[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Felix Günther <mail@felixguenther.info> Fri, 02 August 2024 13:05 UTC
To: Peter C <Peter.C@ncsc.gov.uk>, Marc Fischlin <marc.fischlin@tu-darmstadt.de>
CC: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/d4a87DJZTVWLOKtBW8DwAKv-oxs>
Hi Peter,

If your question is about what assumption on the PQ KEM you still need to make in case it's not IND-CCA secure anymore and you want to fall back to [DOWLING] for the (EC)DH result, I think the answer is: none. (Beyond ensuring unambiguous encoding of KDF inputs, as the draft mandates through fixed-length shared secrets etc.)

You would then be treating HKDF.Extract as a random oracle (which for PRF-ODH security is the take-away from [ https://ia.cr/2017/517 ]), where the IKM input is augmented with the (possibly adversary-controlled) KEM shared secret. But the encoding would ensure that the argument wrt. ECDH would still apply.

Cheers,
Felix

PS: Sorry for the prior double posting; we were under the impression that Marc's first email didn't get delivered to the list.

On 2024-08-01 11:38 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote:
> Marc and Felix,
>
> Thank you both for your replies.
>
> I can see how this will work for NIST P-256 and X25519 - it is
> straightforward to detect the equivalent public and adjust the
> output of the simulator accordingly - and I also agree that it is
> not a significant change to the PRF-ODH assumption.
>
> Have you thought how this transfers across to the hybrid key
> exchange in draft-ietf-tls-hybrid-design? Do you know what
> assumption, if any, you need to make on the PQ KEM to be
> able to reuse the argument in [DOWLING]?
>
> Thanks,
>
> Peter
>
>> -----Original Message-----
>> From: Marc Fischlin <marc.fischlin@tu-darmstadt.de>
>> Sent: Monday, July 29, 2024 4:40 PM
>> To: tls@ietf.org
>> Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>>
>> Dear all,
>>
>> Douglas and the other "TLS co-authors" discussed this briefly, but I
>> think that Douglas is offline for the next couple of days and asked me
>> if I could answer on behalf of the authors.
>>
>> It is indeed true that the PRF-ODH assumption, as stated, wouldn't be
>> compatible with the usage of the x-coordinate. One needs to be a little
>> bit more careful in this case, disallowing the adversary from flipping signs
>> of curve points. This has been done for example in a paper about the
>> security of Bluetooth which I co-authored, where the x-coordinate is
>> also used to derive keys. There we adapted the definition accordingly
>> (Section 4.1 in https://eprint.iacr.org/2021/1597.pdf of this Asiacrypt
>> 2021 paper). I don't think that this makes the assumption less
>> plausible, only more annoying to deal with in the proofs.
>>
>> We have also checked that with the modification above the TLS proofs go
>> through as before, one only needs to repeat the extracted key in
>> executions which have the same x-coordinate (instead of the same DH
>> values as so far).
>>
>> Hope this helps to clarify. Let me know if you need more details.
>>
>> Marc Fischlin
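As an added illustration of the encoding point in Felix's reply (example code written for this page, not part of the thread and not the draft's own text), the following shows why fixed-length component shared secrets make the HKDF.Extract IKM unambiguous in the hybrid construction: the (EC)DH share and the KEM share are concatenated, and because both lengths are fixed the concatenation parses back uniquely, so an adversary who fully controls the KEM component cannot change which ECDH secret the IKM encodes. It also shows the failure mode the fixed-length rule prevents: with variable-length, undelimited concatenation two different pairs collapse to the same IKM. The 32-byte component lengths, the ECDH-then-KEM ordering, SHA-256, the zero salt and all sample secrets are constructed assumptions for the demo and are not taken from the draft, which fixes its own lengths and ordering per hybrid group.

```python
import hmac
import hashlib

HASH = hashlib.sha256
ECDH_LEN = 32   # assumed component length (e.g. X25519); constructed for the demo
KEM_LEN = 32    # assumed KEM shared-secret length; constructed for the demo

# Constructed sample values; not real handshake secrets.
SAMPLE_ECDH_SS = bytes(range(32))
SAMPLE_KEM_SS = bytes(32)
ATTACKER_KEM_SS = bytes([0xFF]) * 32
ZERO_SALT = bytes(32)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract as in RFC 5869: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hybrid_ikm(ecdh_ss: bytes, kem_ss: bytes) -> bytes:
    """Fixed-length concatenation of the two component shared secrets.

    Rejecting any other length is what keeps the encoding unambiguous.
    """
    if len(ecdh_ss) != ECDH_LEN or len(kem_ss) != KEM_LEN:
        raise ValueError("component shared secret has the wrong length")
    return ecdh_ss + kem_ss


def split_hybrid_ikm(ikm: bytes):
    """Inverse of hybrid_ikm: the split point is fixed, so parsing is unique."""
    if len(ikm) != ECDH_LEN + KEM_LEN:
        raise ValueError("IKM has the wrong length")
    return ikm[:ECDH_LEN], ikm[ECDH_LEN:]


def derive_hybrid_secret(salt: bytes, ecdh_ss: bytes, kem_ss: bytes) -> bytes:
    """Feed the concatenated secret into HKDF.Extract as the key schedule would."""
    return hkdf_extract(salt, hybrid_ikm(ecdh_ss, kem_ss))


def attacker_cannot_alter_ecdh_component(ecdh_ss: bytes, kem_candidates) -> bool:
    """Whatever KEM value is substituted, the parsed ECDH component is unchanged."""
    return all(
        split_hybrid_ikm(hybrid_ikm(ecdh_ss, kem))[0] == ecdh_ss
        for kem in kem_candidates
    )


def rejects_wrong_length() -> bool:
    """A truncated or padded component must be refused, not silently encoded."""
    try:
        hybrid_ikm(SAMPLE_ECDH_SS[:-1], SAMPLE_KEM_SS)
    except ValueError:
        return True
    return False


def variable_length_concat_is_ambiguous() -> bool:
    """The failure mode the fixed-length rule rules out: two distinct
    (ecdh, kem) pairs produce the same IKM when lengths are not fixed."""
    pair_a = (b"\x01\x02", b"\x03")
    pair_b = (b"\x01", b"\x02\x03")
    return pair_a != pair_b and pair_a[0] + pair_a[1] == pair_b[0] + pair_b[1]


if __name__ == "__main__":
    prk = derive_hybrid_secret(ZERO_SALT, SAMPLE_ECDH_SS, SAMPLE_KEM_SS)
    print("PRK:", prk.hex())
    print("ambiguous without fixed lengths:", variable_length_concat_is_ambiguous())
```

The security-relevant reading: because `split_hybrid_ikm` recovers the ECDH component regardless of the KEM value, a random-oracle argument about HKDF.Extract's dependence on the ECDH secret survives an adversary choosing the KEM component; the `variable_length_concat_is_ambiguous` check is the counterexample that would break that argument if the draft did not fix the lengths.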