Re: [quicwg/base-drafts] Reference "Nonces are Noticed" in the header protection analysis section (#3031)

Martin Thomson <notifications@github.com> Wed, 18 September 2019 01:29 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E28112012E for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:29:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.999
X-Spam-Level:
X-Spam-Status: No, score=-7.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aCNZNFz0fZXI for <quic-issues@ietfa.amsl.com>; Tue, 17 Sep 2019 18:29:53 -0700 (PDT)
Received: from out-18.smtp.github.com (out-18.smtp.github.com [192.30.252.201]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 459C012011E for <quic-issues@ietf.org>; Tue, 17 Sep 2019 18:29:53 -0700 (PDT)
Date: Tue, 17 Sep 2019 18:29:52 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1568770192; bh=8OxLlBQX7yV9KoN28ZJu3VWWjDeVTiYJQALNjMKxsyM=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=XV0RTCSsqKIfh1eHIQqQ24PLxnrdLXwcG9hdoiH/5tOX2MM6ktuvpZT7u7lUDfUak yD53v+J51li9qwbmU7K9jdJbtHPnaikNtBVLQJHcOEKNGpZSIZOnUU3Z4eGkULa5So ZgX5NfV+ZLzDNiBSC3YWUI9dCcRpFvHzf95KTXVA=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK2PDLN6TX6LJWU35LV3R2WQBEVBNHHB22UPUM@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3031/review/289626822@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3031@github.com>
References: <quicwg/base-drafts/pull/3031@github.com>
Subject: Re: [quicwg/base-drafts] Reference "Nonces are Noticed" in the header protection analysis section (#3031)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5d818890923f7_4c833f97d8ecd95c7369a"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/2DW_wpQ52dH-T_rpWFcAqmPBctI>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 01:29:55 -0000

martinthomson commented on this pull request.

I think that we're still maybe talking past each other.

> @@ -84,7 +85,7 @@ informative:
       - ins: R. Ng
       - ins: B. Tackmann
     date: 2019-06-01
-    target: https://eprint.iacr.org/2019/624
+    target: "http://dx.doi.org/10.1007/978-3-030-26948-7_9"

With a DOI, you can just cite this as: `{{?NAN=DOI.10.1007/978-3-030-26948-7_9}}` and save all that typing.  Same for the above.

> @@ -1440,12 +1441,13 @@ Header protection uses the output of the packet protection AEAD to derive
 protected_field = field XOR PRF(hp_key, sample)
 ~~~
 
-Assuming hp_key is distinct from the packet protection key, this construction
-(HN1) achieves AE2 security and therefore guarantees privacy of `field`, the
-protected packet header. One important distinction between HN1 and the header
-protection construction in this document is that the latter uses an AEAD
-algorithm as the PRF. However, since the encrypted output of an AEAD is
-pseudorandom {{DefnAEAD}}, this achieves the properties desired from a PRF.
+As `hp_key` is distinct from the packet protection key, this construction
+(HN1) achieves AE2 security as defined in {{NAN}} and therefore guarantees
+privacy of `field`, the protected packet header. One important distinction
+between HN1 and the header protection construction in this document is that
+the latter uses an AEAD algorithm as the PRF. However, since the encrypted
+output of an AEAD is pseudorandom {{DefnAEAD}}, this achieves the properties
+desired from a PRF.

This last sentence doesn't wash well for me still.

The reason that we care about the AEAD output being pseudorandom is that this is the way we select the key we use for header protection.  But that is something that the Nonces are Noticed paper should worry about in its proofs.  The important factor for us here is that we are using the HN1 construction properly.  For that, we only need to show that we are using a PRF.  To support that we just need to say that both AES-ECB and ChaCha20 are PRFs.  If that claim needs support, that requires a different paper.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3031#pullrequestreview-289626822