[TLS] Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt

Felix Günther <mail@felixguenther.info> Thu, 05 September 2024 08:25 UTC

Return-Path: <SRS0=9GGD=QD=felixguenther.info=mail@cdc02.comdc.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86E4DC1519B6 for <tls@ietfa.amsl.com>; Thu, 5 Sep 2024 01:25:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.658
X-Spam-Level:
X-Spam-Status: No, score=-1.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WgQGNxBV3bur for <tls@ietfa.amsl.com>; Thu, 5 Sep 2024 01:25:10 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de [136.243.4.87]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B439C151524 for <tls@ietf.org>; Thu, 5 Sep 2024 01:25:09 -0700 (PDT)
Received: from cdc02.comdc.de (cdc02.comdc.de.local [127.0.0.1]) by cdc02.comdc.de (Postfix) with ESMTP id 246D44F20B58; Thu, 5 Sep 2024 10:25:07 +0200 (CEST)
Received: from [9.241.146.25] (unknown [129.41.47.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: mail@felixguenther.info) by cdc02.comdc.de (Postfix) with ESMTPSA id E62504F20B24; Thu, 5 Sep 2024 10:25:06 +0200 (CEST)
Message-ID: <d3228cc3-9948-48ea-b403-53c97459d7b0@felixguenther.info>
Date: Thu, 05 Sep 2024 10:25:06 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Peter C <Peter.C@ncsc.gov.uk>
References: <c2c0d90e-2cbc-47d5-be85-e266d529c761@tu-darmstadt.de> <LO2P123MB705194B760C522BB24E37DAFBCB22@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <fd2e87d8-8376-47d4-af06-27a8ebd64504@felixguenther.info> <LO2P123MB705175FE3FDE2B08DFF8A1DABC852@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <1b418f8d-76fa-4656-9083-8730379c1308@felixguenther.info> <LO2P123MB7051E74F4B10EA5B7CA836A1BC8D2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
From: Felix Günther <mail@felixguenther.info>
Autocrypt: addr=mail@felixguenther.info; keydata= xsDiBE04qkIRBADtFenVz1DuqethtPkoKAazBeKjyrr5Znbi8mQT1gOrkuli6i0/umf2uJ9V uI6NgjR0uM68UFGIHZlAoWk5Nfo8BTkYsdXl4R08pePmwRwwtq9LALZrGkeLeQtOFdLJt7G2 iQgqq2XpZc9AXW3/+j0I6MmsWMQKCkCA1s6IRLtH+wCgk85oP1adRYaEpi82Z3oG7vztEOkE AMccj8RgnjWcbB13HxxRk2C/4mgLEmCBWO3nmcCPZP5t/5GZSe7Kt5HQoygjxxcro/2e+9wF YsYwLUpHKMOjyvtcU0jLtIv0m6I+GQ3HOz89erVpa7G7EUoEsbQ7FEuyW4mVEaQZ3XE1Mxvp /3Ca1rBJjoxXhxKaDJYWsc5fdO6RA/44xXLdiE2f6NDoTJY7Z97VXUnJskpDNnwePOJyX4GT DwII2kl6JSYOAmkcOpINOSVsS0XDLZpBuKqsibUF/t53BkNfR/aF/BzIUJ5dykqrHvi75aQb