[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Peter C <Peter.C@ncsc.gov.uk> Thu, 01 August 2024 09:38 UTC
From: Peter C <Peter.C@ncsc.gov.uk>
To: Marc Fischlin <marc.fischlin@tu-darmstadt.de>
Date: Thu, 01 Aug 2024 09:38:30 +0000
Message-ID: <LO2P123MB705194B760C522BB24E37DAFBCB22@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
References: <c2c0d90e-2cbc-47d5-be85-e266d529c761@tu-darmstadt.de>
In-Reply-To: <c2c0d90e-2cbc-47d5-be85-e266d529c761@tu-darmstadt.de>
CC: "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e7sHXFhfzWClGDO7X5AkRsYw-RY>
Marc and Felix,

Thank you both for your replies. I can see how this will work for NIST P-256 and X25519 - it is straightforward to detect the equivalent public and adjust the output of the simulator accordingly - and I also agree that it is not a significant change to the PRF-ODH assumption.

Have you thought how this transfers across to the hybrid key exchange in draft-ietf-tls-hybrid-design? Do you know what assumption, if any, you need to make on the PQ KEM to be able to reuse the argument in [DOWLING]?

Thanks,

Peter

> -----Original Message-----
> From: Marc Fischlin <marc.fischlin@tu-darmstadt.de>
> Sent: Monday, July 29, 2024 4:40 PM
> To: tls@ietf.org
> Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
>
> Dear all,
>
> Douglas and the other "TLS co-authors" discussed this briefly, but I
> think that Douglas is offline for the next couple of days and asked me
> if I could answer on behalf of the authors.
>
> It is indeed true that the PRF-ODH assumption, as stated, wouldn't be
> compatible with the usage of the x-coordinate. One needs to be a little
> bit more careful in this case, disallowing the adversary to flip signs
> of curve points. This has been done for example in a paper about the
> security of Bluetooth which I co-authored, where the x-coordinate is
> also used to derive keys. There we adapted the definition accordingly
> (Section 4.1 in https://eprint.iacr.org/2021/1597.pdf of this Asiacrypt
> 2021 paper). I don't think that this makes the assumption less
> plausible, only more annoying to deal with in the proofs.
>
> We have also checked that with the modification above the TLS proofs go
> through as before, one only needs to repeat the extracted key in
> executions which have the same x-coordinate (instead of the same DH
> values as so far).
>
> Hope this helps to clarify. Let me know if you need more details.
>
> Marc Fischlin
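An added illustration of the sign-flip issue discussed above, for the P-256 case only; this is not code from the thread, the draft, or the cited papers. It is a toy affine-coordinate P-256 (not constant time) showing that a public point Q and its negation -Q give the same x-coordinate of the shared point, and a PRF-ODH-style simulator (`sim_query`, a constructed name) that keys its table on that x-coordinate so the two "equivalent" queries receive the same key.

```python
import secrets
# NIST P-256 domain parameters (standard values written out here)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def negate(pt):
    """The sign-flipped point -Q: same x-coordinate, y -> -y."""
    return (pt[0], (-pt[1]) % P)

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def ecdh_x(d, peer_pub):
    """TLS-style ECDHE shared secret: only the x-coordinate of d*Q."""
    return mul(d, peer_pub)[0]

def sim_query(table, d, peer_pub, label):
    """PRF-ODH-style oracle: Q and -Q give the same shared x, so they
    land on the same table entry and receive the same simulated key."""
    shared_x = ecdh_x(d, peer_pub)
    return table.setdefault((shared_x, label), secrets.token_bytes(32))
```

The point d*Q and d*(-Q) differ in y but not in x, which is why a simulator keyed on the full DH value would answer the two queries inconsistently while one keyed on the x-coordinate does not.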