[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt

Felix Günther <mail@felixguenther.info> Tue, 13 August 2024 09:51 UTC

Return-Path: <SRS0=hLhM=PM=felixguenther.info=mail@cdc02.comdc.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22135C15153F for <tls@ietfa.amsl.com>; Tue, 13 Aug 2024 02:51:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EgMCi4KozHOt for <tls@ietfa.amsl.com>; Tue, 13 Aug 2024 02:51:15 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de [136.243.4.87]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D07E3C151099 for <tls@ietf.org>; Tue, 13 Aug 2024 02:51:13 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de.local [127.0.0.1]) by cdc02.comdc.de (Postfix) with ESMTP id 8B4A84F20B78; Tue, 13 Aug 2024 11:51:12 +0200 (CEST)
Received: from [9.241.146.25] (unknown [129.41.47.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mail@felixguenther.info) by cdc02.comdc.de (Postfix) with ESMTPSA id 4E71D4F20B1B; Tue, 13 Aug 2024 11:51:12 +0200 (CEST)
Message-ID: <1b418f8d-76fa-4656-9083-8730379c1308@felixguenther.info>
Date: Tue, 13 Aug 2024 11:51:12 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Peter C <Peter.C@ncsc.gov.uk>, Marc Fischlin <marc.fischlin@tu-darmstadt.de>
References: <c2c0d90e-2cbc-47d5-be85-e266d529c761@tu-darmstadt.de> <LO2P123MB705194B760C522BB24E37DAFBCB22@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <fd2e87d8-8376-47d4-af06-27a8ebd64504@felixguenther.info> <LO2P123MB705175FE3FDE2B08DFF8A1DABC852@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
From: Felix Günther <mail@felixguenther.info>
Autocrypt: addr=mail@felixguenther.info; keydata= xsDiBE04qkIRBADtFenVz1DuqethtPkoKAazBeKjyrr5Znbi8mQT1gOrkuli6i0/umf2uJ9V uI6NgjR0uM68UFGIHZlAoWk5Nfo8BTkYsdXl4R08pePmwRwwtq9LALZrGkeLeQtOFdLJt7G2 iQgqq2XpZc9AXW3/+j0I6MmsWMQKCkCA1s6IRLtH+wCgk85oP1adRYaEpi82Z3oG7vztEOkE AMccj8RgnjWcbB13HxxRk2C/4mgLEmCBWO3nmcCPZP5t/5GZSe7Kt5HQoygjxxcro/2e+9wF YsYwLUpHKMOjyvtcU0jLtIv0m6I+GQ3HOz89erVpa7G7EUoEsbQ7FEuyW4mVEaQZ3XE1Mxvp /3Ca1rBJjoxXhxKaDJYWsc5fdO6RA/44xXLdiE2f6NDoTJY7Z97VXUnJskpDNnwePOJyX4GT DwII2kl6JSYOAmkcOpINOSVsS0XDLZpBuKqsibUF/t53BkNfR/aF/BzIUJ5dykqrHvi75aQb ltSum1+kIo8Q6ZI+MzAAwmbqLfuRHZP5y0fjxdHLhfMrvacrNHnaoUWrVc0oRmVsaXggR8O8 