[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Peter C <Peter.C@ncsc.gov.uk> Tue, 20 August 2024 11:02 UTC
Return-Path: <Peter.C@ncsc.gov.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A17CEC151076 for <tls@ietfa.amsl.com>; Tue, 20 Aug 2024 04:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.148, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.453, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6IuaUtCSOwDB for <tls@ietfa.amsl.com>; Tue, 20 Aug 2024 04:02:15 -0700 (PDT)
Received: from GBR01-CWX-obe.outbound.protection.outlook.com (mail-cwxgbr01on2083.outbound.protection.outlook.com [40.107.121.83]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C947C14F70C for <tls@ietf.org>; Tue, 20 Aug 2024 04:02:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=cSifjf+y/28p/ilEuUcCYhJMnuBbyun+CIjT8memjlGw8cjpASybvogsPNUsJRb0X5JQ/MW3Gpj8EkBo5phZQ698lIpDknnL2NqiFB3cLCn4jF+IsBdZn70L8UPAf6sPl3699U5ye8y+odXR2xF1UeIuMWlfTpRw6ejDsJavRx3NM5u4md7uCwVzR7Av4fD/ZsYv5GX7dEUu1KbKdLgiP81Jep5vYmpM72Wo93B1dv4r2r9Ncj33+tsKwM4fxuSD4hYQJwbp1mpmwIRsy8HxdxU4I2PWctJbW7KtGpMtcQ5PTB6Te/lKOa2rTHKy4ZgzgBQT+psDfp9zfTg5DfaFWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=OUMUDMe1r8jsxRTLA/MZ26J6kEAXcqRul+AGklpPezQ=; b=Q+JpL0pVKfxWZzkBsyOT2unoLj/W5Xk4V/10hQgCe7iX51NYFI5hGJrq0tM960x1V+rAHBxXIzPnJ6nyyEDGs7tO17N4SVzGlSu9ORrQBBPU7GSgc//8trDd53FO7O5JlzZyDV2eo8C/RfCaM5P7m+/dL1c8UZxCxWVhNxGuRcSUFDr/URxjiaOZK97ud/YQoLb7mxK+kC7NfZh3cHDm+CQ9NbUJrI9N+pBret1p1PMtZGP0wyOu0pax4kqgybjSzO0aIrRs3TrwdyKgfZ84MBwSY5i9W0DDr/i+pk+FnfQR4+56POJ8QO1z1GYmsGqdGH885gEE8TyAK4CyyRomag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OUMUDMe1r8jsxRTLA/MZ26J6kEAXcqRul+AGklpPezQ=; b=iRg19pkQ6dJU/bp+TrFYJ2LwyN9CDJKJ4kxX1JVB7BqKSOgD1lFcbMI8BOrYzzorCPI25LPgJo4rxazDg8ssQNkqj7gPL/2skTDgPgdrv66uWCdWtiv/l+nFQ6Mr1UBS65ONI/ieLhTOFdmypWtxf20qextIOpLun4jLz0EKo+brhCV0omOdVfFqyRM12ihpHwJhMl/H05OQ+qrGhJXa7JsEO0e/OAHj/KVvzpclC4qM5KFolo11SKUfhCGJJwi6G50rYxUJ37GIBuvgE0yEHjFsYipegSWDAmDzEIHqZgMpxD7JgmvWRD5iXIl/CvYyqk8pVdtH++lAY1vb798J/w==
Received: from LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:31d::15) by CWLP123MB7451.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:1e1::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.25; Tue, 20 Aug 2024 11:02:11 +0000
Received: from LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM ([fe80::b9d:11d:61c5:dba0]) by LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM ([fe80::b9d:11d:61c5:dba0%4]) with mapi id 15.20.7897.014; Tue, 20 Aug 2024 11:02:11 +0000
From: Peter C <Peter.C@ncsc.gov.uk>
To: Felix Günther <mail@felixguenther.info>
Thread-Topic: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Thread-Index: AQHa41ohZxuLH2hwW0qzAG2ALo1VbrISHvQwgAHToACAD5ia8IABesYAgAr+oRA=
Date: Tue, 20 Aug 2024 11:02:11 +0000
Message-ID: <LO2P123MB7051E74F4B10EA5B7CA836A1BC8D2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
References: <c2c0d90e-2cbc-47d5-be85-e266d529c761@tu-darmstadt.de> <LO2P123MB705194B760C522BB24E37DAFBCB22@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <fd2e87d8-8376-47d4-af06-27a8ebd64504@felixguenther.info> <LO2P123MB705175FE3FDE2B08DFF8A1DABC852@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM> <1b418f8d-76fa-4656-9083-8730379c1308@felixguenther.info>
