Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
"Dang, Quynh (Fed)" <quynh.dang@nist.gov> Wed, 13 July 2016 11:14 UTC
Return-Path: <quynh.dang@nist.gov>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91AD112D79D for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 04:14:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9cJe4TXwOvXg for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 04:14:42 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0095.outbound.protection.outlook.com [23.103.200.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF0B12DDE3 for <tls@ietf.org>; Wed, 13 Jul 2016 04:14:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=lu1GjsSb6KueibSCaT1el8cIfuy0JF7mp1UJFq8h30k=; b=ue3Y/6U4hX3I1B+fxQE6HVydZeL+qWKWbogRhY1rYJH+OiQTnwtWNQSLsiRIhiXbcKVVqAx1nTRFkDEEFJdWSFjTFijkKi6kTqjcOr+1/EUqRT9Hpr9gseXqfcOVWUyuafqq8zB8c2wzRK5K24Zw8kOcRWWbQPmdsHy24mBTlUo=
Received: from BN1PR09MB0171.namprd09.prod.outlook.com (10.255.192.149) by BN1PR09MB0169.namprd09.prod.outlook.com (10.255.192.147) with Microsoft SMTP Server (TLS) id 15.1.534.14; Wed, 13 Jul 2016 11:14:14 +0000
Received: from BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) by BN1PR09MB0171.namprd09.prod.outlook.com ([10.255.192.149]) with mapi id 15.01.0534.023; Wed, 13 Jul 2016 11:14:14 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Atul Luykx <Atul.Luykx@esat.kuleuven.be>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
Thread-Topic: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Thread-Index: AQHR26erSXFdspEwbEKLZA1rqxpGgqAUgWIAgABTxYD//9AKAIAATFUAgAANRgD//8XVgIAARoOAgAANwgCAABz0gIAAvyMA
Date: Wed, 13 Jul 2016 11:14:13 +0000
Message-ID: <D3AB99DD.27C8B%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be>
In-Reply-To: <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.105.150]
x-ms-office365-filtering-correlation-id: ff66d80f-14c6-4f1a-fdb7-08d3ab0ed2b0
x-microsoft-exchange-diagnostics: 1; BN1PR09MB0169; 6:ZSC1YR8eE9zAsykvQFVWLIzBaz/jd+1VzeniRTRjymivnuD+t15pQDMIFteN8s8FCWoUMS6qx+fIp9Z0P5pHlU8lji30AOJ8NfGtSlE9L7rVVufFX44Ftvq0ifb2tBG5ldrQzEaY2kCe4pgfWVudp1Y0M8vMF3yHrI/HNXt7Yp+TiLeU8k5Iiybci3Kr8ugJ+uAiIkbMs9XpDG7a08pFwe0nBYTWNjJ8+C21/JVSplebd4cU6wk4Y0zWwBjNvqtfjpeso3IEj31QQTOBuQhghZP5tfPFdDrzvxJ3yYIG8uOwh70Fw/f3n5eJr8JTvYMjGhK9TfiF1tbWtr904AhaLQ==; 5:IZmv9q02JieJNJQd/Zchoagt0uGLhyXkV4IuA6jqZDXRkk+QlMEjBc+DhJEXLvwpTkLWJlMAd8ViPCu7rz6AlykeptGEPNlTGANRoFm7OVRZ69LHCPNxKjwvW+YY6T1Gn/BWWf8y134gaFnUkEA3sA==; 24:pZcfZ9Ssl2e2JQDeFZVvqO310ABQEE2O6mVUNIoQj9q/eUL/yOWcaprafH+JUbpZ9Yy4AMTcjcakmaOSFtGjgJ/STGHUtTpuB4Al0FNJJR4=; 7:5us34OX1ddmCsTYbfmd32jJE53u+53+9xgZbw4403ei8BtJ7O6drJ4evajSPXHy6lFxk+CWW9aZqFxURaWhUmuWuOemYssqgMFJM4pZ270DoHAWCH1TvbjJjUOqLqm1W4HTCXMfb7xDZIitXomZa6j51wyOhtCPpEDMQ8fwFWPJ+b948opt32swVsh02Ugt9PMqt6cxGtJtfv4lhd5dnVIc8G4EX9CQncx5+oruYUtgcaK/+ZumvnysZvhrp4XhH
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR09MB0169;
x-microsoft-antispam-prvs: <BN1PR09MB0169BFD0D630EC921677B29DF3310@BN1PR09MB0169.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(65766998875637)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:BN1PR09MB0169; BCL:0; PCL:0; RULEID:; SRVR:BN1PR09MB0169;
x-forefront-prvs: 000227DA0C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(51444003)(24454002)(199003)(13464003)(377424004)(377454003)(189002)(105586002)(102836003)(77096005)(36756003)(2900100001)(5002640100001)(10400500002)(6116002)(106356001)(2950100001)(4326007)(50986999)(101416001)(2906002)(8936002)(189998001)(106116001)(76176999)(15975445007)(230783001)(3846002)(54356999)(99286002)(4001350100001)(11100500001)(97736004)(5001770100001)(68736007)(92566002)(87936001)(66066001)(19580405001)(305945005)(122556002)(8666005)(7846002)(19580395003)(83506001)(586003)(93886004)(8676002)(81166006)(3660700001)(86362001)(81156014)(3280700002)(7736002)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BN1PR09MB0169; H:BN1PR09MB0171.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3D1D9F8278902E4EA57F9A81294AB739@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jul 2016 11:14:13.9427 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR09MB0169
