Hi all, I'm reading draft-ietf-tls-hybrid-design-16 and would like clarification on the claim in Section 6:
"Under the assumption that shared secrets are fixed length once the combination is fixed, the construction from Section 3.3 corresponds to the dual-PRF combiner of [BINDEL] which is shown to preserve security under the assumption that the hash function is a dual-PRF."

Section 3.3 uses a concatenation-based combined secret that feeds directly into the TLS 1.3 key schedule, i.e.:

    concatenated_shared_secret = ss1 || ss2
    HandshakeSecret = HKDF-Extract(derived_secret, concatenated_shared_secret)

My concern is about the meaning of "corresponds to the dual-PRF combiner of [BINDEL]". Bindel's dual-PRF combiner is typically expressed as PRF(dPRF(k1,k2), c1||c2), where dPRF is the dual PRF function.

By contrast, in the TLS construction above, both secrets are placed into the IKM/message input of HKDF-Extract, while the HKDF-Extract salt is derived_secret. Formally, if HKDF-Extract is viewed as dPRF, this looks like dPRF(derived_secret, ss1||ss2) rather than dPRF(ss1,ss2).

Could you clarify what exact correspondence is intended here? How does the security of dPRF(k1,k2) (from the Bindel paper) imply the security of dPRF(derived_secret, ss1||ss2)?

[1] Nina Bindel, Jacqueline Brendel, Marc Fischlin, Brian Goncalves, and Douglas Stebila, "Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange," 2018, ePrint 2018/903. Available: https://eprint.iacr.org/2018/903

Thanks,
Jiawei
_______________________________________________ TLS mailing list -- [email protected] To unsubscribe send an email to [email protected]
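A small Python model of the two constructions the message compares, added here as an illustration; it is not code from the message, the draft, or the Bindel et al. paper. HKDF-Extract follows RFC 5869 with HMAC-SHA256. In the Bindel-style function HMAC-SHA256 also stands in for both dPRF and PRF, which is an assumption of this illustration, not an instantiation the post or the paper fixes. All secrets, the derived_secret placeholder and the context strings are constructed values. Beyond the two shapes themselves, the block shows why the draft's "fixed length" assumption matters for the Section 3.3 shape: with variable-length secrets, two different (ss1, ss2) pairs can produce the same ss1 || ss2 and therefore the same HandshakeSecret, whereas the Bindel form takes k1 and k2 as separate dPRF arguments.

```python
"""Illustration of HKDF-Extract(derived_secret, ss1 || ss2) versus PRF(dPRF(k1, k2), c1 || c2).

Added example for the discussion above; not code from the draft, the message,
or the [BINDEL] paper. HMAC-SHA256 is used throughout (an assumption here).
"""
import hashlib
import hmac
from typing import Optional, Tuple

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract from RFC 5869: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def tls_hybrid_handshake_secret(derived_secret: bytes, ss1: bytes, ss2: bytes,
                                expected_lens: Optional[Tuple[int, int]] = None) -> bytes:
    """Section 3.3 shape: HandshakeSecret = HKDF-Extract(derived_secret, ss1 || ss2).
    Both shared secrets enter on the IKM side; derived_secret is the salt.
    If expected_lens is given, the fixed-length assumption is enforced before
    concatenating, which is the check an implementation would want."""
    if expected_lens is not None and (len(ss1), len(ss2)) != expected_lens:
        raise ValueError("shared secret lengths do not match the negotiated combination")
    return hkdf_extract(derived_secret, ss1 + ss2)


def bindel_style_combiner(k1: bytes, k2: bytes, c1: bytes, c2: bytes) -> bytes:
    """PRF(dPRF(k1, k2), c1 || c2), in the form the message quotes for [BINDEL].
    HMAC-SHA256 stands in for both dPRF and PRF (assumption of this example).
    Note that k1 and k2 are separate dPRF arguments, not a concatenation."""
    dprf_out = hmac.new(k1, k2, HASH).digest()  # dPRF(k1, k2): k1 as key, k2 as message
    return hmac.new(dprf_out, c1 + c2, HASH).digest()


def concatenation_collision():
    """Why fixed lengths matter for the Section 3.3 shape: with variable-length
    secrets, two distinct (ss1, ss2) pairs concatenate to the same IKM and so
    give the same HandshakeSecret. Returns (pair_a, pair_b, hs_a, hs_b)."""
    derived = b"\x01" * HASH_LEN  # constructed placeholder for derived_secret
    pair_a = (b"ab", b"c")
    pair_b = (b"a", b"bc")
    hs_a = tls_hybrid_handshake_secret(derived, *pair_a)
    hs_b = tls_hybrid_handshake_secret(derived, *pair_b)
    return pair_a, pair_b, hs_a, hs_b


def split_fixed_length(concatenated: bytes, len1: int) -> Tuple[bytes, bytes]:
    """With fixed lengths the concatenation is unambiguous: it splits back
    into exactly the original (ss1, ss2)."""
    return concatenated[:len1], concatenated[len1:]


if __name__ == "__main__":
    derived = b"\x01" * HASH_LEN
    ss1 = b"\x11" * 32  # constructed stand-in for a 32-byte ECDH shared secret
    ss2 = b"\x22" * 32  # constructed stand-in for a 32-byte KEM shared secret
    print("TLS-style   :", tls_hybrid_handshake_secret(derived, ss1, ss2, (32, 32)).hex())
    print("Bindel-style:", bindel_style_combiner(ss1, ss2, b"ctx1", b"ctx2").hex())
    a, b, hs_a, hs_b = concatenation_collision()
    print("variable-length pairs", a, "and", b, "collide:", hs_a == hs_b)
```

The collision in concatenation_collision is exactly what the length check in tls_hybrid_handshake_secret rules out: once the combination (and hence both lengths) is fixed, ss1 || ss2 parses back uniquely, which is the precondition the draft states before relating the construction to the dual-PRF combiner.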
