[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Marc Fischlin <marc.fischlin@tu-darmstadt.de> Mon, 29 July 2024 15:40 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xZmD0J0WMAaQnJ8UzcLXS9y4bAI>
Dear all,

Douglas and the other "TLS co-authors" discussed this briefly, but I think that Douglas is offline for the next couple of days and asked me if I could answer on behalf of the authors.

It is indeed true that the PRF-ODH assumption, as stated, wouldn't be compatible with the usage of the x-coordinate. One needs to be a little bit more careful in this case, disallowing the adversary from flipping signs of curve points. This has been done for example in a paper about the security of Bluetooth which I co-authored, where the x-coordinate is also used to derive keys. There we adapted the definition accordingly (Section 4.1 in https://eprint.iacr.org/2021/1597.pdf of this Asiacrypt 2021 paper). I don't think that this makes the assumption less plausible, only more annoying to deal with in the proofs.

We have also checked that with the modification above the TLS proofs go through as before, one only needs to repeat the extracted key in executions which have the same x-coordinate (instead of the same DH values as so far).

Hope this helps to clarify. Let me know if you need more details.

Marc Fischlin
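The sign-flip issue described in the message, as an added illustration that is not part of the original email or of the draft: on any short Weierstrass curve, a point V and its negation -V share the same x-coordinate, so a key derived only from x(u*V) is identical to one derived from x(u*(-V)). An ODH oracle that forbids only the exact query S = V therefore leaks the challenge key through the query S = -V, while the adapted rule (refuse every S with x(S) = x(V)) closes that gap. The example uses secp256k1 for compactness (an assumption, not the draft's curve choice) and a constructed HMAC-SHA256 key derivation; `prf`, `odh_oracle` and `sign_flip_query` are hypothetical names.

```python
import hashlib
import hmac

# secp256k1: y^2 = x^3 + 7 over F_P (assumed here only for illustration)
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, q):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1: r = ec_add(r, q)
        q = ec_add(q, q); k >>= 1
    return r

def ec_neg(q):
    """-Q keeps the x-coordinate and negates y."""
    return (q[0], (-q[1]) % P)

def prf(shared_x, label):
    """Constructed KDF keyed on the x-coordinate only, as in ECDHE-based TLS."""
    return hmac.new(shared_x.to_bytes(32, "big"), label, hashlib.sha256).digest()

def odh_oracle(u, V, S, label, x_only_rule):
    """PRF-ODH oracle of the party holding secret u.
    Classic rule: refuse only S == V.  Adapted rule: refuse any S with x(S) == x(V)."""
    forbidden = (S[0] == V[0]) if x_only_rule else (S == V)
    return None if forbidden else prf(ec_mul(u, S)[0], label)

def sign_flip_query(u, v, label, x_only_rule):
    """Returns True if querying the oracle on -V hands back the challenge key."""
    V = ec_mul(v, G)
    challenge = prf(ec_mul(u, V)[0], label)      # the key the game asks to distinguish
    return odh_oracle(u, V, ec_neg(V), label, x_only_rule) == challenge
```

Under the classic rule the query on -V succeeds; under the adapted rule it is refused, which is exactly the extra restriction the proofs need.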