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Si9xpM_u8A9RaIe5QBWGuByeOjY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 11:14:45 -0000
Hi Atul, On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote: >> To be clear, this probability is that an attacker would be able to >> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential >> (but incorrect) plaintext, and with probability 2^{-32}, be able to >> determine that this plaintext was not the one used for the ciphertext >> (and with probability 0.999999999767..., know nothing about whether >> his guessed plaintext was correct or not). > >You need to be careful when making such claims. There are schemes for >which when you reach the birthday bound you can perform partial key >recovery. > >The probabilities we calculated guarantee that there won't be any >attacks (with the usual assumptions...). Beyond the bounds, there are no >guarantees. In particular, you cannot conclude that one, for example, >loses 1 bit of security once beyond the birthday bound. How can one use the distinguishing attack with the data complexity bound I suggested for recovering 1 bit of the encryption key in the context of TLS ? Regards, Quynh. > >Atul > >On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote: >>> -----Original Message----- >>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk] >>> Sent: Tuesday, July 12, 2016 1:17 PM >>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; >>> tls@ietf.org >>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt >>> >>> Hi >>> >>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote: >>> >>> >Hi Kenny, >>> > >>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> >>> wrote: >>> > >>> >>Finally, you write "to come to the 2^38 record limit, they assume >>>that >>> >>each record is the maximum 2^14 bytes". For clarity, we did not >>> >>recommend a limit of 2^38 records. That's Quynh's preferred number, >>> >>and is unsupported by our analysis. >>> > >>> >What is problem with my suggestion even with the record size being the >>> >maximum value? >>> >>> There may be no problem with your suggestion. I was simply trying to >>> make it >>> clear that 2^38 records was your suggestion for the record limit and >>> not ours. >>> Indeed, if one reads our note carefully, one will find that we do not >>> make any >>> specific recommendations. We consider the decision to be one for the >>> WG; >>> our preferred role is to supply the analysis and help interpret it if >>> people >>> want that. Part of that involves correcting possible misconceptions >>> and >>> misinterpretations before they get out of hand. >>> >>> Now 2^38 does come out of our analysis if you are willing to accept >>> single key >>> attack security (in the indistinguishability sense) of 2^{-32}. So in >>> that limited >>> sense, 2^38 is supported by our analysis. But it is not our >>> recommendation. >>> >>> But, speaking now in a personal capacity, I consider that security >>> margin to be >>> too small (i.e. I think that 2^{-32} is too big a success >>> probability). >> >> To be clear, this probability is that an attacker would be able to >> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential >> (but incorrect) plaintext, and with probability 2^{-32}, be able to >> determine that this plaintext was not the one used for the ciphertext >> (and with probability 0.999999999767..., know nothing about whether >> his guessed plaintext was correct or not). >> >> I'm just trying to get people to understand what we're talking about. >> This is not "with probability 2^{-32}, he can recover the plaintext" >> >> >>> >>> Regards, >>> >>> Kenny >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Peter Gutmann
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Watson Ladd
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Hubert Kario
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dave Garrett
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny