Re: [TLS] [Technical Errata Reported] RFC7905 (5251)

Xavier Bonnetain <xavier.bonnetain@inria.fr> Tue, 13 February 2018 00:22 UTC

Date: Tue, 13 Feb 2018 01:22:42 +0100
From: Xavier Bonnetain <xavier.bonnetain@inria.fr>
To: Adam Langley <agl@google.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Wan-Teh Chang <wtc@google.com>, Nikos Mavrogiannopoulos <nmav@redhat.com>, Joachim Strömbergson <joachim@secworks.se>, Simon Josefsson <simon@josefsson.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Joseph Salowey <joe@salowey.net>, sean+ietf@sn3rd.com, tls@ietf.org
Message-ID: <1245150098.5877048.1518481362605.JavaMail.zimbra@inria.fr>
In-Reply-To: <CAL9PXLxUNZHeMZYUSEsmT5YBOg6AReFbqxPozOmStY_+L1VUSg@mail.gmail.com>
References: <20180201135947.77809B819EE@rfc-editor.org> <CAL9PXLxUNZHeMZYUSEsmT5YBOg6AReFbqxPozOmStY_+L1VUSg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JLG4E6ljqAOnX6UoM-Sm7zzkvAA>
Subject: Re: [TLS] [Technical Errata Reported] RFC7905 (5251)

----- Original Message -----

> From: "Adam Langley" <agl@google.com>
> To: "RFC Errata System" <rfc-editor@rfc-editor.org>
> Cc: "Wan-Teh Chang" <wtc@google.com>, "Nikos Mavrogiannopoulos"
> <nmav@redhat.com>, "Joachim Strömbergson" <joachim@secworks.se>, "Simon
> Josefsson" <simon@josefsson.org>, "Kathleen Moriarty"
> <Kathleen.Moriarty.ietf@gmail.com>, "Eric Rescorla" <ekr@rtfm.com>, "Joseph
> Salowey" <joe@salowey.net>, sean+ietf@sn3rd.com, "xavier bonnetain"
> <xavier.bonnetain@inria.fr>, tls@ietf.org
> Sent: Tuesday, 13 February 2018 00:30:11
> Subject: Re: [Technical Errata Reported] RFC7905 (5251)

> On Thu, Feb 1, 2018 at 5:59 AM, RFC Errata System <rfc-editor@rfc-editor.org>
> wrote:
>
> > Original Text
> > -------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^107), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^93.
> >
> > Corrected Text
> > --------------
> > Poly1305 is designed to ensure that forged messages are rejected with
> > a probability of 1-(n/2^106), where n is the maximum length of the
> > input to Poly1305. In the case of (D)TLS, this means a maximum
> > forgery probability of about 1 in 2^92.

> I'm not sure that this errata report is correct.

> The full formula is beyond email HTML to express, but see the "Security
> Guarantee" section of https://cr.yp.to/mac/poly1305-20050329.pdf

> The section seems to be talking about blind forgeries, so C = 0. D = 1
> because this is a per-attempt measure. Then we have 8*L/16 on the top of the
> fraction, which is 1/2 * L (where L = byte length of a message). If we
> multiply top and bottom by two, we get L / 2^107. For (D)TLS, with a maximum
> encrypted plaintext length of ~2^14, that gives 2^{-93}.

> Cheers

> AGL

If we are in the situation C = 0, D = 1 and L = 2^{14} for (D)TLS, the forgery probability may indeed not be affected (and may even be smaller). However, the explanation "Poly1305 is designed to ensure that forged messages are rejected with a probability of 1-(n/2^107), where n is the maximum length of the input to Poly1305." is presenting Poly1305 as slightly stronger than it really is (and there is an attack with success probability 2^{-106} with C=1, D=1, L=1, as the hashing key r has 106 effective bits).

Regards,
Xavier
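To make the numbers in this exchange concrete, the following Python is an added example (not part of the thread, nor of any Poly1305 implementation): it evaluates the per-attempt term AGL quotes from Bernstein's paper, 8·D·⌈L/16⌉/2^106, next to the simplified n/2^107 from RFC 7905, and counts the bits of r that survive the standard clamp. The clamp constant is the one from RFC 8439; the theorem's PRF distinguishing term delta is assumed negligible and omitted.

```python
import math

# Poly1305 clamps the 128-bit hashing key r with this mask (RFC 8439, Section 2.5).
# The 22 cleared bits are why r has only 106 effective bits.
POLY1305_R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def effective_r_bits() -> int:
    """Number of key bits of r that survive clamping."""
    return bin(POLY1305_R_CLAMP).count("1")


def bernstein_bound(L: int, D: int = 1) -> float:
    """Forgery term 8 * D * ceil(L/16) / 2^106 for D forgery attempts against
    messages of at most L bytes (delta term omitted, as assumed above)."""
    return 8 * D * math.ceil(L / 16) / 2**106


def rfc7905_bound(n: int) -> float:
    """The simplified per-attempt bound quoted in RFC 7905: n / 2^107."""
    return n / 2**107


def log2_bound(p: float) -> float:
    """log2 of a probability, for reading bounds as 2^{-k}."""
    return math.log2(p)


def rfc_understates(L: int) -> bool:
    """True when the RFC's simplification claims a smaller forgery probability
    than Bernstein's theorem actually guarantees for messages of L bytes."""
    return rfc7905_bound(L) < bernstein_bound(L)


if __name__ == "__main__":
    # (D)TLS record: L = 2^14 bytes, D = 1 -> both formulas give 2^-93.
    print("r effective bits:", effective_r_bits())
    for L in (1, 16, 17, 2**14):
        print(f"L={L:6d}  bernstein=2^{log2_bound(bernstein_bound(L)):.2f}"
              f"  rfc7905=2^{log2_bound(rfc7905_bound(L)):.2f}"
              f"  rfc understates: {rfc_understates(L)}")
    # Xavier's point: a 2^-106 attack with L=1 exceeds the RFC's claimed 2^-107.
    print("2^-106 attack beats RFC bound for n=1:", 2**-106 > rfc7905_bound(1))
```

For L = 2^14 the two formulas coincide at 2^{-93}, which is why the errata's change to 2^{-92} is not supported, while for short messages the RFC's n/2^107 falls below both the theorem's 2^{-103} term and the 2^{-106} attack mentioned above.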