Thom and Ilari,
TW> We should currently be using full HPKE, we're just wrapping it in
TW> some KEM operations. But this is something I haven't looked at
TW> too deeply either.

Can I check what you mean here? Are you using the KEM by itself, HPKE with single-shot secret export, HPKE with single-shot encryption, or something else entirely? I'd assumed the first one based on the references to DHKEM.

TW> The KEM used for authentication indeed needs to be IND-CCA secure,
TW> but so does the KEM for ephemeral key exchange (IND-1CCA, at least).
TW> The TLS key schedule should ensure that this all goes correctly, if
TW> I recall the discussion on the concatenation of the secrets and
TW> is-HKDF-a-dual-PRF discussion.

IL> I thought key exchange only needs absolute minimum to avoid trivial
IL> breakage (one-wayness)?

TW> Surprisingly, it turns out that IND-CPA is not exactly sufficient. The
TW> TLS 1.3 proof by Dowling et al. [1] established that you need PRF-ODH
TW> for the ephemeral key exchange. Very similarly, in TLS 1.3 and KEMTLS,
TW> in the indistinguishability experiment we need to be able to answer a
TW> single decapsulation oracle query to properly answer the adversary's
TW> queries: this is due to the fact that the server immediately uses the
TW> encapsulated/DH shared secret to encrypt handshake messages.

The argument that draft-tls-westerbaan-xyber768d00 should be fine is supported by the IND-CCA result from Petcher and Campagna [3]. However, this doesn't plug directly into [1] or [2] because the boundary of the KEM is different. In [1] and [2], the PRF-ODH/IND-CCA assumption ensures that the Handshake Secret is indistinguishable. With draft-tls-westerbaan-xyber768d00, the Handshake Secret will be distinguishable and [3] only guarantees that the various Traffic Secrets are indistinguishable (and indistinguishable from each other). This feels like it should be enough, but it would be reassuring if someone could go through the details. Something similar will be true for AuthKEM.
With draft-westerbaan-cfrg-hpke-xyber768d00, [3] only guarantees that the Authenticated Traffic Secrets are indistinguishable (and indistinguishable from each other). I'm not familiar enough with the KEMTLS proofs to know how significant a change this is.

Peter

[1] Dowling, Fischlin, Günther and Stebila. "A cryptographic analysis of the TLS 1.3 handshake protocol candidates", https://eprint.iacr.org/2015/914.
[2] Huguenin-Dumittan and Vaudenay. "On IND-qCCA security in the ROM and its applications: CPA security is sufficient for TLS 1.3", https://ia.cr/2021/844.
[3] Petcher and Campagna. "Security of hybrid key establishment using concatenation", https://ia.cr/2023/972.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls