[TLS]Re: I-D Action: draft-ietf-tls-hybrid-design-10.txt
Felix Günther <mail@felixguenther.info> Wed, 31 July 2024 07:37 UTC
From: Felix Günther <mail@felixguenther.info>
To: tls@ietf.org
In-Reply-To: <LO2P123MB7051E29B165EFEC592222197BCAB2@LO2P123MB7051.GBRP123.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xueinDVUvcThgzjApnd_44sVJKg>
Hi Peter,

We discussed this among the [DOWLING] authors; Douglas asked me to chime in here as he's offline the next couple of days.

It is indeed true that the PRF-ODH assumption, as stated in [DOWLING] and https://ia.cr/2017/517, wouldn't be compatible when using the x-coordinate only, or with clamping. One needs to be a little bit more careful in these cases, disallowing the PRF-ODH adversary to make queries on trivially colliding points (e.g., by flipping signs, or adding small-order points). This has been done for example in a paper about the security of Bluetooth by Fischlin (co-author of [DOWLING]) and Sanina [ https://ia.cr/2021/1597 ], where the x-coordinate is also used to derive keys. There, they adapted the PRF-ODH definition accordingly (Section 4.1). We don't think that this makes the assumption less plausible, only a bit more tedious to define and deal with in the proofs.

Concretely for TLS 1.3, the reduction to sn-PRF-ODH for Theorem 5.2 in Game B.2 would perform the relevant collision checks upon a modified g^v' received by the partner session, and use the same uniform random string as in the test session for such collisions. (The session hash in later key derivation steps still ensures they'll derive independent keys.) This matches the PRF-ODH assumption with the restricted modifications as mentioned above; the TLS proof then goes through as before.

As for the PQ3 protocol also brought up in this, from a quick glance similar arguments seem to apply: the PRF-ODH reductions already check whether "the same V" is received, hence the collision check can be added there, too.

Hope this helps to clarify. We plan to update the eprint version https://ia.cr/2020/1044 of [DOWLING] accordingly. Let us know if you need more details.

Best,
Felix (with Ben, Douglas, Marc)

On 2024-07-26 00:19 +0200, Peter C <Peter.C=40ncsc.gov.uk@dmarc.ietf.org> wrote:
> Douglas,
>
>>> It's not exactly due to the point formats, at least for X25519. The RFC 7748
>>> security considerations highlight that "for each public key, there are several
>>> publicly computable public keys that are equivalent to it, i.e., they produce
>>> the same shared secrets". Assuming the early secret doesn't change, this
>>> means equivalent public keys will produce the same handshake secrets and
>>> the same master secrets. The transcript hash does give you different
>>> handshake traffic secrets and application traffic secrets, but I think that's too
>>> late in the key schedule for [DOWLING].
>
>> The proof in [DOWLING] only aims to prove that the handshake traffic secrets
>> and application traffic secrets are secure, not that the handshake secrets and
>> master secrets are secure, so for that purpose it should be okay that the
>> transcript hash is incorporated a little later in the key schedule.
>
> Sorry, I only meant that in Theorem 5.2 the dual-snPRF-ODH assumption is used
> in Game B.2 to replace the handshake secret with a uniformly random value which
> then allows the handshake traffic secrets to be replaced with uniformly random
> values in Game B.3 using the PRF assumption on HKDF.Expand and the fact that
> the labels are distinct. Equivalent public keys mean that the handshake secret
> is not indistinguishable from random and the proof fails at Game B.2. The distinct
> labels in Game B.3 only imply that the handshake traffic secrets will be different,
> not that they are indistinguishable.
>
> Peter
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-leave@ietf.org
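Added illustration, not part of the thread or of [DOWLING]: a pure-Python X25519 (RFC 7748 ladder, branching rather than constant-time) that exhibits the "trivially colliding" public keys the discussion is about for the X25519 case, plus the kind of collision check a PRF-ODH reduction would apply before treating a received V' as a fresh query. The two equivalences shown (a non-canonical encoding with bit 255 set, and u -> 1/u, which is P plus the order-2 point) are the only ones covered; the remaining small-order cases are noted but not implemented.

```python
# Added example (not from the thread): pure-Python X25519 per RFC 7748 (branching
# ladder, demo only) used to exhibit "trivially colliding" public keys.
P = 2**255 - 19
A24 = 121665                      # (A - 2) / 4 for Curve25519's A = 486662
BASEPOINT = (9).to_bytes(32, "little")

def decode_scalar(k: bytes) -> int:
    """RFC 7748 clamping: the scalar becomes a multiple of 8 with bit 254 set."""
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def decode_u(u: bytes) -> int:
    """RFC 7748 masks bit 255 of the encoding, so that bit carries no information."""
    return (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P

def x25519(k: bytes, u: bytes) -> bytes:
    k_int, x1 = decode_scalar(k), decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def equivalent_public_keys(pk: bytes) -> list:
    """Two publicly computable keys equivalent to pk: (1) bit 255 set, which
    decode_u strips; (2) u -> 1/u mod p, the u-coordinate of P + T for the
    order-2 point T = (0, 0); k*(P + T) = k*P because clamped k is even."""
    u = decode_u(pk)
    return [(u | (1 << 255)).to_bytes(32, "little"),
            pow(u, P - 2, P).to_bytes(32, "little")]

def same_class(pk_a: bytes, pk_b: bytes) -> bool:
    """Collision check of the kind a PRF-ODH reduction applies before treating a
    received V' as a fresh query. Covers only the two cases above; the order-4
    and order-8 torsion cases need full point arithmetic."""
    ua, ub = decode_u(pk_a), decode_u(pk_b)
    return ua == ub or ua * ub % P == 1
```

With constructed private keys, `x25519(bob_sk, eq)` returns the same shared secret for Alice's real public key and for each entry of `equivalent_public_keys(alice_pk)`, which is exactly why such V' must be folded into the same query rather than counted as a distinct one.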