Douglas,

> > It's not exactly due to the point formats, at least for X25519.  The RFC 7748
> > security considerations highlight that "for each public key, there are several
> > publicly computable public keys that are equivalent to it, i.e., they produce
> > the same shared secrets".  Assuming the early secret doesn't change, this
> > means equivalent public keys will produce the same handshake secrets and
> > the same master secrets.  The transcript hash does give you different
> > handshake traffic secrets and application traffic secrets, but I think that's too
> > late in the key schedule for [DOWLING].

> The proof in [DOWLING] only aims to prove that the handshake traffic secrets
> and application traffic secrets are secure, not that the handshake secrets and
> master secrets are secure, so for that purpose it should be okay that the
> transcript hash is incorporated a little later in the key schedule.

Sorry, I only meant that in Theorem 5.2 the dual-snPRF-ODH assumption is used
in Game B.2 to replace the handshake secret with a uniformly random value which
then allows the handshake traffic secrets to be replaced with uniformly random
values in Game B.3 using the PRF assumption on HKDF.Expand and the fact that
the labels are distinct.  Equivalent public keys mean that the handshake secret
is not indistinguishable from random and the proof fails at Game B.2.  The distinct
labels in Game B.3 only imply that the handshake traffic secrets will be different,
not that they are indistinguishable.

Peter
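Added example, not code from the thread or from [DOWLING]: a pure-Python X25519 (RFC 7748) feeding the TLS 1.3 key schedule (RFC 8446 section 7.1, no PSK), to show concretely what the exchange above is about. A public key with bit 255 of u set is one of RFC 7748's "publicly computable" equivalents, since X25519 masks that bit; it yields the same handshake secret, and only the transcript hash (which contains the key bytes) separates the handshake traffic secrets. Key and transcript bytes are constructed samples, and the ladder is not constant-time.

```python
import hashlib, hmac

P = 2**255 - 19  # field prime for Curve25519

def x25519(k_bytes: bytes, u_bytes: bytes) -> bytes:
    # RFC 7748 X25519: clamp the scalar, discard bit 255 of u, run the Montgomery ladder
    k = bytearray(k_bytes); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    u = (int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):            # ladder is not constant-time; demo only
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    # HKDF-Expand-Label with the HkdfLabel encoding of RFC 8446 section 7.1 (one output block)
    lbl = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([len(context)]) + context
    return hmac.new(secret, info + b"\x01", hashlib.sha256).digest()[:length]

def handshake_secrets(client_priv: bytes, server_pub: bytes, transcript: bytes):
    # TLS 1.3 key schedule without a PSK, from the (EC)DHE input to the client handshake traffic secret
    early = hkdf_extract(b"\x00" * 32, b"\x00" * 32)
    derived = hkdf_expand_label(early, b"derived", hashlib.sha256(b"").digest())
    hs = hkdf_extract(derived, x25519(client_priv, server_pub))   # transcript not involved yet
    c_hs = hkdf_expand_label(hs, b"c hs traffic", hashlib.sha256(transcript).digest())
    return hs, c_hs

def equivalent_key_demo():
    # Constructed sample keys; alt_pub differs from server_pub only in bit 255 of u, which X25519 masks off
    client_priv, server_pub = bytes(range(32, 64)), bytes(range(32))
    alt_pub = server_pub[:31] + bytes([server_pub[31] | 0x80])
    hs1, c1 = handshake_secrets(client_priv, server_pub, b"CH|SH:" + server_pub)
    hs2, c2 = handshake_secrets(client_priv, alt_pub, b"CH|SH:" + alt_pub)
    return hs1 == hs2, c1 == c2   # handshake secret identical, traffic secret differs
```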
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org