bnRoZXIgPG1haWxAZmVsaXhndWVudGhlci5pbmZvPsJ8BBMRAgA8AhsjBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgBYhBCuuSm95RkYbcAFhs1KvAgDT8XAOBQJdE93OAhkBAAoJEFKvAgDT 8XAOVSwAn0QmRYzMtqFZejCnMakizqsaWHJlAJ4jR3nDqw5h3Ct4Xyz1CEQrUdJgz87DTQRN OKpCEBAA9TNoDOa0PVCAWvt9tw06MUw+D0PoAhkl1jlNEzeNatLDQqf6YehHOgtjpgA8tpul DJUq/o3NN15JsUB1el6oQje644owqhEFD8V02Ns3ZK6hGgBRGupp6RKwg70F4z4ukKwCS789 rZdwaq8t+X37NRUP41Y537kgfN2R1BFLB0A19Qb52nsaneBUSgGLXu39bxDrHounoLjMitJa 10ATRcuRny8eJzAuXI8lCURNjCPWJVjXN3gs+z6sA/ebr2inLQT66WIQZi5Q31BNyPGeaai+ 7t7IbpfkhqnbHATDq6vtM8lCem+rsYc3MtN1W4jQZ59ACI3ieu3MouMoN4W5mp0bjB6oNiO1 TTYD3ZUYBeV7ITX47lag7A9MPzBwbRGdetAN1yU5HDv7mgadei/oFlwC4/hD18kYjuHEUxKi CookZZaPQEMTKjBpHhrphSslTXl/tWmMJBoVsgedghWyf39o8ZOTBsQQ1wHwhO9Dc+fwT/Q2 Bw6jdZSzwQVJG13hg/uC6HqxhYfiKHtsiMuqnb5OIM0qkWa3Q/XtRclokk8elTjHYIIM+HBd i2xjys8D+1gVPI8s4NwPRAjc5m/kAXyzbrbg+p+ZVe3IJTE4M/heShLzsoFrZoroE2T38rvT Wsido/8zJZCxJ+JLAR8p8BYKYBJel/pHsvRFwSYbOEMAAwYP/j905vAZ/MJlLrElQ6eVwU2X IBhFmsOtQcVmh3CZw0QuXMA1AQsQe3KLLJSfBEP8Ljz8/Y9mPNu8wmvhw04Px0o7Ns6yOEuv v4CyQzaZwJGvn0lI4UajS7y4mgGFkd1AmPi1/4el9Yp4my88VlOcSe/macm4+MCIAMDegNLx JzErZgOMQJVdSz4rVYaWToTE/DVvRFkuEZgZNnvIv8G46OCZtnnRFv1XQDouxap2tO8yGBQ+ BxBZXqrXtyeVz1weOBIVHycUxi9kGRQ5M99NfrZuInR1382W9YYhqiVgvmvWEsLZFRoGrh8w 1yVkyxw6IGikWlkwq8TLGVlAiqA8AENZZ9bJJVOn57ld6Dvz8c8UvHpvSpUbt3Y3jf0GJbDn lj4v3ZrIxcI3RmUIGf0CQDSpqrUHppgKwiBPSLLRRQruGw7jzLpMqu7ar+2fhNQB3GLSmygi kdYXROfmIIq0J5g/rZLSFQ1GZmL3S8pqS9sJQh0KZEUE+1PtzAoYUYp9btR5Jo3pbyAn6M/g SNlSNDUwa2Eai6fy3fBu1KT1AYgntLzVyJr2Q/Wd85MjF/a9GI5X8lmnvPSAJ/ofSI/bRjLq yNj6frKLrztFV9ucWhKQoQd4iE9qe284KYqdQq4BZUhO4J2nl2rWbEquoFe9ACdIVBIuRoCH EUrreMG0tdymwkkEGBECAAkFAk04qkICGwwACgkQUq8CANPxcA6jYACfYd8EkV8G70iuPkyA HMZZ8W8lWUoAoJElB4EzU8opYiwQw02HRvW/qYuJ
In-Reply-To: <LO2P123MB705175FE3FDE2B08DFF8A1DABC852@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Message-ID-Hash: DKNLY2RK3V3CHXL2DYS4PTXYYEQNLXUJ
X-Message-ID-Hash: DKNLY2RK3V3CHXL2DYS4PTXYYEQNLXUJ
X-MailFrom: SRS0=hLhM=PM=felixguenther.info=mail@cdc02.comdc.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "tls@ietf.org" <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NM45W_dQoLuwTbnWroOAyfxMQns>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Peter,