ltSum1+kIo8Q6ZI+MzAAwmbqLfuRHZP5y0fjxdHLhfMrvacrNHnaoUWrVc0oRmVsaXggR8O8 bnRoZXIgPG1haWxAZmVsaXhndWVudGhlci5pbmZvPsJ8BBMRAgA8AhsjBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgBYhBCuuSm95RkYbcAFhs1KvAgDT8XAOBQJdE93OAhkBAAoJEFKvAgDT 8XAOVSwAn0QmRYzMtqFZejCnMakizqsaWHJlAJ4jR3nDqw5h3Ct4Xyz1CEQrUdJgz87DTQRN OKpCEBAA9TNoDOa0PVCAWvt9tw06MUw+D0PoAhkl1jlNEzeNatLDQqf6YehHOgtjpgA8tpul DJUq/o3NN15JsUB1el6oQje644owqhEFD8V02Ns3ZK6hGgBRGupp6RKwg70F4z4ukKwCS789 rZdwaq8t+X37NRUP41Y537kgfN2R1BFLB0A19Qb52nsaneBUSgGLXu39bxDrHounoLjMitJa 10ATRcuRny8eJzAuXI8lCURNjCPWJVjXN3gs+z6sA/ebr2inLQT66WIQZi5Q31BNyPGeaai+ 7t7IbpfkhqnbHATDq6vtM8lCem+rsYc3MtN1W4jQZ59ACI3ieu3MouMoN4W5mp0bjB6oNiO1 TTYD3ZUYBeV7ITX47lag7A9MPzBwbRGdetAN1yU5HDv7mgadei/oFlwC4/hD18kYjuHEUxKi CookZZaPQEMTKjBpHhrphSslTXl/tWmMJBoVsgedghWyf39o8ZOTBsQQ1wHwhO9Dc+fwT/Q2 Bw6jdZSzwQVJG13hg/uC6HqxhYfiKHtsiMuqnb5OIM0qkWa3Q/XtRclokk8elTjHYIIM+HBd i2xjys8D+1gVPI8s4NwPRAjc5m/kAXyzbrbg+p+ZVe3IJTE4M/heShLzsoFrZoroE2T38rvT Wsido/8zJZCxJ+JLAR8p8BYKYBJel/pHsvRFwSYbOEMAAwYP/j905vAZ/MJlLrElQ6eVwU2X IBhFmsOtQcVmh3CZw0QuXMA1AQsQe3KLLJSfBEP8Ljz8/Y9mPNu8wmvhw04Px0o7Ns6yOEuv v4CyQzaZwJGvn0lI4UajS7y4mgGFkd1AmPi1/4el9Yp4my88VlOcSe/macm4+MCIAMDegNLx JzErZgOMQJVdSz4rVYaWToTE/DVvRFkuEZgZNnvIv8G46OCZtnnRFv1XQDouxap2tO8yGBQ+ BxBZXqrXtyeVz1weOBIVHycUxi9kGRQ5M99NfrZuInR1382W9YYhqiVgvmvWEsLZFRoGrh8w 1yVkyxw6IGikWlkwq8TLGVlAiqA8AENZZ9bJJVOn57ld6Dvz8c8UvHpvSpUbt3Y3jf0GJbDn lj4v3ZrIxcI3RmUIGf0CQDSpqrUHppgKwiBPSLLRRQruGw7jzLpMqu7ar+2fhNQB3GLSmygi kdYXROfmIIq0J5g/rZLSFQ1GZmL3S8pqS9sJQh0KZEUE+1PtzAoYUYp9btR5Jo3pbyAn6M/g SNlSNDUwa2Eai6fy3fBu1KT1AYgntLzVyJr2Q/Wd85MjF/a9GI5X8lmnvPSAJ/ofSI/bRjLq yNj6frKLrztFV9ucWhKQoQd4iE9qe284KYqdQq4BZUhO4J2nl2rWbEquoFe9ACdIVBIuRoCH EUrreMG0tdymwkkEGBECAAkFAk04qkICGwwACgkQUq8CANPxcA6jYACfYd8EkV8G70iuPkyA HMZZ8W8lWUoAoJElB4EzU8opYiwQw02HRvW/qYuJ
In-Reply-To: <LO2P123MB7051E74F4B10EA5B7CA836A1BC8D2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: ClamAV using ClamSMTP
Message-ID-Hash: CL63XLORXTLWNIG7TI37GKEJUIAJFI6Q
X-Message-ID-Hash: CL63XLORXTLWNIG7TI37GKEJUIAJFI6Q
X-MailFrom: SRS0=9GGD=QD=felixguenther.info=mail@cdc02.comdc.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Marc Fischlin <marc.fischlin@tu-darmstadt.de>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS] Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WsFuHOYkdmDYwfa5GDTBjVeGz1Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Hi Peter,

