Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
Atul Luykx <Atul.Luykx@esat.kuleuven.be> Wed, 13 July 2016 12:30 UTC
Return-Path: <atul.luykx@esat.kuleuven.be>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD2412D7A4 for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 05:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level:
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KK-MqgnKWH4N for <tls@ietfa.amsl.com>; Wed, 13 Jul 2016 05:30:35 -0700 (PDT)
Received: from cavuit01.kulnet.kuleuven.be (rhcavuit01.kulnet.kuleuven.be [IPv6:2a02:2c40:0:c0::25:129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D40412DDC4 for <tls@ietf.org>; Wed, 13 Jul 2016 05:30:34 -0700 (PDT)
X-KULeuven-Envelope-From: atul.luykx@esat.kuleuven.be
X-KULeuven-Scanned: Found to be clean
X-KULeuven-ID: CB1C5138034.A270A
X-KULeuven-Information: Katholieke Universiteit Leuven
Received: from icts-p-smtps-1.cc.kuleuven.be (icts-p-smtps-1e.kulnet.kuleuven.be [134.58.240.33]) by cavuit01.kulnet.kuleuven.be (Postfix) with ESMTP id CB1C5138034 for <tls@ietf.org>; Wed, 13 Jul 2016 14:30:26 +0200 (CEST)
Received: from hydrogen.esat.kuleuven.be (hydrogen.esat.kuleuven.be [134.58.56.153]) by icts-p-smtps-1.cc.kuleuven.be (Postfix) with ESMTP id 66521403B; Wed, 13 Jul 2016 14:30:25 +0200 (CEST)
Received: from cobalt.esat.kuleuven.be (cobalt.esat.kuleuven.be [134.58.56.187]) by hydrogen.esat.kuleuven.be (Postfix) with ESMTP id 63B426002E; Wed, 13 Jul 2016 14:30:25 +0200 (CEST)
Received: from webmail.esat.kuleuven.be (localhost [127.0.0.1]) by cobalt.esat.kuleuven.be (Postfix) with ESMTP id 6008D40; Wed, 13 Jul 2016 14:30:25 +0200 (CEST)
Received: from marckloff.esat.kuleuven.be ([10.33.137.112]) by webmail.esat.kuleuven.be with HTTP (HTTP/1.1 POST); Wed, 13 Jul 2016 14:30:25 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Wed, 13 Jul 2016 14:30:25 +0200
X-Kuleuven: This mail passed the K.U.Leuven mailcluster
From: Atul Luykx <Atul.Luykx@esat.kuleuven.be>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
In-Reply-To: <D3AB99DD.27C8B%qdang@nist.gov>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <D3AA5BD6.27AC0%qdang@nist.gov> <D3AAB674.709EA%kenny.paterson@rhul.ac.uk> <D3AA7549.27B09%qdang@nist.gov> <d1f35d74e93b4067bf17f587b904ebff@XCH-RTP-006.cisco.com> <D3AAD721.70A11%kenny.paterson@rhul.ac.uk> <D3AA9B01.27B9F%qdang@nist.gov> <D3AAE2B7.70A78%kenny.paterson@rhul.ac.uk> <ede4e2ffadd142f781e7a9c04081c825@XCH-RTP-006.cisco.com> <0ad33f70cbe2aabba1f16f4cac876b0f@esat.kuleuven.be> <D3AB99DD.27C8B%qdang@nist.gov>
Message-ID: <553ea052cc05b4f7315e19c943b0c2b0@esat.kuleuven.be>
X-Sender: aluykx@esat.kuleuven.be
User-Agent: ESAT webmail service, powered by Roundcube
X-Virus-Scanned: clamav-milter 0.99.2 at cobalt
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u1y5Nf4_lFkFWild4E-iMeoNVHE>
Cc: tls@ietf.org
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 12:30:38 -0000
Hey Quynh, > How can one use the distinguishing attack with the data complexity > bound I > suggested for recovering 1 bit of the encryption key in the context of > TLS > ? You cannot recover any bits of the encryption key unless you attack AES. No-one, as far as I know, has analyzed what kind of attacks one can perform against GCM around and beyond the birthday bound (except for the forgery attacks, which require repeated nonces or known forgeries). However, for CTR mode, the underlying encryption of GCM, David McGrew typed up a document describing an attack one could perform to recover information about the plaintext: http://eprint.iacr.org/2012/623 He describes it for 64 bit block ciphers, but the attacks work equally well for 128 bit block ciphers, at a higher data complexity of course. Basically, there are a lot of unknowns, and it could be that the bounds you recommend will be good enough in practice. However, it's important to be clear about the risks involved in venturing into unknown territory. Atul On 2016-07-13 13:14, Dang, Quynh (Fed) wrote: > Hi Atul, > > On 7/12/16, 3:50 PM, "Atul Luykx" <Atul.Luykx@esat.kuleuven.be> wrote: > >>> To be clear, this probability is that an attacker would be able to >>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized >>> potential >>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>> determine that this plaintext was not the one used for the ciphertext >>> (and with probability 