCM. These incorporate the "security loss" coming
>>from the PRP/PRF switching lemma. The current best form of these bounds
>>is due to Iwata et al. This is precisely what we analyse in the note at
>>http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf - specifically, see
>>equations (5) - (7) on page 6 of that note.
>>
>
>I reviewed the paper more than once. I highly value the work. I suggested
>to reference your paper in the text. I think the result in your paper
>is the same as what is being suggested when the collision probability
>allowed is 2^(-32).

Thanks for this feedback.

I guess my confusion arises from wondering what you mean by collision
probability and why you care about it. There are no collisions in the
block cipher's outputs per se, because AES is a permutation for each
choice of key. And collisions in the ciphertext blocks output by AES-GCM
are irrelevant to its formal security analysis.

On the other hand, when in the proof of IND-CPA security of AES-GCM one
switches from a random permutation (which is how we model AES) to a random
function (which is what we need to argue in the end that the plaintext is
masked by a one-time pad, giving indistinguishability), then one needs to
deal with the probability that collisions occur in the function's outputs
but not in the permutation's. This ends up being the main contribution to
the security bound in the proof for IND-CPA security.

Is that what you are getting at? If so, then we are on the same page, and
what remains is to decide whether a 2^{-32} bound is a good enough
security margin.

Regards,

Kenny
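A worked form of the calculation the message is about, added here as an example; it is not part of the thread and not code from the cited note. It assumes that the IND-CPA bound for AES-GCM with 96-bit nonces is dominated by the PRP/PRF switching term (sigma + q + 1)^2 / 2^129, where sigma is the number of plaintext blocks over q records, one block-cipher call per record produces the tag mask and one call derives the hash key; that form of the Iwata et al. bound is my reading of it, and the function names and the 2^14-byte record size (the maximum TLS plaintext fragment) are my choices. The script inverts the term to find how many full-size records can be encrypted under one key while the attacker's success probability stays below a chosen target, so the 2^{-60} and 2^{-32} figures in the discussion can be compared directly.

```python
"""Switching-lemma term of the AES-GCM IND-CPA bound and the per-key record
limit it implies for a target attacker advantage.

Assumed bound (96-bit nonces; see the lead-in, this is an assumption):
    Adv_IND-CPA <= Adv_PRP(AES) + (sigma + q + 1)^2 / 2^(n+1)
with n = 128, sigma = total plaintext blocks, q = number of records.
"""
import math

AES_BLOCK_BITS = 128
TLS_MAX_RECORD_BYTES = 2 ** 14  # maximum TLS plaintext fragment length


def blocks_per_record(record_bytes: int, n: int = AES_BLOCK_BITS) -> int:
    """Block-cipher calls needed for the counter-mode keystream of one record."""
    return -(-record_bytes * 8 // n)  # ceiling division


def blockcipher_calls(q: int, record_bytes: int, n: int = AES_BLOCK_BITS) -> int:
    """Total AES calls across q records: sigma + q + 1.

    sigma: keystream blocks; q: one E_K(N || 0^31 1) per record for the tag
    mask; 1: the hash key H = E_K(0^n). This is the same count a
    'counter-mode with 96-bit nonce || 32-bit counter' view arrives at.
    """
    sigma = q * blocks_per_record(record_bytes, n)
    return sigma + q + 1


def switching_term_log2(q: int, record_bytes: int, n: int = AES_BLOCK_BITS) -> float:
    """log2 of (sigma + q + 1)^2 / 2^(n+1): the permutation-vs-function
    'collision' term that dominates the IND-CPA bound."""
    return 2 * math.log2(blockcipher_calls(q, record_bytes, n)) - (n + 1)


def within_bound(q: int, record_bytes: int, log2_target: int,
                 n: int = AES_BLOCK_BITS) -> bool:
    """Exact integer check that (sigma+q+1)^2 / 2^(n+1) <= 2^log2_target,
    for a target given as a non-positive integer exponent (e.g. -60)."""
    calls = blockcipher_calls(q, record_bytes, n)
    return calls ** 2 * 2 ** (-log2_target) <= 2 ** (n + 1)


def max_records(log2_target: int, record_bytes: int,
                n: int = AES_BLOCK_BITS) -> int:
    """Largest q with ((b+1)*q + 1)^2 <= 2^(n+1+log2_target), b = blocks per
    record. Solved exactly in integers with isqrt, then double-checked."""
    b = blocks_per_record(record_bytes, n)
    limit = math.isqrt(2 ** (n + 1 + log2_target))  # max allowed call count
    q = (limit - 1) // (b + 1)
    assert within_bound(q, record_bytes, log2_target, n)
    assert not within_bound(q + 1, record_bytes, log2_target, n)
    return q


def log2_max_records(log2_target: int,
                     record_bytes: int = TLS_MAX_RECORD_BYTES) -> float:
    """Record limit as a power of two, the way the TLS text states it."""
    return math.log2(max_records(log2_target, record_bytes))


if __name__ == "__main__":
    for target in (-60, -32):
        q = max_records(target, TLS_MAX_RECORD_BYTES)
        term = switching_term_log2(q, TLS_MAX_RECORD_BYTES)
        print(f"target 2^{target}: at most {q} full-size records "
              f"(about 2^{math.log2(q):.1f}), term = 2^{term:.2f}")
```

With 2^14-byte records the script gives roughly 2^24.5 records for a 2^{-60} target and roughly 2^38.5 for 2^{-32}: relaxing the target by 28 bits buys 14 bits of records, because the term is quadratic in the number of block-cipher calls. The within_bound check works in exact integers so the limit is not subject to floating-point rounding at the boundary.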