I think there's a misunderstanding. My response to your original 
question on what assumption one needs to make on the PQ KEM to be able 
to reuse the argument in [DOWLING] was "none", in the following sense: 
If you're _only_ after the classic security shown in [DOWLING], then 
there's no additional assumption needed. That is, I think the [DOWLING] 
result can be adapted to hold, assuming the DH component is strong.

Note that this argument is _not_ via IND-CCA security of some combiner 
KEM, but following the current proof. That is, relying directly on 
PRF-ODH and then key derivation (which includes the transcript, and 
hence also the possibly modified PQ KEM ciphertext), ensuring separated 
keys.


It seems you understood my response as "the [DOWLING] results hold with 
a combiner KEM". That's indeed _not_ the case, in particular because 
this result doesn't use a KEM/IND-CCA type assumption, so one can't hope 
to just plug in such assumption for the result to still go through.

And I agree with your assessment, that a K = KDF(ss_pq || ss_ec) KEM 
combiner step would itself not achieve IND-CCA security. As you write, 
one could modify the PQ ciphertext without changing ss_pq, violating 
that property. (This is in line with [GIACON] including the ciphertexts 
in the key derivation.) Even then, the raw ss_ec is not an IND-CCA KEM 
secret. So showing results based on KEM assumptions here requires 
working out more analysis details.

I hope this clarifies things a little?