In-Reply-To: <1b418f8d-76fa-4656-9083-8730379c1308@felixguenther.info>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ncsc.gov.uk;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LO2P123MB7051:EE_|CWLP123MB7451:EE_
x-ms-office365-filtering-correlation-id: bc4287a7-2f22-44bd-14be-08dcc1078abe
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|4022899009|1800799024|38070700018;
x-microsoft-antispam-message-info: fPP7qytm9rbwYgQfKkhqcnUS3b5AljkU7TS16wOaLy3cu5t5jvrDV7FPI7p2ZCm4e4b8fprVS3Ag4AYOG9BnEszABAhPJFwxefddTYjZNQunWv4iV3VaQm2xvlJbw73A71SUkK31d6mqOEzN2pFjqKfjNShDddmBzovT6aTf73+LfxpcP6Pulf6MtiWs5CGVY6cKHWrv5mTSg6IHUYwiZEsLcAjTLmtSkqTrMvJBF0izq49iON6ngn3w4fCWHPWFI1odnJqK0B8WwfMdEEUmzGWGatePOCz43qQJvc5Q95hz4dsq6mSjAIH+QiD8dlCbcvearafdsa6CxkT1M2n/juiNE0LMYvKEM6zvyDwCUOBS5xDt3AO+ISjBQ9dtLasrkTf+Pl1DF8F01KghQ0X35ET2eguAg7eCM87akCGEi/hkI7eRl6o6+x0Sr8K8LAD7yqmVBs9lmg5KGGEvjKsxpWQhVdw/7RSHTWEXxbv3KE+rBWlmmI/T4RTfRQEBhHCNo51DaNOdWLcuEowdCH0gUOQSFSd6uQZY1Nb6e4NkvksO54xdAO6jlurNpWAWk/3d4dxQeIRyftYgqu7cCFlxMr8FWPj277hpJ9uk6O/X0HgyBDaP6Uf9NMbEnh+mTuQfx0oPdcc/ASMyrzPK117kGUToGSYBVG0pATdL1iaOQ5FqI4NDlGMbrxkUI+ZjPhkQpkBQQx1/EcW8IUjEzLVfh6vlxZrADl8n3i3He/xg2ZMW8JTE77y5LdWATFuTOyYTKrNDQFALIQ4e6N9QTnnH/HeMinFtgmrs6eIQbT6z6aSr86TdJD1pzD83Nwl06o2RsgjWbJHhpPhMnyIwsGNHr8Y4P2y9PEA32xrJyXJCeYSrAaBNRcN8Gx+Rk63S46vWKCaj4Cr/JEr7yF4KZ/g9myPcdDfW25Cn3OoyQXMqitguJmiV9CDGRYnahKp6xa1deYaVSUlNRh2PaN9IMp0GQ5zSlnKviVao2WxcPzN9F092ZayfysNozTtB0uInsY7muLEGNhVQ4KS2roMfoyvwSTQ1iquJdLeaq/yMICC4LA7NqLbtI/l/NmMk2r3GjVBEhN7Jeu6JUK73U+PTEnS832OnhwB16+iDH3Ch6ptTPf+dd5UnERm35NcZBeVrDIriUwef6Y5Vv/WezMmJBFfrDzryLGd796XYOBjYpqhtuMtRBpu40jYGeyz1SmQ/7wj19Y+FWzwn0EFuw3VKO0N0Hr5IxwHOk/qYpzVP0QaF3yZ5Gv4bBMkuSIPsai7Con6z3NuVXYu1ggXEt3TW8RgQkLCZ71iLDcH0c23of1fj2+UdAI5BD54Fs9y9k0MBqrJ/03MMU2d8qncxnfEuL3GqMbydp3tiOCK3wOI9ZFbnptw=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(4022899009)(1800799024)(38070700018);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: PHt3HvT8HeXI/Dtyu3WEdtnjpwlmq6BVjqnGCwqRoq6mCj6lAhO5G5RUvBRj/gY6HzjSRiVtoSso/zHMVd9D+U4BDgfm7s4pFJhJbmmIAm5WH5q0j/KWikAwkSa0acH1XCa815tOnL979fbKniSWjeOi6NxfqB0XioNpWet9mIL9/kwNsuR0JmBzIDFiPDgJ/OwwsFLropgH9BqssNoxAgnj0tRDmpzpaJaYYa4y6dZj8ZP9rSizAQcBpBEUCZ4QmtCntXxYgIcd015m9GyyZvZzpXYncWyFVpa3wCUFT2J3ELWO+urxYVkfxidE56rWS7QbkP3TtUsVe5xzXTLetkPsyIrEfFExDOaotaUm6reIm0aLqn/UB+5gi+BGVjw4Y+kaqbh7yThjzPhRwNQ17kuls1KhJrIT4iVH9a9eLShBJr2q4hZqRBIWokw0LSz0dsUeA6+K/KyJQtWbo3G8RURYtTuiWKZB0sAGXjTnqiK/zaqLS070q+7D9wIKIr0LibPLtv4Dl+nnBwKQfgJA4HDMj+CCfY/VecL317dEFnj7T9zins0DDIKrUvLWjGw5yhbXq1nQsAQNs5vR5Xf+n6wfN9rM+qVX+XyuroRxncIJvDT79AG67EKDeLO0qwa/2tErr0quO88yClybZGc9LvoDM3ZgZdm6yvpm3D21pQIfZ8XzsMx1cIZBib8v/OzM8vVSptZrOl73D14WICAfF+qx0MjsGllf6i1yc/YrpLQ2tAk1dTqXhOF7OmgxSMHj8olqh1ml+mnPbqJOvpTANN3NWwvQg/7tvLQOPWluZ/XcLWK9g6GE2Tasl3b3IrTB7pu3DZmAXODKzC88sSktvaTwQJKBVREJRYw6w+xmQ2AgJprHXKl9A7UAewuZy4L058ubISgkBLGJMYLkR5og8FadNbh364t27oZs2kTEmyX15a4SFm2zIDjyMJVN1+kBADubmUglL1GcA0wGHwBJwabSUlCA9f40k3tseufrhjSsS2yab7QQ+eHCb9Ywd+7cj2hm/NB6/jtCXt2ihPpTb82XKgM9Rfl+Zazj313u7c9cVL5XSLvEMtZ+wQMU7zQC1goRXA5CKqLuHTxMgbOwD4abkNLadXAXGXOt635d8m/jQd0QNKc9Vj26+NDTdGmge2PsQzIi/M56uyDxHTcY1qMN3OWbi24Us0OT0JEzfcldvTt0mO0kuQOvkWrGOQr9BUekisjZTAwGfSjuJe27lkSXhX4aXabdGERX11HpdRvYEbPlNTea1N9u6I6a+OnoQJOC/pmO42nwZWQfe5aS/1Jol5c5d/j3Crvq+wAxITae/tF8kVJMSJZBG2VKGM+RaeQiNxDGriTDiLJcBsLdfY0Fx3lOxMJ6Ogw5C8gSBEQXRSe0EhjI5kJ/CscVAxKtNtMwMWA5KaT6kNO/uJbLOkmWiRpUVZmBV34uYdYyxxdgYfqc93WulupL+88ND9d0+XnWdqubpudpCf2TKLWR1lbyTl+TGSAkWkq/4zrGJNoJuTzPPLwJupxB/5f1Ht6dJ5/Ptdhj+ymeCB6h+wv3Jvcs7xapXzj8ewx7wbTmfVAfO6wFl6fg1K+xNAZ+7YTR