For a broken PQ KEM it could indeed be easy to have distinct ciphertexts 
decapsulate to the same shared secret. I don't think this affects the 
(EC)DH result holding up though, from how the proof would go in my head.

In the PRF-ODH/random oracle step of deriving HS from DHE and ss, the 
reduction embeds a DH challenge in DHE. It needs to check for DH shares 
trivially colliding with the DH challenge (unknown to the reduction), 
which it can do. For the shared secret input ss, it would perform KEM 
key generation and encapsulation itself (as there's no challenge to 
embed here), so it can compute ss itself.
Put differently: the reduction would indeed have access to the KEM 
private key, and hence can detect same shared secrets.

Best,
Felix

On 2024-08-12 14:03 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
> Felix,
> 
> I'm not completely sure I understand what you are suggesting,
> but I think it might not be quite as straightforward as that.
> 
> In general, if the PQ KEM is not secure then the HS can fail to be
> indistinguishable from random: fixing the ECDH components of
> the hybrid key shares and choosing distinct PQ KEM component
> ciphertexts that encapsulate the same PQ shared secret will give the
> same HS.  As an example, consider ML-KEM where the re-encryption
> check is skipped and malformed ciphertexts are never (implicitly)
> rejected.  In that case, it is trivial to modify ciphertexts without
> changing the encapsulated shared secret, but I suspect it would be
> hard to reliably detect equivalent ciphertexts without having access
> to the ML-KEM private key.
> 
> My guess is that this can be avoided if you assume that the PQ KEM
> satisfies something along the lines of ciphertext second preimage
> resistance from the X-Wing paper (https://ia.cr/2024/039)  It is also
> entirely possible that I'm missing something obvious and a different
> part of the proof rules this out.
> 
> Best,
> 
> Peter
> 
>> -----Original Message-----
>> From: Felix Günther <mail@felixguenther.info>
>> Sent: Friday, August 2, 2024 2:05 PM
>> To: Peter C <Peter.C@ncsc.gov.uk>; Marc Fischlin <marc.fischlin@tu-
>> darmstadt.de>
>> Cc: tls@ietf.org
>> Subject: Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>
>> [You don't often get email from mail@felixguenther.info. Learn why this is
>> important at https://aka.ms/LearnAboutSenderIdentification ]
>>
>> Hi Peter,
>>
>> If your question is about what assumption the PQ KEM you still need to
>> make in case it's not IND-CCA secure anymore and you want to fall back
>> to [DOWLING] for the (EC)DH result, I think the answer is: none.
>> (Beyond ensuring unambiguous encoding of KDF inputs, as the draft
>> mandates through fixed-length shared secrets etc.)
>>
>> You would then be treating HKDF.Extract as a random oracle (which for
>> PRF-ODH security is the take-away from [
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fia.cr%252
>> F2017%2F517&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C56886bf3e45f4c
>> 711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%
>> 7C638582007420625450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
>> wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7
>> C%7C&sdata=%2BRlEU5oghUgBNo4lKyP5qIjVaARVHCq69n2P%2B50ZDMo%3
>> D&reserved=0 ]),
>> where the IKM input is augmented with the (possibly
>> adversary-controlled) KEM shared secret. But the encoding would ensure
>> that the argument wrt. ECDH would still apply.
>>
>> Cheers,
>> Felix
>>
>>
>> PS: Sorry for the prior double posting; we were under the impression
>> that Marc's first email didn't get delivered to the list.
>>
>> On 2024-08-01 11:38 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
>>> Marc and Felix,
>>>
>>> Thank you both for your replies.
>>>
>>> I can see how this will work for NIST P-256 and X25519 - it is
>>> straightforward to detect the equivalent public and adjust the
>>> output of the simulator accordingly - and I also agree that it is
>>> not a significant change to the PRF-ODH assumption.
>>>
>>> Have you thought how this transfers across to the hybrid key
>>> exchange in draft-ietf-tls-hybrid-design?  Do you know what
>>> assumption, if any, you need to make on the PQ KEM to be
>>> able to reuse the argument in [DOWLING]?
>>>
>>> Thanks,
>>>
>>> Peter
>>>
>>>> -----Original Message-----
>>>> From: Marc Fischlin <marc.fischlin@tu-darmstadt.de>
>>>> Sent: Monday, July 29, 2024 4:40 PM
>>>> To: tls@ietf.org
>>>> Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>>>
>>>> [You don't often get email from marc.fischlin@tu-darmstadt.de. Learn why
>>>> this is important at https://aka.ms/LearnAboutSenderIdentification ]
>>>>
>>>> Dear all,
>>>>
>>>> Douglas and the other "TLS co-authors" discussed this briefly, but I
>>>> think that Douglas is offline for the next couple of days and asked me
>>>> if I could answer on behalf of the authors.
>>>>
>>>> It is indeed true that the PRF-ODH assumption, as stated, wouldn't be
>>>> comaptible with the usage of the x-coordinate. One needs to be a little
>>>> bit more careful in this case, disallowing the adversary to flip signs
>>>> of curve points. This has been done for example in a paper about the
>>>> security of Bluetooth which I co-authored, where the x-coordinate is
>>>> also used to derive keys. There we adapted the definition accordingly
>>>> (Section 4.1 in
>> https://eprint.i/
>> acr.org%2F2021%2F1597.pdf&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C5
>> 6886bf3e45f4c711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a
>> 1%7C0%7C0%7C638582007420635222%7CUnknown%7CTWFpbGZsb3d8eyJ
>> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
>> C60000%7C%7C%7C&sdata=JMYMT3Tf5UyBBAFiV9fIQB3KKfMbmtBlubkPItW
>> YTZY%3D&reserved=0 of this Asiacrypt
>>>> 2021 paper). I don't think that this makes the assumption less
>>>> plausible, only more annoying to deal with in the proofs.
>>>>
>>>> We have also checked that with the modifcation above the TLS proofs goes
>>>> through as before, one only needs to repeat the extracted key in
>>>> executions which have the same x-coordinate (instead of the same DH
>>>> values as so far).
>>>>
>>>> Hope this helps to clarify. Let me know if you need more details.
>>>>
>>>> Marc Fischlin
>>>>
>>>> _______________________________________________
>>>> TLS mailing list -- tls@ietf.org
>>>> To unsubscribe send an email to tls-leave@ietf.org