Best,
Felix

On 2024-08-20 13:02 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
> Felix,
> 
> I definitely don't understand something here, so I have tried to abstract
> things slightly to try to illustrate why I think there might still be an issue.
> I'm reasonably (but not completely) confident that I haven't abstracted
> away anything significant.  Apologies if I've missed something important.
> 
> Consider the PQ/ECDH hybrid KEM where the KEM combiner is
> K = KDF(ss_pq || ss_ec).  I think you are essentially arguing that an
> adversary A that breaks the IND-CCA2 security of the hybrid KEM can
> be converted into an adversary B that breaks something like PRF-ODH
> security for the ECDH component.
> 
> IND-CCA2 is the usual notion.  PRF-ODH might need a little explanation
> in this case.  I think it needs to be along the following lines:
> 
>    - The adversary selects ss*_pq for the challenger.
> 
>    - The challenger chooses an ECDH key pair (sk*_ec, pk*_ec) and
>      "ciphertext" ct*_ec, and computes K*_0 = KDF(ss*_pq || ss*_ec) with
>      the corresponding ECDH shared secret ss*_ec.  The challenger also
>      chooses a random K*_1 and sets K* = K_b for a random bit b.
> 
>    - The adversary is given the public key pk*_ec, ciphertext ct*_ec, and
>      key K*, and can query an oracle with (ss_pq, ct_ec) =/= (ss*_pq, ct*_ec)
>      to get K = KDF(ss_pq || ss_ec).
> 
> I agree that adversary B can embed a PRF-ODH challenge into an IND-CCA2
> challenge for adversary A.  B chooses a PQ key pair (sk*_pq, pk*_pq) and
> ciphertext ct*_pq, computes the PQ shared secret ss*_pq and uses ss*_pq
> to request pk*_ec, ct*_ec and K* from the PRF-ODH challenger.  The
> corresponding IND-CCA2 challenge will be the public key (pk*_pq, pk*_ec),
> ciphertext (ct*_pq, ct*_ec) and key K*.
> 
> I also agree that B can simulate (to some extent) the decapsulation oracle.
> Given a query (ct_pq, ct_ec) =/= (ct*_pq, ct*_ec) from A, B uses sk*_pq to
> compute the PQ shared secret ss_pq, queries the PRF-ODH oracle with
> (ss_pq, ct_ec) and returns the response to A.  In the case of a query
> (ct_pq, ct*_ec) where ct_pq =/= ct*_pq but ss_pq = ss*_pq, B can indeed
> identify this and adjust, say, by returning the challenge key K*.
> 
> I think the issue is that by handling invalid PRF-ODH queries in this way,
> adversary B may not be able to use adversary A to break PRF-ODH.  If the
> PQ KEM is appropriately weak, then a perfectly reasonable approach to
> breaking IND-CCA2 for the hybrid KEM is to find a second PQ ciphertext
> ct_pq =/= ct*_pq that encapsulates the same PQ shared secret ss*_pq
> and query the decapsulation oracle with (ct_pq, ct*_ec) to see if it returns
> the challenge key K* or not.  In the simulation above, it will always return
> K* and so A will always conclude that it is the real key, regardless of the
> PRF-ODH challenger's choice of b.
> 
> The difference between this and X25519 equivalent public keys is that
> it is easy to identify the equivalent public keys so both the PRF-ODH and
> IND-CCA2 games can be adjusted to exclude their use in oracle queries.
> This is essentially the same as requiring public key validation.  I don't
> believe it's possible to modify the IND-CCA2 game to block equivalent
> PQ ciphertexts in the same way and even if you could I think it would be
> a significant deviation from the usual security notion.
> 
> Sorry for all the details.  Hopefully, it's clear enough!
> 
> Best,
> 
> Peter
> 
> 
>> -----Original Message-----
>> From: Felix Günther <mail@felixguenther.info>
>> Sent: Tuesday, August 13, 2024 10:51 AM
>> To: Peter C <Peter.C@ncsc.gov.uk>; Marc Fischlin <marc.fischlin@tu-
>> darmstadt.de>
>> Cc: tls@ietf.org
>> Subject: Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>
>> Hi Peter,
>>
>> For a broken PQ KEM it could indeed be easy to have distinct ciphertexts
>> decapsulate to the same shared secret. I don't think this affects the
>> (EC)DH result holding up though, from how the proof would go in my head.
>>
>> In the PRF-ODH/random oracle step of deriving HS from DHE and ss, the
>> reduction embeds a DH challenge in DHE. It needs to check for DH shares
>> trivially colliding with the DH challenge (unknown to the reduction),
>> which it can do. For the shared secret input ss, it would perform KEM
>> key generation and encapsulation itself (as there's no challenge to
>> embed here), so it can compute ss itself.
>> Put differently: the reduction would indeed have access to the KEM
>> private key, and hence can detect same shared secrets.
>>
>> Best,
>> Felix
>>
>> On 2024-08-12 14:03 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
>>> Felix,
>>>
>>> I'm not completely sure I understand what you are suggesting,
>>> but I think it might not be quite as straightforward as that.
>>>
>>> In general, if the PQ KEM is not secure then the HS can fail to be
>>> indistinguishable from random: fixing the ECDH components of
>>> the hybrid key shares and choosing distinct PQ KEM component
>>> ciphertexts that encapsulate the same PQ shared secret will give the
>>> same HS.  As an example, consider ML-KEM where the re-encryption
>>> check is skipped and malformed ciphertexts are never (implicitly)
>>> rejected.  In that case, it is trivial to modify ciphertexts without
>>> changing the encapsulated shared secret, but I suspect it would be
>>> hard to reliably detect equivalent ciphertexts without having access
>>> to the ML-KEM private key.
>>>
>>> My guess is that this can be avoided if you assume that the PQ KEM
>>> satisfies something along the lines of ciphertext second preimage
>>> resistance from the X-Wing paper
>> (https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fia.cr%25
>> 2F2024%2F039&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cb7ce7a0ed243
>> 413e0cd008dcbb7d77c7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C
>> 0%7C638591394753320161%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
>> jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%
>> 7C&sdata=1UMZm9CTSN8uN%2BZGGYk15U3WPiXpz26qBJ50jv48Eko%3D&res
>> erved=0).  It is also
>>> entirely possible that I'm missing something obvious and a different
>>> part of the proof rules this out.
>>>
>>> Best,
>>>
>>> Peter
>>>
>>>> -----Original Message-----
>>>> From: Felix Günther <mail@felixguenther.info>
>>>> Sent: Friday, August 2, 2024 2:05 PM
>>>> To: Peter C <Peter.C@ncsc.gov.uk>; Marc Fischlin <marc.fischlin@tu-
>>>> darmstadt.de>
>>>> Cc: tls@ietf.org
>>>> Subject: Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>>>
>>>> [You don't often get email from mail@felixguenther.info. Learn why this is
>>>> important at https://aka.ms/LearnAboutSenderIdentification ]
>>>>
>>>> Hi Peter,
>>>>
>>>> If your question is about what assumption the PQ KEM you still need to
>>>> make in case it's not IND-CCA secure anymore and you want to fall back
>>>> to [DOWLING] for the (EC)DH result, I think the answer is: none.
>>>> (Beyond ensuring unambiguous encoding of KDF inputs, as the draft
>>>> mandates through fixed-length shared secrets etc.)
>>>>
>>>> You would then be treating HKDF.Extract as a random oracle (which for
>>>> PRF-ODH security is the take-away from [
>>>>
>> https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fia.cr%252
>> 52
>>>>
>> F2017%2F517&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C56886bf3e45f4c
>>>>
>> 711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%
>>>>
>> 7C638582007420625450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
>>>>
>> wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7
>>>>
>> C%7C&sdata=%2BRlEU5oghUgBNo4lKyP5qIjVaARVHCq69n2P%2B50ZDMo%3
>>>> D&reserved=0 ]),
>>>> where the IKM input is augmented with the (possibly
>>>> adversary-controlled) KEM shared secret. But the encoding would ensure
>>>> that the argument wrt. ECDH would still apply.
>>>>
>>>> Cheers,
>>>> Felix
>>>>
>>>>
>>>> PS: Sorry for the prior double posting; we were under the impression
>>>> that Marc's first email didn't get delivered to the list.
>>>>
>>>> On 2024-08-01 11:38 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
>>>>> Marc and Felix,
>>>>>
>>>>> Thank you both for your replies.
>>>>>
>>>>> I can see how this will work for NIST P-256 and X25519 - it is
>>>>> straightforward to detect the equivalent public and adjust the
>>>>> output of the simulator accordingly - and I also agree that it is
>>>>> not a significant change to the PRF-ODH assumption.
>>>>>
>>>>> Have you thought how this transfers across to the hybrid key
>>>>> exchange in draft-ietf-tls-hybrid-design?  Do you know what
>>>>> assumption, if any, you need to make on the PQ KEM to be
>>>>> able to reuse the argument in [DOWLING]?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Peter
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Marc Fischlin <marc.fischlin@tu-darmstadt.de>
>>>>>> Sent: Monday, July 29, 2024 4:40 PM
>>>>>> To: tls@ietf.org
>>>>>> Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>>>>>
>>>>>> [You don't often get email from marc.fischlin@tu-darmstadt.de. Learn
>> why
>>>>>> this is important at https://aka.ms/LearnAboutSenderIdentification ]
>>>>>>
>>>>>> Dear all,
>>>>>>
>>>>>> Douglas and the other "TLS co-authors" discussed this briefly, but I
>>>>>> think that Douglas is offline for the next couple of days and asked me
>>>>>> if I could answer on behalf of the authors.
>>>>>>
>>>>>> It is indeed true that the PRF-ODH assumption, as stated, wouldn't be
>>>>>> comaptible with the usage of the x-coordinate. One needs to be a little
>>>>>> bit more careful in this case, disallowing the adversary to flip signs
>>>>>> of curve points. This has been done for example in a paper about the
>>>>>> security of Bluetooth which I co-authored, where the x-coordinate is
>>>>>> also used to derive keys. There we adapted the definition accordingly
>>>>>> (Section 4.1 in
>>>>
>> https://eprint.i/
>> %2F&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cb7ce7a0ed243413e0cd00
>> 8dcbb7d77c7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C63859
>> 1394753339561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLC
>> JQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=r
>> IjaJxk4fNPxrvrW8%2FqEu15ej2G518Nve6iaNCiywhs%3D&reserved=0
>>>>
>> acr.org%2F2021%2F1597.pdf&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C5
>>>>
>> 6886bf3e45f4c711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a
>>>>
>> 1%7C0%7C0%7C638582007420635222%7CUnknown%7CTWFpbGZsb3d8eyJ
>>>>
>> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7
>>>>
>> C60000%7C%7C%7C&sdata=JMYMT3Tf5UyBBAFiV9fIQB3KKfMbmtBlubkPItW
>>>> YTZY%3D&reserved=0 of this Asiacrypt
>>>>>> 2021 paper). I don't think that this makes the assumption less
>>>>>> plausible, only more annoying to deal with in the proofs.
>>>>>>
>>>>>> We have also checked that with the modifcation above the TLS proofs
>> goes
>>>>>> through as before, one only needs to repeat the extracted key in
>>>>>> executions which have the same x-coordinate (instead of the same DH
>>>>>> values as so far).
>>>>>>
>>>>>> Hope this helps to clarify. Let me know if you need more details.
>>>>>>
>>>>>> Marc Fischlin
>>>>>>
>>>>>> _______________________________________________
>>>>>> TLS mailing list -- tls@ietf.org
>>>>>> To unsubscribe send an email to tls-leave@ietf.org