Douglas,

> > It's not exactly due to the point formats, at least for X25519. The RFC
> > 7748 security considerations highlight that "for each public key, there
> > are several publicly computable public keys that are equivalent to it,
> > i.e., they produce the same shared secrets". Assuming the early secret
> > doesn't change, this means equivalent public keys will produce the same
> > handshake secrets and the same master secrets. The transcript hash does
> > give you different handshake traffic secrets and application traffic
> > secrets, but I think that's too late in the key schedule for [DOWLING].

> The proof in [DOWLING] only aims to prove that the handshake traffic
> secrets and application traffic secrets are secure, not that the handshake
> secrets and master secrets are secure, so for that purpose it should be
> okay that the transcript hash is incorporated a little later in the key
> schedule.

Sorry, I only meant that in Theorem 5.2 the dual-snPRF-ODH assumption is used in Game B.2 to replace the handshake secret with a uniformly random value, which then allows the handshake traffic secrets to be replaced with uniformly random values in Game B.3 using the PRF assumption on HKDF.Expand and the fact that the labels are distinct. Equivalent public keys mean that the handshake secret is not indistinguishable from random and the proof fails at Game B.2. The distinct labels in Game B.3 only imply that the handshake traffic secrets will be different, not that they are indistinguishable.

Peter

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
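The two facts the exchange above relies on can be checked directly: that X25519 has publicly computable equivalent public keys, and that in the TLS 1.3 key schedule the transcript hash enters only after the handshake secret. The following is an added example written for this page; it is not code from the thread, from [DOWLING], or from any TLS implementation. It implements the RFC 7748 ladder in pure Python, derives three encodings equivalent to a given public key (the ignored top bit set, and the x-coordinates of P+T and P-T for a point T of order 8, which vanish under the clamped scalar), and runs the RFC 8446 section 7.1 derivations with SHA-256 and no PSK. The private keys, the search for the order-8 point, and the "transcripts" are constructed for the demonstration and are assumptions of the example, not anything the message states.

```python
# Added example, not code from the thread or [DOWLING]: RFC 7748 X25519 in pure Python,
# three publicly computable public keys equivalent to a given one, and the RFC 8446
# key-schedule steps discussed above (handshake secret, then handshake traffic secrets).
import hashlib
import hmac

P = 2**255 - 19
A = 486662                                            # Curve25519: v^2 = u^3 + A*u^2 + u
L = 2**252 + 27742317777372353535851937790883648493   # order of the base point u = 9

def ladder(k: int, u: int) -> int:
    """x-only Montgomery ladder of RFC 7748 section 5; k is used unclamped."""
    x1 = x3 = u % P
    x2, z2, z3, swap = 1, 0, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + (A - 2) // 4 * e) % P     # (A-2)/4 = 121665
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P - 2, P) % P

def x25519(k: bytes, u: bytes) -> bytes:
    kb, ub = bytearray(k), bytearray(u)
    kb[0], kb[31] = kb[0] & 248, (kb[31] & 127) | 64   # clamping: scalar is a multiple of 8
    ub[31] &= 127                                      # top bit of the u-coordinate is ignored
    r = ladder(int.from_bytes(kb, "little"), int.from_bytes(ub, "little"))
    return r.to_bytes(32, "little")

def enc(u: int) -> bytes:
    return u.to_bytes(32, "little")

def order8_point() -> int:
    """x of a point T of order 8: T = L*R for the first small curve point R that works."""
    for x in range(2, 1000):
        on_curve = pow((x**3 + A * x * x + x) % P, (P - 1) // 2, P) == 1   # not on the twist
        t = ladder(L, x) if on_curve else 0
        if ladder(2, t) in (1, P - 1):            # 2T has order 4, hence T has order 8
            return t
    raise RuntimeError("no order-8 point found")

def sqrt_mod_p(a: int) -> int:
    r = pow(a, (P + 3) // 8, P)
    r = r if (r * r - a) % P == 0 else r * pow(2, (P - 1) // 4, P) % P   # p = 5 (mod 8)
    if (r * r - a) % P:
        raise ValueError("not a square")
    return r

def torsion_equivalents(u: int, t: int) -> tuple:
    """x(P+T) and x(P-T) from x(P)=u, x(T)=t, for P, T on the curve with P != +-T.
    Montgomery's x-only identities give their sum and product: roots of one quadratic."""
    inv_d2 = pow((u - t) % P, P - 3, P)                            # 1/(u-t)^2
    s = 2 * ((u * t + 1) * (u + t) + 2 * A * u * t) * inv_d2 % P
    root = sqrt_mod_p((s * s - 4 * (u * t - 1) ** 2 * inv_d2) % P)
    half = (P + 1) // 2                                            # 1/2 mod p
    return ((s + root) * half % P, (s - root) * half % P)

def equivalent_public_keys(pk: bytes) -> list:
    """Encodings != pk that give the same X25519 output as pk with every clamped scalar."""
    plus_t, minus_t = torsion_equivalents(int.from_bytes(pk, "little"), order8_point())
    high_bit = pk[:31] + bytes([pk[31] | 0x80])         # same u, ignored top bit set
    return [high_bit, enc(plus_t), enc(minus_t)]        # k*(P+-T) = k*P because 8 | k

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(secret: bytes, label: bytes, ctx: bytes, n: int) -> bytes:
    lbl = b"tls13 " + label
    info = n.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([len(ctx)]) + ctx
    t, out, i = b"", b"", 1
    while len(out) < n:
        t = hmac.new(secret, t + info + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:n]

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, hashlib.sha256(transcript).digest(), 32)

def handshake_secrets(ecdhe: bytes, transcript: bytes) -> tuple:
    """RFC 8446 7.1, SHA-256, no PSK: (handshake secret, client and server hs traffic secrets)."""
    early = hkdf_extract(b"\x00" * 32, b"\x00" * 32)
    hs = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe)   # transcript not used yet
    return (hs, derive_secret(hs, b"c hs traffic", transcript),
            derive_secret(hs, b"s hs traffic", transcript))

def demo() -> dict:
    a, b = bytes(range(32)), bytes(range(32, 64))   # constructed private keys, not real ones
    keys = [x25519(a, enc(9))]
    keys += equivalent_public_keys(keys[0])
    shared = [x25519(b, pk) for pk in keys]         # four encodings, one shared secret
    # Constructed transcripts that differ only in which encoding of A's key_share was sent.
    sched = [handshake_secrets(shared[0], b"ClientHello|key_share=" + pk) for pk in keys]
    return {"shared": shared, "schedule": sched}
```

Running `demo()` gives four distinct key_share encodings, one shared secret and one handshake secret, and four different pairs of handshake traffic secrets: the transcript separates the traffic secrets, as the quoted reply says, but nothing separates the handshake secrets. A fourth class of equivalent encodings, the non-canonical values u + p accepted by RFC 7748, exists only for u < 19, so it does not arise for a randomly generated key; the test below checks it on the base point (9 and 9 + p) for completeness.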