0.999999999767..., know nothing about whether >>> his guessed plaintext was correct or not). >> >> You need to be careful when making such claims. There are schemes for >> which when you reach the birthday bound you can perform partial key >> recovery. >> >> The probabilities we calculated guarantee that there won't be any >> attacks (with the usual assumptions...). Beyond the bounds, there are >> no >> guarantees. In particular, you cannot conclude that one, for example, >> loses 1 bit of security once beyond the birthday bound. > > How can one use the distinguishing attack with the data complexity > bound I > suggested for recovering 1 bit of the encryption key in the context of > TLS > ? > > > Regards, > Quynh. > > > > >> >> Atul >> >> On 2016-07-12 20:06, Scott Fluhrer (sfluhrer) wrote: >>>> -----Original Message----- >>>> From: Paterson, Kenny [mailto:Kenny.Paterson@rhul.ac.uk] >>>> Sent: Tuesday, July 12, 2016 1:17 PM >>>> To: Dang, Quynh (Fed); Scott Fluhrer (sfluhrer); Eric Rescorla; >>>> tls@ietf.org >>>> Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt >>>> >>>> Hi >>>> >>>> On 12/07/2016 18:04, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> >>>> wrote: >>>> >>>> >Hi Kenny, >>>> > >>>> >On 7/12/16, 12:33 PM, "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> >>>> wrote: >>>> > >>>> >>Finally, you write "to come to the 2^38 record limit, they assume >>>> that >>>> >>each record is the maximum 2^14 bytes". For clarity, we did not >>>> >>recommend a limit of 2^38 records. That's Quynh's preferred number, >>>> >>and is unsupported by our analysis. >>>> > >>>> >What is problem with my suggestion even with the record size being the >>>> >maximum value? >>>> >>>> There may be no problem with your suggestion. I was simply trying to >>>> make it >>>> clear that 2^38 records was your suggestion for the record limit and >>>> not ours. >>>> Indeed, if one reads our note carefully, one will find that we do >>>> not >>>> make any >>>> specific recommendations. We consider the decision to be one for the >>>> WG; >>>> our preferred role is to supply the analysis and help interpret it >>>> if >>>> people >>>> want that. Part of that involves correcting possible misconceptions >>>> and >>>> misinterpretations before they get out of hand. >>>> >>>> Now 2^38 does come out of our analysis if you are willing to accept >>>> single key >>>> attack security (in the indistinguishability sense) of 2^{-32}. So >>>> in >>>> that limited >>>> sense, 2^38 is supported by our analysis. But it is not our >>>> recommendation. >>>> >>>> But, speaking now in a personal capacity, I consider that security >>>> margin to be >>>> too small (i.e. I think that 2^{-32} is too big a success >>>> probability). >>> >>> To be clear, this probability is that an attacker would be able to >>> take a huge (4+ Petabyte) ciphertext, and a compatibly sized >>> potential >>> (but incorrect) plaintext, and with probability 2^{-32}, be able to >>> determine that this plaintext was not the one used for the ciphertext >>> (and with probability 0.999999999767..., know nothing about whether >>> his guessed plaintext was correct or not). >>> >>> I'm just trying to get people to understand what we're talking about. >>> This is not "with probability 2^{-32}, he can recover the plaintext" >>> >>> >>>> >>>> Regards, >>>> >>>> Kenny >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Peter Gutmann
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt David McGrew
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Watson Ladd
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Hubert Kario
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Benjamin Kaduk
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Atul Luykx
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- [TLS] TLS 1.3 signature algorithms in TLS 1.2 David Benjamin
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Scott Fluhrer (sfluhrer)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- [TLS] New draft: draft-ietf-tls-tls13-14.txt Eric Rescorla
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dave Garrett
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Ilari Liusvaara
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Dang, Quynh (Fed)
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny
- Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt Paterson, Kenny