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: bc4287a7-2f22-44bd-14be-08dcc1078abe
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2024 11:02:11.6082 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: snRsjSFsUWvUujrH7gAnvF2EOBIbKkyaP2xxTs0lMTIKroZvWFdNKBj2yNjAGThDFf6eIE26a4L78yXjVysrBA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWLP123MB7451
Message-ID-Hash: SLWH6YBBMTNSH3B5ELSQCIO45KVKBVPW
X-Message-ID-Hash: SLWH6YBBMTNSH3B5ELSQCIO45KVKBVPW
X-MailFrom: Peter.C@ncsc.gov.uk
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Marc Fischlin <marc.fischlin@tu-darmstadt.de>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nKNfmHRUY9CUwGY1SZmGfRP7oRo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>
Felix, I definitely don't understand something here, so I have tried to abstract things slightly to try to illustrate why I think there might still be an issue. I'm reasonably (but not completely) confident that I haven't abstracted away anything significant. Apologies if I've missed something important. Consider the PQ/ECDH hybrid KEM where the KEM combiner is K = KDF(ss_pq || ss_ec). I think you are essentially arguing that an adversary A that breaks the IND-CCA2 security of the hybrid KEM can be converted into an adversary B that breaks something like PRF-ODH security for the ECDH component. IND-CCA2 is the usual notion. PRF-ODH might need a little explanation in this case. I think it needs to be along the following lines: - The adversary selects ss*_pq for the challenger. - The challenger chooses an ECDH key pair (sk*_ec, pk*_ec) and "ciphertext" ct*_ec, and computes K*_0 = KDF(ss*_pq || ss*_ec) with the corresponding ECDH shared secret ss*_ec. The challenger also chooses a random K*_1 and sets K* = K_b for a random bit b. - The adversary is given the public key pk*_ec, ciphertext ct*_ec, and key K*, and can query an oracle with (ss_pq, ct_ec) =/= (ss*_pq, ct*_ec) to get K = KDF(ss_pq || ss_ec). I agree that adversary B can embed a PRF-ODH challenge into an IND-CCA2 challenge for adversary A. B chooses a PQ key pair (sk*_pq, pk*_pq) and ciphertext ct*_pq, computes the PQ shared secret ss*_pq and uses ss*_pq to request pk*_ec, ct*_ec and K* from the PRF-ODH challenger. The corresponding IND-CCA2 challenge will be the public key (pk*_pq, pk*_ec), ciphertext (ct*_pq, ct*_ec) and key K*. I also agree that B can simulate (to some extent) the decapsulation oracle. Given a query (ct_pq, ct_ec) =/= (ct*_pq, ct*_ec) from A, B uses sk*_pq to compute the PQ shared secret ss_pq, queries the PRF-ODH oracle with (ss_pq, ct_ec) and returns the response to A. In the case of a query (ct_pq, ct*_ec) where ct_pq =/= ct*_pq but ss_pq = ss*_pq, B can indeed identify this and adjust, say, by returning the challenge key K*. I think the issue is that by handling invalid PRF-ODH queries in