Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Atul Luykx <Atul.Luykx@esat.kuleuven.be> Tue, 12 July 2016 19:50 UTC
Date: Tue, 12 Jul 2016 21:50:03 +0200
From: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
In-Reply-To: <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com>
Message-ID: <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YSSPY5NGJAi84IkNj6MAefwtLqs>
Cc: tls@ietf.org
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
> To be clear, this probability is that an attacker would be able to
> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential
> (but incorrect) plaintext, and with probability 2^{-32}, be able to
> determine that this plaintext was not the one used for the ciphertext
> (and with probability 0.999999999767..., know nothing about whether
> his guessed plaintext was correct or not).

You need to be careful when making such claims. There are schemes for which, when you reach the birthday bound, you can perform partial key recovery. The probabilities we calculated guarantee that there won't be any attacks (with the usual assumptions...). Beyond the bounds, there are no guarantees. In particular, you cannot conclude that one, for example, loses 1 bit of security once beyond the birthday bound.

Atul

On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote:
>> -----Original Message-----
>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk]
>> Sent: Tuesday, July 12, 2016 1:17 PM
>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; tls@ietf.org
>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
>>
>> Hi
>>
>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>>
>> >Hi Kenny,
>> >
>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> wrote:
>> >
>> >>Finally, you write "to come to the 2^38 record limit, they assume that
>> >>each record is the maximum 2^14 bytes". For clarity, we did not
>> >>recommend a limit of 2^38 records. That's Quynh's preferred number,
>> >>and is unsupported by our analysis.
>> >
>> >What is the problem with my suggestion even with the record size being the
>> >maximum value?
>>
>> There may be no problem with your suggestion. I was simply trying to make it
>> clear that 2^38 records was your suggestion for the record limit and not ours.
>> Indeed, if one reads our note carefully, one will find that we do not make any
>> specific recommendations. We consider the decision to be one for the WG;
>> our preferred role is to supply the analysis and help interpret it if people
>> want that. Part of that involves correcting possible misconceptions and
>> misinterpretations before they get out of hand.
>>
>> Now 2^38 does come out of our analysis if you are willing to accept single key
>> attack security (in the indistinguishability sense) of 2^{-32}. So in that limited
>> sense, 2^38 is supported by our analysis. But it is not our recommendation.
>>
>> But, speaking now in a personal capacity, I consider that security margin to be
>> too small (i.e. I think that 2^{-32} is too big a success probability).
>
> To be clear, this probability is that an attacker would be able to
> take a huge (4+ Petabyte) ciphertext, and a compatibly sized potential
> (but incorrect) plaintext, and with probability 2^{-32}, be able to
> determine that this plaintext was not the one used for the ciphertext
> (and with probability 0.999999999767..., know nothing about whether
> his guessed plaintext was correct or not).
>
> I'm just trying to get people to understand what we're talking about.
> This is not "with probability 2^{-32}, he can recover the plaintext"
>
>
>> Regards,
>>
>> Kenny
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls