[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt

Douglas Stebila <dstebila@gmail.com> Wed, 24 July 2024 20:58 UTC

Return-Path: <dstebila@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DFEC1840E0 for <tls@ietfa.amsl.com>; Wed, 24 Jul 2024 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MDL1K7uqOJuP for <tls@ietfa.amsl.com>; Wed, 24 Jul 2024 13:58:19 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B7DCC17C8B6 for <tls@ietf.org>; Wed, 24 Jul 2024 13:58:19 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id d75a77b69052e-44953ab0e2bso1186611cf.0 for <tls@ietf.org>; Wed, 24 Jul 2024 13:58:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721854698; x=1722459498; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=gGQQkkc/H63kxLJBn9P1aj8EqVQdSohWc3a0tRcD3Q4=; b=cYNtM6Zh+x6+mofh5FhvSd8u8weVFVtc8zCzo4g49PoyiDvYvIbVaCGb9e0bLk2hmY nKF07NXy0dqFVk9hMcYMxFzvuFVvBMQg4H7QcPLmtPG1YyY6/dhNOi4UpOoObxboAPKx xTR520IXyn0KtF/2dJWf13LFthhgTFIbDaE0FX7MSjXQetbP03z/JFe60X8N4QiE1X8o /QCt6f9U9oAK989LW016ZGqXRgkctFnoLr7UUL+c14+p+iF5e5TIeaL8DItFGXv0GpUJ yRpbHR61TAccgH95goA1D4V5ve/jbyZyZVXzLJpVPG404vpU2gAxAeFBNMvsdY4nkIx2 Mm5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721854698; x=1722459498; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=gGQQkkc/H63kxLJBn9P1aj8EqVQdSohWc3a0tRcD3Q4=; b=VsLb7kHpW1bTe6jGean5gvxQ3wM6f7K+Am4kkkqqZs7IJxeP+nI+i2K9ialPTZATsC /cszxZSvvaRQhLZY516E0M3OJaZrwGXLjH6rI+osou2ERmfF8Hgu9CTi3Ii6zBUiL4g6 6iYesZMF1YLApEcaoSSOk0nzrV5CUHuUR9jatvZjgeJNjWjT/tu93DtsNd7Y1hRGo5Zi RJrkCidQxr5ye4inBg/aNRAGP47V/glX8HB69phQhA1Xb6OeyAdzneX64v+m2RjIMHyH /PQgDTiew2MKvkwQ4oa9s8bHG67r7Ao9hznHIIsy8XV7/kotEgZzqLsJPWGd/49IK9bZ VLYw==
X-Gm-Message-State: AOJu0YwFW99dn5c3ctzMc7Olpzosu9RjKW7xiV26tC08solaVyrzgvxP J787efeD6RPbPqNN6406Ltm8Gd+DCZAzhuN3XKIUaWrB1c88P4MjrLSSyQ==
X-Google-Smtp-Source: AGHT+IGBg3oLDHwA1BOmfAH7Lyd0DdTDnFMc0GUVZ0dp5WIpT5mnr0XwSqS9rSEQxyjl2+3qgaFEHQ==
X-Received: by 2002:a05:622a:14cb:b0:44f:dfe1:e861 with SMTP id d75a77b69052e-44fe48ae35amr11029181cf.37.1721854698284; Wed, 24 Jul 2024 13:58:18 -0700 (PDT)
Received: from smtpclient.apple (colink06.math.uwaterloo.ca. [129.97.93.136]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-44f9cd007b8sm57900771cf.28.2024.07.24.13.58.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jul 2024 13:58:17 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: Douglas Stebila <dstebila@gmail.com>
In-Reply-To: <LO2P123MB70511E279A74AD16F80D4302BCAA2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
Date: Wed, 24 Jul 2024 16:58:06 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <82F867E8-288F-43C2-8EB4-8187277862CD@gmail.com>
References: <171234865099.12734.12883553523407106230@ietfa.amsl.com> <LO2P123MB70511E279A74AD16F80D4302BCAA2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
To: Peter C <Peter.C@ncsc.gov.uk>
X-Mailer: Apple Mail (2.3774.600.62)
Message-ID-Hash: DBN26RYR5Q3PUORN7B5J7ARNFRWWJOLP
X-Message-ID-Hash: DBN26RYR5Q3PUORN7B5J7ARNFRWWJOLP
X-MailFrom: dstebila@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Tt2uejHHxuq7sjX8P6N2abRMCPE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Peter,

I agree that if you assume that the PQ KEM is broken, then [GIACON] and [BINDEL] don't apply since ECDH-as-a-KEM is not IND-CCA2 secure.  I don't fully follow your argument on why it's not possible to fall back on [DOWLING] -- in other words, just resort back to the original security proof of ECDH in TLS 1.3.  

I did see your subsequent email about the tweaking that one can do for NIST P-256 and X25519 due to compressed formats leading to mathematically equivalent points.  If it was the case that this tweakability resulted in hybrid key exchange having a problem (either a security problem or just a proof problem) when the PQ KEM is broken, then I think that would also imply that this tweakability leads to a problem in plain old ECDH key exchange in TLS 1.3.  In other words, I think your argument implies that the [DOWLING] proof doesn't apply to TLS 1.3 ECDH key exchange because the point encodings used for X25519 and NIST P-256 don't satisfy dual-snPRF-ODH.  Which may be true, but it would imply a bigger scope of concerns than just hybrid key exchange.

Now, it is the case that the HKDF.Expand portions of the key schedule include the transcript hash and thus the ECDH public keys, so any of these tweaks would, at the HKDF.Expand point, lead to different hash values.  This suggests to me that if one needed to adapt the proof, I'd start by treating HKDF.Extract and HKDF.Expand as a single monolithic operation involving the shared secrets and the transcripts.  In the random oracle model, this results in hashing everything in, which I guess would provide enough rigidity to prevent any such attacks, similar to the argument in X-Wing.

So if I am correctly interpreting your argument about point formats leading to a proof doubt, I think the path forward would be to revisit the original [DOWLING] proof in light of groups that don't satisfy dual-snPRF-ODH due to tweakability of point formats, possibly addressing this by treating HKDF.Extract and HKDF.Expand monolithically, and try to cover both the original ECDH and the hybrid questions at the same time.

