Score:1

Why is SHA384 used in TLS cipher suites for AES_256_GCM instead of SHA256?


TLS cipher suites use SHA256 as the hash when using AES_128_GCM and CHACHA20_POLY1305, but SHA384 when using AES_256_GCM.

The TLS Cipher Suite Registry contains no cipher suites that use AES_256_GCM_SHA256 instead of AES_256_GCM_SHA384.

According to RFC 8446, this hash is "to be used with both the key derivation function and handshake message authentication code".

What could be the motivation for using SHA384 over SHA256 as the HMAC-Hash for HKDF when establishing an AES_256_GCM key?

kelalaka: [To have alleged 128-bit quantum resistance](https://crypto.stackexchange.com/a/75241/18298)
knaccc: @kelalaka Thanks, great link. Would you agree that when using AES_256_GCM, it's beneficial to upgrade to SHA384 for the handshake MAC part, but it would not be of extra benefit to upgrade to SHA384 for HKDF to derive the AES_256_GCM key?
kelalaka: Isn't it already using the cipher suite's hash algorithm? [rfc8446#section-7.1](https://datatracker.ietf.org/doc/html/rfc8446#section-7.1) `The Hash function used by Transcript-Hash and HKDF is the cipher suite hash algorithm.`
knaccc: @kelalaka I know it's used by both, and you can't use one hash for the transcript hash and a different hash for HKDF. What I mean is, would you agree that upgrading to SHA384 makes sense to make the transcript hash stronger, in order to upgrade its quantum resistance at the same time you upgrade the quantum resistance of the symmetric cipher? But that use of SHA384 is a beneficial upgrade to the transcript hash, and not really beneficial as an upgrade to the HKDF part.
knaccc: @kelalaka To put it a simpler way: I'm asking if you agree that SHA384 helps as a quantum upgrade to prevent collisions for the handshake transcript MAC, but is not providing any benefit over SHA256 for the purposes of HKDF on the ECDHE shared secret to get the AES256GCM key.
kelalaka: Well, AFAIK TLS 1.3 simplified things: instead of using two hashes in the suite, use one...
knaccc: @kelalaka I'm not sure if you agree or not with my last comment, but thanks for the quantum insight. I'll approve that as an answer if you wish to submit it.
knaccc: @kelalaka Aha, perfect, thanks!
Score:1

Let's assume that someone built a Cryptographic Quantum Computer (CQC) that can specially run Grover's algorithm. Grover's algorithm is asymptotically optimal, that is, one needs $\mathcal{O}(\sqrt{n})$-time for $n$-bit security for a pre-image attack or key search. That is, one has 128-bit security from a 256-bit key space. This is the advertisement of Grover's algorithm; yes, it has $\mathcal{O}(\log{n})$-space, however, this is not enough.

What is generally missing is the $\mathcal{O}(\sqrt{n})$ calls of Grover's algorithm: consider that you want to break 128-bit, then you need to run Grover's algorithm $2^{64}$ times. If we assume that you can execute one Grover's algorithm on a machine in one nanosecond, then you need $\approx 585$ years to find the key. This is quite optimistic in the sense that one can prepare a CQC in one nanosecond.

Grover's algorithm, like classical algorithms, can be parallelized, too. Well, interestingly, for $k$ parallel Grovers we don't have a quadratic increase; we have a $\sqrt{k}$ speed-up. This doesn't scale up well.

This is all about Grover's; now there is another work from Brassard et al. for hash functions, for collision finding, that has $\mathcal{O}(\sqrt[3]{2^{256}})$-time and $\approx \mathcal{O}(2^{85})$-space. That is still asymptotically optimal, and this time we have 128-bit security from a 384-bit hash function with $2^{128}$-space requirements.

With these we can argue that even 256-bit hash functions and even 128-bit block ciphers are safe from CQC. A more realistic calculation made from

Keeping the details to the article, let's stick with NIST and assume that we need a $384$-bit hash function against CQC to have 128-bit collision resistance; the pre-image resistance is $192$-bit.

If we use a 256-bit HKDF it will have 128-bit CQC pre-image resistance. This means that the 256-bit hash will be enough.

Since TLS 1.3 simplified almost everything:

> The Hash function used by Transcript-Hash and HKDF is the cipher suite hash algorithm.

The meaningful explanation is that SHA-384 is chosen to have 128-bit collision resistance that fits the 128-bit resistance of AES-256. In a simplified manner one can say that AES_256_GCM_SHA384 has 128-bit security against quantum adversaries.
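The comments and the answer both turn on one fact from RFC 8446 section 7.1: the suite's hash drives the transcript hash and the HMAC inside HKDF at the same time, so a suite cannot pair SHA-256 HKDF with a SHA-384 transcript. The following is an added example (not part of the question or the answer above, and not any TLS library's code) that implements HKDF-Extract/Expand (RFC 5869), HKDF-Expand-Label and Derive-Secret (RFC 8446 7.1), and walks the PSK-less key schedule from the (EC)DHE secret to the client handshake traffic key, selecting the hash from the suite name. The `SUITES` table, the function names and the shared-secret/transcript inputs are constructed for illustration; `check_known_vectors` compares the primitives with the published RFC 5869 test case 1 and the RFC 8448 early/derived secrets.

```python
import hashlib
import hmac
import struct

# Constructed table: cipher suite -> (hash, AEAD key length in bytes), following the
# RFC 8446 B.4 suite list. The SHA256/SHA384 suffix is exactly what selects the hash.
SUITES = {
    "TLS_AES_128_GCM_SHA256": ("sha256", 16),
    "TLS_AES_256_GCM_SHA384": ("sha384", 32),
    "TLS_CHACHA20_POLY1305_SHA256": ("sha256", 32),
}


def hkdf_extract(hash_name, salt, ikm):
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name, prk, info, length):
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated to `length` bytes."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_expand_label(hash_name, secret, label, context, length):
    """RFC 8446 7.1 HKDF-Expand-Label. The info string is the HkdfLabel struct:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(hash_name, secret, hkdf_label, length)


def derive_secret(hash_name, secret, label, transcript_messages):
    """RFC 8446 7.1 Derive-Secret: HKDF-Expand-Label(secret, label, Transcript-Hash(messages), Hash.length).
    Note that the same suite hash computes the transcript hash and runs inside HKDF's HMAC."""
    transcript_hash = hashlib.new(hash_name, transcript_messages).digest()
    return hkdf_expand_label(hash_name, secret, label, transcript_hash,
                             hashlib.new(hash_name).digest_size)


def handshake_traffic_key(suite, ecdhe_shared_secret, transcript_messages):
    """Walk the RFC 8446 7.1 key schedule without a PSK, from the (EC)DHE shared secret
    down to the client handshake traffic key and IV, with the hash chosen by the suite."""
    hash_name, key_len = SUITES[suite]
    hash_len = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(hash_name, b"", b"\x00" * hash_len)   # no PSK: IKM is Hash.length zeros
    derived = derive_secret(hash_name, early_secret, b"derived", b"")  # context = Transcript-Hash("")
    handshake_secret = hkdf_extract(hash_name, derived, ecdhe_shared_secret)
    c_hs_traffic = derive_secret(hash_name, handshake_secret, b"c hs traffic", transcript_messages)
    key = hkdf_expand_label(hash_name, c_hs_traffic, b"key", b"", key_len)
    iv = hkdf_expand_label(hash_name, c_hs_traffic, b"iv", b"", 12)
    return key, iv


def check_known_vectors():
    """Cross-check the primitives against published vectors: RFC 5869 test case 1 (HKDF-SHA256)
    and the RFC 8448 early and derived secrets of a PSK-less TLS 1.3 handshake."""
    prk = hkdf_extract("sha256", bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand("sha256", prk, bytes(range(0xF0, 0xFA)), 42)
    early = hkdf_extract("sha256", b"", b"\x00" * 32)
    derived = derive_secret("sha256", early, b"derived", b"")
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
        and early.hex() == "33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a"
        and derived.hex() == "6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba"
    )


if __name__ == "__main__":
    # Constructed stand-ins for the (EC)DHE shared secret and the ClientHello..ServerHello bytes.
    shared = bytes(range(32))
    transcript = b"ClientHello...ServerHello (constructed placeholder)"
    for suite in SUITES:
        key, iv = handshake_traffic_key(suite, shared, transcript)
        print(f"{suite}: hash={SUITES[suite][0]} key={len(key)} bytes iv={len(iv)} bytes")
    print("known vectors ok:", check_known_vectors())
```

Running it shows the point of the discussion in code: for TLS_AES_256_GCM_SHA384 every intermediate secret is 48 bytes and every HMAC is SHA-384, including the one that reduces the ECDHE secret, while the AEAD key is cut to 32 bytes at the last step; there is no hook for running the HKDF part with a different hash than the transcript hash.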