this way, adversary B may not be able to use adversary A to break PRF-ODH. If the PQ KEM is appropriately weak, then a perfectly reasonable approach to breaking IND-CCA2 for the hybrid KEM is to find a second PQ ciphertext ct_pq =/= ct*_pq that encapsulates the same PQ shared secret ss*_pq and query the decapsulation oracle with (ct_pq, ct*_ec) to see if it returns the challenge key K* or not. In the simulation above, it will always return K* and so A will always conclude that it is the real key, regardless of the PRF-ODH challenger's choice of b. The difference between this and X25519 equivalent public keys is that it is easy to identify the equivalent public keys so both the PRF-ODH and IND-CCA2 games can be adjusted to exclude their use in oracle queries. This is essentially the same as requiring public key validation. I don't believe it's possible to modify the IND-CCA2 game to block equivalent PQ ciphertexts in the same way and even if you could I think it would be a significant deviation from the usual security notion. Sorry for all the details. Hopefully, it's clear enough! Best, Peter > -----Original Message----- > From: Felix Günther <mail@felixguenther.info> > Sent: Tuesday, August 13, 2024 10:51 AM > To: Peter C <Peter.C@ncsc.gov.uk>; Marc Fischlin <marc.fischlin@tu- > darmstadt.de> > Cc: tls@ietf.org > Subject: Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt > > Hi Peter, > > For a broken PQ KEM it could indeed be easy to have distinct ciphertexts > decapsulate to the same shared secret. I don't think this affects the > (EC)DH result holding up though, from how the proof would go in my head. > > In the PRF-ODH/random oracle step of deriving HS from DHE and ss, the > reduction embeds a DH challenge in DHE. It needs to check for DH shares > trivially colliding with the DH challenge (unknown to the reduction), > which it can do. For the shared secret input ss, it would perform KEM > key generation and encapsulation itself (as there's no challenge to > embed here), so it can compute ss itself. > Put differently: the reduction would indeed have access to the KEM > private key, and hence can detect same shared secrets. > > Best, > Felix > > On 2024-08-12 14:03 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote: > > Felix, > > > > I'm not completely sure I understand what you are suggesting, > > but I think it might not be quite as straightforward as that. > > > > In general, if the PQ KEM is not secure then the HS can fail to be > > indistinguishable from random: fixing the ECDH components of > > the hybrid key shares and choosing distinct PQ KEM component > > ciphertexts that encapsulate the same PQ shared secret will give the > > same HS. As an example, consider ML-KEM where the re-encryption > > check is skipped and malformed ciphertexts are never (implicitly) > > rejected. In that case, it is trivial to modify ciphertexts without > > changing the encapsulated shared secret, but I suspect it would be > > hard to reliably detect equivalent ciphertexts without having access > > to the ML-KEM private key. > > > > My guess is that this can be avoided if you assume that the PQ KEM > > satisfies something along the lines of ciphertext second preimage > > resistance from the X-Wing paper > (https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fia.cr%25 > 2F2024%2F039&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cb7ce7a0ed243 > 413e0cd008dcbb7d77c7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C > 0%7C638591394753320161%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL > jAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C% > 7C&sdata=1UMZm9CTSN8uN%2BZGGYk15U3WPiXpz26qBJ50jv48Eko%3D&res > erved=0). It is also > > entirely possible that I'm missing something obvious and a different > > part of the proof rules this out. > > > > Best, > > > > Peter > > > >> -----Original Message----- > >> From: Felix Günther <mail@felixguenther.info> > >> Sent: Friday, August 2, 2024 2:05 PM > >> To: Peter C <Peter.C@ncsc.gov.uk>; Marc Fischlin <marc.fischlin@tu- > >> darmstadt.de> > >> Cc: tls@ietf.org > >> Subject: Re: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt > >> > >> [You don't often get email from mail@felixguenther.info. Learn why this is > >> important at https://aka.ms/LearnAboutSenderIdentification ] > >> > >> Hi Peter, > >> > >> If your question is about what assumption the PQ KEM you still need to > >> make in case it's not IND-CCA secure anymore and you want to fall back > >> to [DOWLING] for the (EC)DH result, I think the answer is: none. > >> (Beyond ensuring unambiguous encoding of KDF inputs, as the draft > >> mandates through fixed-length shared secrets etc.) > >> > >> You would then be treating HKDF.Extract as a random oracle (which for > >> PRF-ODH security is the take-away from [ > >> > https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fia.cr%252 > 52 > >> > F2017%2F517&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C56886bf3e45f4c > >> > 711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0% > >> > 7C638582007420625450%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA > >> > wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C60000%7C%7 > >> > C%7C&sdata=%2BRlEU5oghUgBNo4lKyP5qIjVaARVHCq69n2P%2B50ZDMo%3 > >> D&reserved=0 ]), > >> where the IKM input is augmented with the (possibly > >> adversary-controlled) KEM shared secret. But the encoding would ensure > >> that the argument wrt. ECDH would still apply. > >> > >> Cheers, > >> Felix > >> > >> > >> PS: Sorry for the prior double posting; we were under the impression > >> that Marc's first email didn't get delivered to the list. > >> > >> On 2024-08-01 11:38 +0200, Peter C <Peter.C@ncsc.gov.uk> wrote: > >>> Marc and Felix, > >>> > >>> Thank you both for your replies. > >>> > >>> I can see how this will work for NIST P-256 and X25519 - it is > >>> straightforward to detect the equivalent public and adjust the > >>> output of the simulator accordingly - and I also agree that it is > >>> not a significant change to the PRF-ODH assumption. > >>> > >>> Have you thought how this transfers across to the hybrid key > >>> exchange in draft-ietf-tls-hybrid-design? Do you know what > >>> assumption, if any, you need to make on the PQ KEM to be > >>> able to reuse the argument in [DOWLING]? > >>> > >>> Thanks, > >>> > >>> Peter > >>> > >>>> -----Original Message----- > >>>> From: Marc Fischlin <marc.fischlin@tu-darmstadt.de> > >>>> Sent: Monday, July 29, 2024 4:40 PM > >>>> To: tls@ietf.org > >>>> Subject: [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt > >>>> > >>>> [You don't often get email from marc.fischlin@tu-darmstadt.de. Learn > why > >>>> this is important at https://aka.ms/LearnAboutSenderIdentification ] > >>>> > >>>> Dear all, > >>>> > >>>> Douglas and the other "TLS co-authors" discussed this briefly, but I > >>>> think that Douglas is offline for the next couple of days and asked me > >>>> if I could answer on behalf of the authors. > >>>> > >>>> It is indeed true that the PRF-ODH assumption, as stated, wouldn't be > >>>> comaptible with the usage of the x-coordinate. One needs to be a little > >>>> bit more careful in this case, disallowing the adversary to flip signs > >>>> of curve points. This has been done for example in a paper about the > >>>> security of Bluetooth which I co-authored, where the x-coordinate is > >>>> also used to derive keys. There we adapted the definition accordingly > >>>> (Section 4.1 in > >> > https://eprint.i/ > %2F&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7Cb7ce7a0ed243413e0cd00 > 8dcbb7d77c7%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C63859 > 1394753339561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLC > JQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=r > IjaJxk4fNPxrvrW8%2FqEu15ej2G518Nve6iaNCiywhs%3D&reserved=0 > >> > acr.org%2F2021%2F1597.pdf&data=05%7C02%7CPeter.C%40ncsc.gov.uk%7C5 > >> > 6886bf3e45f4c711da808dcb2f3c83a%7C14aa5744ece1474ea2d734f46dda64a > >> > 1%7C0%7C0%7C638582007420635222%7CUnknown%7CTWFpbGZsb3d8eyJ > >> > WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7 > >> > C60000%7C%7C%7C&sdata=JMYMT3Tf5UyBBAFiV9fIQB3KKfMbmtBlubkPItW > >> YTZY%3D&reserved=0 of this Asiacrypt > >>>> 2021 paper). I don't think that this makes the assumption less > >>>> plausible, only more annoying to deal with in the proofs. > >>>> > >>>> We have also checked that with the modifcation above the TLS proofs > goes > >>>> through as before, one only needs to repeat the extracted key in > >>>> executions which have the same x-coordinate (instead of the same DH > >>>> values as so far). > >>>> > >>>> Hope this helps to clarify. Let me know if you need more details. > >>>> > >>>> Marc Fischlin > >>>> > >>>> _______________________________________________ > >>>> TLS mailing list -- tls@ietf.org > >>>> To unsubscribe send an email to tls-leave@ietf.org
- [TLS] I-D Action: draft-ietf-tls-hybrid-design-10… internet-drafts
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Deirdre Connolly
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Douglas Stebila
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Deirdre Connolly
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Marc Fischlin
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Douglas Stebila
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Felix Günther
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Felix Günther
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Felix Günther
- [TLS]Re: I-D Action: draft-ietf-tls-hybrid-design… Peter C
- [TLS] Re: [TLS]Re: I-D Action: draft-ietf-tls-hyb… Felix Günther