Douglas


> On Jul 24, 2024, at 09:39, Peter C <Peter.C@ncsc.gov.uk> wrote:
> 
> Douglas,
> 
> The agenda for the TLS session is looking packed, and this is a very in-the-weeds comment, so I hope you don't mind me posting it to the list.  Happy to take any discussion off-list, if you'd prefer.
> 
> The draft-ietf-tls-hybrid-design security considerations currently say:
> 
>    The shared secrets computed in the hybrid key exchange should be
>    computed in a way that achieves the "hybrid" property: the resulting
>    secret is secure as long as at least one of the component key
>    exchange algorithms is unbroken. See [GIACON] and [BINDEL] for an
>    investigation of these issues.
> 
> If you assume the PQ KEM is IND-CCA2 secure, then I agree that [GIACON] and [BINDEL] imply that the derived traffic secrets will be indistinguishable from random and from each other.  The same is true if the KEM is only OW-CCA2 secure by Petcher-Campagna (https://ia.cr/2023/972)
> 
> If you assume the PQ KEM is broken, however, then [GIACON] and [BINDEL] do not apply since ECDH-as-a-KEM is not IND-CCA2 secure.  Similarly, Petcher-Campagna does not apply because ECDH is not OW-CCA2 secure.  Nor do I think it's possible to fall back on [DOWLING] since X25519 and NIST P-256 (as they are used in RFC 8446) do not satisfy the dual-snPRF-ODH assumption for any choice of KDF.  In this case, I don't believe the derived traffic secrets are guaranteed to be indistinguishable from random.
> 
> Flo raised similar points a couple of years ago which I don't think were fully addressed at the time.  I suspect this is just a security proof issue - the inclusion of the ciphertexts in the transcript hash should still protect against any actual attacks - and it's entirely possible that I've missed more recent results covering all of this.  If not, one easy solution might be to adopt the X-Wing approach and use
> 
>    concatenated_ss = pqkem_ss || ecdh_ss || ecdh_ct || ecdh_pk,
> 
> although this currently only works with ML-KEM.
> 
> Best,
> 
> Peter
> 
> 
>> -----Original Message-----
>> From: TLS <tls-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
>> Sent: Friday, April 5, 2024 9:24 PM
>> To: i-d-announce@ietf.org
>> Cc: tls@ietf.org
>> Subject: [TLS] I-D Action: draft-ietf-tls-hybrid-design-10.txt
>> 
>> Internet-Draft draft-ietf-tls-hybrid-design-10.txt is now available. It is a
>> work item of the Transport Layer Security (TLS) WG of the IETF.
>> 
>>   Title:   Hybrid key exchange in TLS 1.3
>>   Authors: Douglas Stebila
>>            Scott Fluhrer
>>            Shay Gueron
>>   Name:    draft-ietf-tls-hybrid-design-10.txt
>>   Pages:   24
>>   Dates:   2024-04-05
>> 
>> Abstract:
>> 
>>   Hybrid key exchange refers to using multiple key exchange algorithms
>>   simultaneously and combining the result with the goal of providing
>>   security even if all but one of the component algorithms is broken.
>>   It is motivated by transition to post-quantum cryptography.  This
>>   document provides a construction for hybrid key exchange in the
>>   Transport Layer Security (TLS) protocol version 1.3.
>> 
>>   Discussion of this work is encouraged to happen on the TLS IETF
>>   mailing list tls@ietf.org or on the GitHub repository which contains
>>   the draft:
>> https://github/.
>> com%2Fdstebila%2Fdraft-ietf-tls-hybrid-
>> design&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cec161933c97947c8a7e0
>> 08dc55ae8cd7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C6384
>> 79455373796379%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiL
>> CJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata
>> =qNBE50aYk4woYCLUj6Rq1wMeFur63hP1MnHXDGihg80%3D&reserved=0.
>> 
>> The IETF datatracker status page for this Internet-Draft is:
>> https://datatra/
>> cker.ietf.org%2Fdoc%2Fdraft-ietf-tls-hybrid-
>> design%2F&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cec161933c97947c8
>> a7e008dc55ae8cd7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C
>> 638479455373796379%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&s
>> data=kVBR6kDc19NDTnC1fRgVqJmTnZOQggzmWk7wHHcVKbI%3D&reserved=
>> 0
>> 
>> There is also an HTML version available at:
>> https://www.ie/
>> tf.org%2Farchive%2Fid%2Fdraft-ietf-tls-hybrid-design-
>> 10.html&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cec161933c97947c8a7e
>> 008dc55ae8cd7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C638
>> 479455373796379%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAi
>> LCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdat
>> a=dcjY38cicBXU6ab7hnMalN1WTWqtQdhblMYu7xdzVT8%3D&reserved=0
>> 
>> A diff from the previous version is available at:
>> https://author/
>> -tools.ietf.org%2Fiddiff%3Furl2%3Ddraft-ietf-tls-hybrid-design-
>> 10&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cec161933c97947c8a7e008d
>> c55ae8cd7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C6384794
>> 55373952646%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQ
>> IjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3ll
>> ZNYcqaixqUpU%2BhzzNOigFmuDlrA6CxCrIvyiG5HI%3D&reserved=0
>> 
>> Internet-Drafts are also available by rsync at:
>> rsync.ietf.org::internet-drafts
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ie/
>> tf.org%2Fmailman%2Flistinfo%2Ftls&data=05%7C02%7CPeter.C%40ncsc.gov.u
>> k%7Cec161933c97947c8a7e008dc55ae8cd7%7C14aa5744ece1474ea2d734f46
>> dda64a1%7C0%7C0%7C638479455373952646%7CUnknown%7CTWFpbGZsb3
>> d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
>> 3D%7C0%7C%7C%7C&sdata=rFzF%2BExBIX03adggpWV4uxzcgfHR6Z0zCLamc
>> GZIX9o%3D&reserved=0