[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt

Peter C <Peter.C@ncsc.gov.uk> Thu, 25 July 2024 22:19 UTC

From: Peter C <Peter.C@ncsc.gov.uk>
To: Douglas Stebila <dstebila@gmail.com>
Date: Thu, 25 Jul 2024 22:19:06 +0000
Message-ID: <LO2P123MB7051E29B165EFEC592222197BCAB2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
References: <171234865099.12734.12883553523407106230@ietfa.amsl.com> <LO2P123MB70511E279A74AD16F80D4302BCAA2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <82F867E8-288F-43C2-8EB4-8187277862CD@gmail.com> <LO2P123MB7051576F64BB991B9969B799BCAB2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <79C26F7F-6C33-448F-BEAB-0758D014E960@gmail.com>
In-Reply-To: <79C26F7F-6C33-448F-BEAB-0758D014E960@gmail.com>
CC: TLS List <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1tKu0Xj-tAzID78qdkktOr0q28I>

Douglas,

> > It's not exactly due to the point formats, at least for X25519.  The RFC 7748
> > security considerations highlight that "for each public key, there are several
> > publicly computable public keys that are equivalent to it, i.e., they produce
> > the same shared secrets".  Assuming the early secret doesn't change, this
> > means equivalent public keys will produce the same handshake secrets and
> > the same master secrets.  The transcript hash does give you different
> > handshake traffic secrets and application traffic secrets, but I think that's too
> > late in the key schedule for [DOWLING].

> The proof in [DOWLING] only aims to prove that the handshake traffic secrets
> and application traffic secrets are secure, not that the handshake secrets and
> master secrets are secure, so for that purpose it should be okay that the
> transcript hash is incorporated a little later in the key schedule.

Sorry, I only meant that in Theorem 5.2 the dual-snPRF-ODH assumption is used
in Game B.2 to replace the handshake secret with a uniformly random value which
then allows the handshake traffic secrets to be replaced with uniformly random
values in Game B.3 using the PRF assumption on HKDF.Expand and the fact that
the labels are distinct.  Equivalent public keys mean that the handshake secret
is not indistinguishable from random and the proof fails at Game B.2.  The distinct
labels in Game B.3 only imply that the handshake traffic secrets will be different,
not that they are indistinguishable.

Peter
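Added illustration of the point in this exchange (example code, not from the thread, [DOWLING] or the draft): an X25519 public key and the same u-coordinate with its ignored top bit set give the same shared secret, so the TLS 1.3 handshake secret is identical for both, while the transcript-hash-dependent handshake traffic secrets differ. It embeds a pure-Python RFC 7748 ladder and a single-block HKDF so it runs offline; the RFC 7748 test vector is real, the transcript bytes are constructed stand-ins.

```python
import hashlib, hmac
P, HASH, HLEN = 2**255 - 19, hashlib.sha256, 32

def _decode_u(b):
    # RFC 7748 s5: the top bit of the encoded u-coordinate is ignored, then u is reduced mod p
    return (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P

def _decode_scalar(k):
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar, u_bytes):
    # Montgomery ladder from RFC 7748 s5 (not constant-time; illustration only)
    k, u = _decode_scalar(scalar), _decode_u(u_bytes)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1; swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_extract(salt, ikm): return hmac.new(salt, ikm, HASH).digest()

def derive_secret(secret, label, messages):
    # Derive-Secret from RFC 8446 s7.1; one HKDF-Expand block covers a 32-byte output
    lbl = b"tls13 " + label
    info = HLEN.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([HLEN]) + HASH(messages).digest()
    return hmac.new(secret, info + b"\x01", HASH).digest()

def handshake_secrets(scalar, peer_pub, transcript):
    # (handshake secret, client handshake traffic secret) for one peer key share; no PSK
    derived = derive_secret(hkdf_extract(b"\x00" * HLEN, b"\x00" * HLEN), b"derived", b"")
    hs = hkdf_extract(derived, x25519(scalar, peer_pub))
    return hs, derive_secret(hs, b"c hs traffic", transcript)

def demo():
    # RFC 7748 s6.1 test vector: Alice's private key and Bob's public key
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    pub_b = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    pub_b_equiv = pub_b[:31] + bytes([pub_b[31] | 0x80])  # same u, ignored top bit set
    # Constructed stand-in transcripts; the peer's key share bytes are part of each
    hs1, ts1 = handshake_secrets(a, pub_b, b"ClientHello|ServerHello|" + pub_b)
    hs2, ts2 = handshake_secrets(a, pub_b_equiv, b"ClientHello|ServerHello|" + pub_b_equiv)
    return hs1 == hs2, ts1 != ts2
```

`demo()` returns `(True, True)`: equal handshake secrets, different traffic secrets, which is exactly why the distinct labels alone do not restore indistinguishability.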