HMAC is a Randomness Extractor and Applications to TLS


Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer

To cite this version: Pierre-Alain Fouque, David Pointcheval, Sébastien Zimmer. HMAC is a Randomness Extractor and Applications to TLS. M. Abe and V. Gligor. Proceedings of the 3rd ACM Symposium on Information, Computer and Communications Security (ASIACCS 08), 2008, Tokyo, Japan. ACM Press, pp. 21-32. <inria > HAL Id: inria https://hal.inria.fr/inria Submitted on 22 Sep 2009.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. The multidisciplinary open archive HAL is intended for the deposit and dissemination of scientific research-level documents, published or not, originating from French or foreign teaching and research institutions and from public or private laboratories.

This extended abstract appeared in Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security (AsiaCCS 08) (March 18-20, 2008, Tokyo, Japan), pages 21-32, ACM Press, New York, NY, USA.

Pierre-Alain Fouque 1, David Pointcheval 2, and Sébastien Zimmer 3
1 ENS CNRS INRIA, Paris, France, fouque@di.ens.fr
2 CNRS ENS INRIA, Paris, France, pointcheval@di.ens.fr
3 ENS CNRS INRIA, Paris, France, zimmer@di.ens.fr

Abstract. In this paper, we study the security of a practical randomness extractor and its application in the TLS standard. Randomness extraction is the first stage of key derivation functions since the secret shared between the entities does not always come from a uniformly distributed source. More precisely, we ask whether the HMAC function, used in many standards, can be considered as a randomness extractor. We show that when the shared secret is put in the key space of the HMAC function, there are two cases to consider depending on whether the key is larger than the block length of the hash function or not. In both cases, we provide a formal proof that the output is pseudorandom, but under different assumptions. Nevertheless, all the assumptions are related to the fact that the compression function of the underlying hash function behaves like a pseudo-random function. This analysis allows us to prove the TLS randomness extractor for Diffie-Hellman and RSA key exchange. Of independent interest, we study a computational analog to the Leftover Hash Lemma for computational almost universal hash function families: any pseudo-random function family matches the latter definition.

1 Introduction

Randomness extraction is the first stage of key derivation mechanisms. After the key exchange protocol, entities share a secret element of a distribution, called the source in the sequel, but the entropy of this source is not maximal in general. This means that it is not a uniformly distributed bit string.
For example, the Decisional Diffie-Hellman assumption guarantees that a Diffie-Hellman element is a uniformly distributed element in the group, but its binary representation is not a uniformly distributed bit string in $\{0,1\}^n$ (where $n$ is the bit-size of the element). Consequently, the secret element cannot simply be plugged in as a secret key in a symmetric scheme. To transform this high-entropy source into a bit string with maximal entropy, or at least one indistinguishable from a maximal-entropy bit string, randomness extractors come into play. This transformation condenses the entropy source by generating a bit string smaller than the input source. Even if they are not designed toward this security goal, many standards use hash functions or MACs (see for example [9, 10, 18, 19]) also for this task, since they are already implemented in cryptographic products and so do not require implementing other functions. The reason why they have been considered for this is that MAC functions are usually thought of as good pseudo-random functions and that they condense their input. Here, we study the HMAC function as a randomness extractor. The main application we target is the proof of the randomness extractor of the new draft version of the TLS standard, namely TLS v1.2 [11]. In this standard, HMAC is an intermediate function used in the randomness extraction function, and it is not difficult to see that the security of this function as a randomness extractor reduces to the security of HMAC as a randomness extractor. The key generation in the new TLS version 1.2 is not very different from the key generation in the previous TLS version 1.1; however, we focus here on the emerging version.
There is a small difference in the derivation function used, but the main difference lies in the specific hash functions used, and some of our results could be adapted, but one has to be careful about the output size of the hash functions.

1.1 Related works

There is a well-known extractor, the Leftover Hash Lemma [15], which can be applied to any source with high entropy. Such an extractor is particularly interesting since it can be built under standard assumptions. The use of this lemma on the Diffie-Hellman source has been proposed by Gennaro et al. in [14]. But, for this particular source, there also exist simple and efficient extractors provided the group size is sufficiently large. For instance, in [8], Chevassut et al. show that for safe prime numbers, a simple extractor on the group of squares can be built whose output is perfect. Later, Fouque et al. in [13] extended this result to large subgroups by simply taking the high or low order bits of the group elements. This result is achieved using characters and exponential sums as proposed by Canetti et al. in [6, 7]. Such constructions are very simple but not as efficient as the Leftover Hash Lemma since the subgroup is always very large. Consequently, the key exchange is not very efficient in practice. In [12], Dodis et al. were the first to consider randomness extraction as an important stage of key derivation mechanisms. They study how classical cryptographic primitives, such as MACs or hash functions, behave as randomness extractors. More precisely, they reduce the security of randomness extraction to the assumption that the compression function behaves like a good randomness extractor, namely like an almost universal hash function family. One widely used MAC function is the HMAC function, Hash-based Message Authentication Code, proposed by Bellare, Canetti and Krawczyk in [3]. In [2] Bellare shows that HMAC is a pseudo-random function under the sole assumption that the compression function is a pseudo-random function. Finally, the TLS key exchange has been studied by Jonsson and Kaliski in [17], for the security of RSA encryption in the random oracle model.
They prove that the key exchange in TLS is an IND-CCA2 tagged key encapsulation mechanism, with the assistance of a partial-RSA decision oracle, under the assumptions that both the key extraction and derivation functions are random functions and that RSA is hard to invert. Here we focus on a security proof of the key extraction function in the standard model.

1.2 Our Results

In this paper, we study the situation where the common secret is used as the secret key of HMAC. We show that in this case, for any input of HMAC, the output is indistinguishable from a random bit string, namely it is a pseudorandom string. This construction is used in TLS and therefore is of practical interest. More precisely, we give theoretical security results on this construction for HMAC and then reformulate these results for the particular case of TLS. We focus on the practical security of the TLS extraction function when SHA-384 is used and prove that in this case we can obtain 124-bit security with RSA and Diffie-Hellman key exchange. The construction we study is different from the one studied in [12]. In [12], there is a proof for HMAC as a randomness extractor, but when the source is injected in the message space, with a random but known key. Whereas our construction is used in the TLS key extraction, the latter construction is used in the IPSec standard. In the IPSec construction, the shared key length can be larger than the block length. For example, in HMAC-SHA-1 the block size is 512 bits and a shared Diffie-Hellman element is at least 1024 bits long, therefore it is split over at least two blocks. Consequently, the hash function must be iterated and the results of [12] require high conditional min-entropy of at least one block. That means that, in our example, the entropy of the most significant bits of the Diffie-Hellman element is high, even when the least significant bits are given. This result can be achieved following the result of [13], but it requires a large subgroup. With our technique, we avoid this drawback and, as in the Leftover Hash Lemma, we require only that some entropy is present in the group element. We are always able to extract the entropy diluted in the whole bit string. Therefore, we can use groups with rather small prime order subgroups, which allows much more efficient key exchange protocols. In this work, we use some computational assumptions, notably the classical assumption in cryptography that the compression function is a pseudo-random function. This assumption has also been made by Bellare et al. in [3, 2]. In [2], Bellare introduced the notion of computationally almost universal hash function. We extend this notion and prove a computational analog of the famous Leftover Hash Lemma, which allows one to extract entropy easily. Since any pseudo-random function (prf) is also computationally almost universal, a strong key (i.e. computationally indistinguishable from a truly random bit string) is derived from any good entropy source using a good prf. The only restriction is on the size of the output of the prf: the latter should be smaller than the prf key size, otherwise the advantage of the prf is not small enough to be used with the Leftover Hash Lemma. This means that this result has a practical impact for truncated iterated hash functions, such as SHA-384 or HMAC-SHA-384. This justifies, with reasonable computational assumptions, the use of these hash functions in practice to derive keys.
Finally, the HMAC standard imposes that if the key is larger than the block length, HMAC begins by hashing the secret to reduce it, and then the result is used as the key of HMAC. Therefore, to be complete, there are actually two cases to consider depending on whether the key is larger than the block length of the hash function or not. If the common secret is larger than the block length, we show that hashing the secret key allows us to extract entropy whose distribution is indistinguishable from a random bit string. Then, we use the recent results of Bellare [2] at Crypto 2006 to show that the output of HMAC is pseudo-random. As far as we know, we are the first to study this particular case. If the shared secret is smaller than the block size, two bit strings are generated and then used to key an intermediate pseudorandom function NMAC. As pointed out by Bellare [2], assuming that these keys are chosen independently is not true for HMAC since they are derived from a single bit string. Instead, we show that these strings are computationally indistinguishable from two random bit strings. Note that both cases may happen in practice: the Diffie-Hellman key exchange over $\mathbb{Z}_p$ (with $p$ a prime) generates a key of at least 1024 bits, which is greater than the 512-bit HMAC-SHA-1 key size, whereas the elliptic curve Diffie-Hellman key exchange generates a key of generally exactly 512 bits.

Organization of the Paper. In section 2, we give useful notations and security definitions. Then, we give the main security results for HMAC, separating the case when the key is smaller than the block length from the case when it is longer. Finally, we apply the method presented in section 3 to give theoretical and practical security results for the TLS key extraction function.

2 Notations and Definitions

Notations. If $X$ is a random variable taking values in $\mathcal{X}$ and drawn according to the distribution $D$, then $X \xleftarrow{D} \mathcal{X}$ denotes the choice of $X$ in $\mathcal{X}$ according to $D$, and $X \xleftarrow{\$} \mathcal{X}$ denotes the choice of $X$ when $X$ is uniformly distributed in $\mathcal{X}$. The uniform distribution on $\{0,1\}^\kappa$ is denoted by $U_\kappa$. When an adversary $A$ can interact with an oracle $O$ and at the end of the interaction outputs $b$, it is denoted by $A^O \Rightarrow b$. If $B$ and $C$ are two events, the probability that the event $B$ occurs, knowing the event $C$, is denoted by $\Pr[B : C]$. When an adversary is involved in an event, the probability is taken over the adversary's random coins.

Min-Entropy, Universal Hash Family and Randomness Extractor. Let $X$ be a random variable with values in a set $\mathcal{X}$. The guessing probability of $X$, denoted by $\gamma(X)$, is the probability $\max_{x \in \mathcal{X}} \Pr[X = x]$. The min-entropy of $X$, denoted $H_\infty(X)$, is equal to $-\log_2(\gamma(X))$. Let $D_1$ and $D_2$ be two distributions on the same set $\mathcal{X}$. The statistical distance between $D_1$ and $D_2$ is:
$$SD(D_1, D_2) = \frac{1}{2} \sum_{x \in \mathcal{X}} \left| \Pr_{X \xleftarrow{D_1} \mathcal{X}}[X = x] - \Pr_{X \xleftarrow{D_2} \mathcal{X}}[X = x] \right|.$$
Let $Ext$ be a function family from $\{0,1\}^d \times \{0,1\}^n$ into $\{0,1\}^l$. Let $i$ be a uniform random variable in $\{0,1\}^d$ and $U_l$ denote a random variable uniformly distributed in $\{0,1\}^l$. The function family $Ext$ is an $(\varepsilon, m)$-strong extractor if for all random variables $X$ over $\{0,1\}^n$ of min-entropy at least $m$, with $U_l$, $i$ and $X$ independent: $SD(\langle i, Ext_i(X) \rangle, \langle i, U_l \rangle) < \varepsilon$. Presumably, the most famous way of extracting entropy is provided by the Leftover Hash Lemma presented in [15, 16]. A variant of this lemma introduced by Dodis et al. [12] is presented below. Let $H : \{0,1\}^d \times \{0,1\}^n \to \{0,1\}^l$ be a family of efficiently computable hash functions. The family $H$ is called an $\varepsilon$-almost universal hash ($\varepsilon$-au) function family if for every $x \neq y$ in $\{0,1\}^n$, $\Pr_{i \xleftarrow{\$} \{0,1\}^d}[H_i(x) = H_i(y)] \le 1/2^l + \varepsilon$.

Theorem 1 (Leftover Hash Lemma).
Let $H$ be an $\varepsilon$-au function family from $\{0,1\}^d \times \{0,1\}^n$ to $\{0,1\}^l$. Let $i$ denote a random variable uniformly distributed in $\{0,1\}^d$, $U_l$ a random variable uniformly distributed in $\{0,1\}^l$, and $A$ a random variable taking values in $\{0,1\}^n$, with $i$, $A$, $U_l$ mutually independent. Then:
$$SD(\langle i, H_i(A) \rangle, \langle i, U_l \rangle) \le \frac{\sqrt{2^l \left(2^{-H_\infty(A)} + \varepsilon\right)}}{2}.$$

Computational Randomness Extractor. A computational randomness extractor (cre) is an extension of a randomness extractor where the output is computationally indistinguishable from the uniform variable. This notion has also been implicitly used in [15, 12]. It is a function family $cext$ from $\{0,1\}^d \times \{0,1\}^n \times Dom$ to $\{0,1\}^l$ that satisfies the following game. At the beginning, the challenger chooses uniformly at random a bit $b$ and a random $d$-bit string $i$. According to the value of $b$, he assigns $ext$ either to a random function taken in $\mathcal{F}(n,l)$, the set of all functions from $\{0,1\}^n$ to $\{0,1\}^l$, or to the randomness extractor $cext_i$. Then the adversary sends to the challenger an efficiently samplable probability distribution $D$ over $\{0,1\}^n$ whose min-entropy is greater than $m$ and possibly a label $label \in Dom$. The challenger chooses $x$ according to the distribution $D$ and sends to the adversary $(i, ext(x, label))$. Finally, the adversary outputs a bit $b'$ as her guess of $b$. Her advantage, denoted $\mathbf{adv}^{cre}_{cext}(A)$, is:
$$\Pr\left[A^{ext} \Rightarrow 1 : ext \xleftarrow{\$} cext\right] - \Pr\left[A^{ext} \Rightarrow 1 : ext \xleftarrow{\$} \mathcal{F}(n,l)\right].$$
This notion directly implies the semantic security, against a passive adversary, of a key generated with a computational randomness extractor from a high-entropy random source. Indeed, if an adversary is able to attack the semantic security of the key, then it is able to distinguish this computational randomness extractor from a perfectly random function. Therefore, if a good computational randomness extractor is used to generate the key, the semantic security of the key is guaranteed. If authentication techniques are used, the key exchange security against an active adversary reduces to the security against a passive adversary, and therefore the semantic security of the key is guaranteed even against an active adversary.

Computational Almost Universality. Let $F : Keys \times Dom \to Rng$ be a function family. We generalize here the definition of [2]. The goal of an $m$-au adversary $A$ is to generate an efficiently samplable distribution $D$ over $Dom^2$ with min-entropy at least $m$ such that, for a random key $K$ and a random couple $(M_1, M_2)$ chosen according to $D$ in $Dom^2$, $F_K(M_1)$ and $F_K(M_2)$ collide with high probability. Her $m$-au-advantage, denoted $\mathbf{adv}^{m\text{-}au}_F(A)$, is:
$$\Pr\left[F(K, M_1) = F(K, M_2) \wedge M_1 \neq M_2 : A \Rightarrow D;\ K \xleftarrow{\$} Keys;\ (M_1, M_2) \xleftarrow{D} Dom^2\right].$$
Note that Bellare's definition is the particular case when $m$, the min-entropy of $D$, equals 0.
When $m \ge 1$, this is a weaker notion than the original one, because every $m$-au adversary can be turned into a 0-au adversary with the same running time and the same advantage (the 0-au adversary runs the $m$-au adversary, chooses $(M_1, M_2)$ according to $D$ and sends it to the challenger).

Pseudo-Random Function. Let $F : Keys \times Dom \to Rng$ be a function family. We denote by $\mathcal{F} = \mathcal{F}(Dom, Rng)$ all the functions from $Dom$ to $Rng$. The goal of a prf-adversary $A$, which runs in time $T$, against $F$ is to guess the value of $b$ in the following game. The challenger chooses a bit $b$ at random; if $b = 1$ he assigns $f$ to a random function from $\mathcal{F}$, otherwise he chooses a random key $K$ in $Keys$ and assigns $f$ to $F(K, \cdot)$. The adversary can interact with $f$, making up to $q$ queries $x_i$ and receiving $f(x_i)$. The prf-advantage of $A$, denoted $\mathbf{adv}^{prf}_F(A)$, is:
$$\Pr\left[A^{F(K, \cdot)} \Rightarrow 1 : K \xleftarrow{\$} Keys\right] - \Pr\left[A^{f} \Rightarrow 1 : f \xleftarrow{\$} \mathcal{F}\right].$$

Prefix-freeness. Let $S$ be a set of bit strings and let $x$ and $x'$ be a couple of bit strings from $S$; we denote by $x \preceq x'$ the fact that $x$ is a prefix of $x'$. A distribution $D$ over $S$ is prefix-free if for all couples $(x, x') \in S^2$ such that $\Pr[(X, X') = (x, x') : X \xleftarrow{D} S, X' \xleftarrow{D} S] > 0$, $x \preceq x'$ implies $x = x'$. The set $S$ is prefix-free if for all couples $(x, x') \in S^2$, $x \preceq x'$ implies that $x = x'$. An adversary is said to be prefix-free if the set of its queries forms a prefix-free set and if it outputs only prefix-free distributions.
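An added, constructed illustration (not code from the paper) of the definitions above: exact guessing probability, min-entropy and statistical distance for the introduction's example of a uniform element of $\mathbb{Z}_p^*$ written on $n$ bits, followed by an exact evaluation of the Leftover Hash Lemma bound of Theorem 1 for a toy affine $\varepsilon$-au family. The family, $p = 11$ and the modulus $q = 17$ are assumptions of the example, not parameters from the paper.

```python
from fractions import Fraction
from itertools import product
from math import log2, sqrt

# Constructed illustration, not code from the paper: the definitions of
# section 2 evaluated exactly (with Fractions) on a toy source, plus the
# Leftover Hash Lemma bound of Theorem 1.


def guessing_probability(dist):
    """gamma(X) = max_x Pr[X = x]; dist maps values to exact probabilities."""
    return max(dist.values())


def min_entropy(dist):
    """H_inf(X) = -log2(gamma(X))."""
    return -log2(float(guessing_probability(dist)))


def statistical_distance(d1, d2):
    """SD(D1, D2) = 1/2 * sum_x |Pr_D1[X = x] - Pr_D2[X = x]|."""
    support = set(d1) | set(d2)
    return Fraction(1, 2) * sum(abs(d1.get(x, 0) - d2.get(x, 0)) for x in support)


def uniform(values):
    """Uniform distribution over an iterable of values (U_n for range(2**n))."""
    vals = list(values)
    return {v: Fraction(1, len(vals)) for v in vals}


def affine_family(q, l):
    """H_{(a,b)}(x) = ((a*x + b) mod q) mod 2^l, a toy almost-universal family.

    The index i = (a, b) ranges over Z_q^* x Z_q.  Assumption of the example:
    q is a prime larger than every input, so distinct inputs stay distinct mod q.
    """
    keys = list(product(range(1, q), range(q)))
    return keys, (lambda key, x: ((key[0] * x + key[1]) % q) % (2 ** l))


def au_epsilon(keys, h, inputs, l):
    """Smallest eps >= 0 with Pr_i[H_i(x) = H_i(y)] <= 1/2^l + eps for all x != y."""
    worst = Fraction(0)
    for x, y in product(inputs, repeat=2):
        if x != y:
            coll = Fraction(sum(h(k, x) == h(k, y) for k in keys), len(keys))
            worst = max(worst, coll)
    return max(worst - Fraction(1, 2 ** l), Fraction(0))


def extractor_distance(keys, h, source, l):
    """Exact SD(<i, H_i(A)>, <i, U_l>) for i uniform over keys and A ~ source."""
    pi = Fraction(1, len(keys))
    real = {}
    for k in keys:
        for x, px in source.items():
            out = (k, h(k, x))
            real[out] = real.get(out, 0) + pi * px
    ideal = {(k, u): pi * Fraction(1, 2 ** l) for k in keys for u in range(2 ** l)}
    return statistical_distance(real, ideal)


def lhl_bound(l, min_ent, eps):
    """Theorem 1: SD <= sqrt(2^l * (2^-H_inf(A) + eps)) / 2."""
    return sqrt(2 ** l * (2 ** (-min_ent) + float(eps))) / 2


def dh_toy_example(p=11, l=1):
    """A uniform element of Z_p^* written on n = bitlen(p) bits is far from U_n,
    yet the extracted l-bit string is close to <i, U_l>, within the LHL bound."""
    n = p.bit_length()
    source = uniform(range(1, p))             # uniform in the group Z_p^*
    sd_raw = statistical_distance(source, uniform(range(2 ** n)))
    keys, h = affine_family(q=17, l=l)        # constructed toy family
    eps = au_epsilon(keys, h, range(1, p), l)
    sd_ext = extractor_distance(keys, h, source, l)
    return {
        "min_entropy": min_entropy(source),
        "sd_raw_vs_uniform_bits": sd_raw,
        "eps": eps,
        "sd_extracted": sd_ext,
        "lhl_bound": lhl_bound(l, min_entropy(source), eps),
    }


if __name__ == "__main__":
    for name, value in dh_toy_example().items():
        print(f"{name}: {value}")
```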

3 HMAC Security as a Key Derivation Function

3.1 Description of HMAC

The cascade construction. The cascade construction is the construction used for iterated hash functions. We denote by $H : \{0,1\}^\kappa \times \{0,1\}^* \to \{0,1\}^\kappa$ such a hash function and by $h : \{0,1\}^\kappa \times \{0,1\}^b \to \{0,1\}^\kappa$ the so-called compression function. The cascade construction of $h$ is the function $h^* : \{0,1\}^\kappa \times (\{0,1\}^b)^* \to \{0,1\}^\kappa$, defined by: $y_0 = a$, $y_i = h(y_{i-1}, x_i)$ and $h^*(a, x) = y_n$, where $x = (x_1, \ldots, x_n)$ is an $n \cdot b$-bit string and $a \in \{0,1\}^\kappa$. To construct $H$, a way to pad messages to an exact multiple of $b$ bits needs to be defined. In practice this padding is a function of the length of the input $x$, $|x|$. We denote by $pad(|x|)$ the function induced by the padding and by $x_{pad} = x \| pad(|x|)$. The function $H$ is defined by $H(a, x) = h^*(a, x_{pad})$. Let $1 \le t \le \kappa$ be an integer. In the following, for any function $F$ with range $\{0,1\}^\kappa$, we denote by $\tilde{F}$ the function $F$ for which the $\kappa - t$ least significant bits of the output are truncated; that is, if $msb_t(\cdot)$ denotes the $t$ most significant bits of a bit string, for every input $x$, $\tilde{F}(x) = msb_t(F(x))$. We mostly use this notation for $h^*$ and $H$ (the reader may think of SHA-384, which is a truncated iterated hash function for which $t = 384$ and $\kappa = 512$).

NMAC. NMAC is a hash function family from $\{0,1\}^\kappa \times \{0,1\}^\kappa \times \{0,1\}^*$ to $\{0,1\}^c$. It is constructed from a (possibly truncated) iterated hash function $Hash$ from $\{0,1\}^\kappa \times \{0,1\}^*$ to $\{0,1\}^c$. If $(k_1, k_2) \in (\{0,1\}^\kappa)^2$ is a couple of keys and $x \in \{0,1\}^*$ the input, the definition of NMAC is:
$$NMAC^{Hash}(k_1, k_2, x) = Hash(k_2, Hash(k_1, x)). \quad (1)$$
The hash function family $Hash$ can be either a classical or a truncated iterated hash function family, that is $Hash = H$ and $c = \kappa$, or $Hash = \tilde{H}$ and $c = t$. In these cases equation (1) becomes:
$$NMAC^{H}(k_1, k_2, x) = h^*\left(k_2, h^*(k_1, x_{pad})_{pad}\right) = h\left(k_2, h^*(k_1, x_{pad})_{pad}\right),$$
$$NMAC^{\tilde{H}}(k_1, k_2, x) = \tilde{h}^*\left(k_2, \tilde{h}^*(k_1, x_{pad})_{pad}\right) = \tilde{h}\left(k_2, \tilde{h}^*(k_1, x_{pad})_{pad}\right).$$
From now on, we assume that the padded message obtained from any $\kappa$-bit query is never larger than $b$ bits (this is the case in practice).
This explains the last equality of the equations above.

HMAC. HMAC is a hash function from $\{0,1\}^* \times \{0,1\}^*$ to $\{0,1\}^\kappa$. Let $ipad$ and $opad$ be two $b$-bit strings and $IV$ be a $\kappa$-bit string. If the key $k$ is a bit string from $\{0,1\}^b$, then $HMAC^{Hash}_{IV}(ipad, opad; k, x)$ is equal to:
$$Hash\left(IV, [k \oplus opad] \,\|\, Hash\left(IV, [k \oplus ipad] \,\|\, x\right)\right). \quad (2)$$

The bit strings $opad$, $ipad$ and $IV$ are constants defined in the HMAC standard [5], but in the following we assume that $ipad$ and $opad$ could vary and are chosen uniformly at random. In practice, these variables were chosen at random once and for all when the standard was defined. The consequences of this assumption in practice are discussed in detail in subsection 4.2. In the following we denote as index of HMAC the fixed value $IV$ and we put between brackets the variables $ipad$ and $opad$ which are chosen randomly. If $k$ is a $b$-bit string, in the cases when $Hash = H$ and $Hash = \tilde{H}$, definition (2) can be restated using NMAC, and then $HMAC^{H}_{IV}(ipad, opad; k, x)$ and $HMAC^{\tilde{H}}_{IV}(ipad, opad; k, x)$ are respectively equal to:
$$NMAC^{H}\left(h(IV, k \oplus ipad), h(IV, k \oplus opad), x\right),$$
$$NMAC^{\tilde{H}}\left(h(IV, k \oplus ipad), h(IV, k \oplus opad), x\right).$$
Note that these equations are not exactly true because the padding is not exactly the same in HMAC and in NMAC: in HMAC one key block is concatenated to the message, which changes the length of the hash function input and hence the associated padding. However, to simplify the notation, we can omit this particularity since it does not alter the results. If $k$ is not a $b$-bit string, then it is first transformed into a $b$-bit string. If $k$ is smaller than $b$ bits, then it is first padded with as many 0s as needed to obtain a $b$-bit string; the resulting bit string is used as a key, as defined in (2). If $k$ is longer than $b$ bits, as we explain in the introduction, the HMAC standard [5] imposes to first hash $k$ using $Hash$ to obtain a $c$-bit key digest; since $c \le b$ in practice, the key digest is padded with $b - c$ 0s and the resulting $b$-bit string is used as a key, as defined in (2).

The key extraction construction. In this paper we study the following construction used for key derivation: let $pmk$ denote a high-entropy $s$-bit string called the premaster-secret, $label$ some bit string possibly adversarially generated, $opad$ the fixed bit string as described in the HMAC standard [5] and $mk$ the master-key generated by this construction.
The variables $ipad$ and $opad$ are chosen uniformly at random and $mk$ is computed as follows:
$$mk = HMAC^{Hash}_{IV}(ipad, opad; pmk, label).$$
We show that this construction is a good computational randomness extractor, that is, that the triplet $(ipad, opad; mk)$ is indistinguishable from a random bit string. As the definition of HMAC depends on the size of $pmk$, our proof is also $pmk$-dependent: the proof method is not exactly the same if $pmk$ is smaller than the block size or if it is longer.

3.2 When the Shared Key is Smaller Than the Block Length

The study of this case is motivated by the use in practice of elliptic curve Diffie-Hellman key exchange. The premaster-secret $pmk$ generated is then presumably 512 bits long, and is smaller than the block length. We directly show that HMAC is a randomness extractor when it is used with $H$ and $\tilde{H}$.
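As an added illustration that is not code from the paper, the following Python writes HMAC out as the standard's key handling followed by the inner and outer hash calls of definition (2), and computes $mk = HMAC(ipad, opad; pmk, label)$ for a 512-bit and a 1024-bit premaster-secret with HMAC-SHA-1 (block length 512 bits), the two key-size cases distinguished above. The sample secrets and the label are constructed, and hashlib's fixed IV plays the role of $IV$.

```python
import hashlib
import hmac

# Constructed example, not code from the paper: HMAC with the key handling
# of the HMAC standard, checked against Python's reference implementation.

IPAD = 0x36   # the constant ipad byte of the HMAC standard
OPAD = 0x5C   # the constant opad byte of the HMAC standard


def prepare_key(key: bytes, hash_name: str) -> bytes:
    """Turn an arbitrary-length key into a b-byte key as the HMAC standard does.

    A key longer than the block length b is hashed first (the case of a
    Z_p Diffie-Hellman premaster-secret); a key shorter than b is padded
    with zero bytes up to b.
    """
    block = hashlib.new(hash_name).block_size            # b / 8 bytes
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()       # c-bit key digest
    return key.ljust(block, b"\x00")                     # pad with b - c zero bits


def hmac_via_nmac(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC^Hash(k, x) = Hash(IV, [k xor opad] || Hash(IV, [k xor ipad] || x)).

    The inner call is the first NMAC stage keyed by h(IV, k xor ipad), the
    outer call the second stage keyed by h(IV, k xor opad); hashlib supplies
    the fixed IV of the hash function.
    """
    k = prepare_key(key, hash_name)
    k_in = bytes(c ^ IPAD for c in k)
    k_out = bytes(c ^ OPAD for c in k)
    inner = hashlib.new(hash_name, k_in + msg).digest()
    return hashlib.new(hash_name, k_out + inner).digest()


def tls_master_key(pmk: bytes, label: bytes, hash_name: str = "sha384") -> bytes:
    """mk = HMAC_IV(ipad, opad; pmk, label): the premaster-secret is the HMAC key."""
    return hmac_via_nmac(pmk, label, hash_name)


def key_case(pmk: bytes, hash_name: str) -> str:
    """Which of the paper's two cases applies to this premaster-secret."""
    block = hashlib.new(hash_name).block_size
    return "hashed" if len(pmk) > block else "zero-padded"


def demo() -> dict:
    # Constructed inputs: a 512-bit secret (the elliptic-curve DH case) and a
    # 1024-bit secret (the Z_p DH case), both with HMAC-SHA-1 (b = 512 bits).
    short_pmk = bytes(range(64))
    long_pmk = bytes(range(128))
    label = b"master secret"          # constructed label
    out = {}
    for name, pmk in (("short", short_pmk), ("long", long_pmk)):
        mk = tls_master_key(pmk, label, "sha1")
        ref = hmac.new(pmk, label, hashlib.sha1).digest()   # stdlib reference
        out[name] = {"case": key_case(pmk, "sha1"),
                     "matches_stdlib": mk == ref,
                     "mk": mk.hex()}
    # For a key longer than b, HMAC keyed with pmk equals HMAC keyed with
    # Hash(pmk): only the entropy that survives the key hashing reaches NMAC,
    # which is why that case needs its own analysis (section 3.3).
    digest_key = hashlib.sha1(long_pmk).digest()
    out["long_equals_hashed_key"] = (
        tls_master_key(long_pmk, label, "sha1")
        == tls_master_key(digest_key, label, "sha1"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```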

HMAC with $H$. Firstly we show that, for a key smaller than the block size, HMAC is a good randomness extractor when it is used with $H$. For the proof see appendix A. We underline that in this theorem we assume that $ipad$ and $opad$ are chosen uniformly at random, that $h(k, \cdot)$ is a prf when $k$ is the key, and that $h(IV, \cdot \oplus k)$ is a prf when $k$ is the key.

Theorem 2. Let $IV$ be a fixed $\kappa$-bit string and let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$, where the key is the first input on $\kappa$ bits. Let $\bar{h}$ be the hash function defined by $\bar{h}_{IV}(pad, \cdot) = h(IV, \cdot \oplus pad)$, where the key is $pad$. Let $A$ be a cre-adversary against the construction $HMAC^{H}$ that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of at most 1 block and min-entropy $m$. Then there exist one prf-adversary $A_1$ against $\bar{h}$ and two prf-adversaries $A_2$ and $A_3$ against $h$ such that $\mathbf{adv}^{cre}_{HMAC^{H}}(A)$ is upper bounded by:
$$\sqrt{2^{2\kappa}\left(2^{-m} + 2 \cdot \mathbf{adv}^{prf}_{\bar{h}}(A_1)\right)} + \mathbf{adv}^{prf}_{h}(A_2) + 2l \cdot \mathbf{adv}^{prf}_{h}(A_3),$$
where $A_1$ makes two queries with time-complexity $T + 2T_h$, $A_2$ makes one query with time-complexity $T$ and $A_3$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$, where $T_h$ is the time for one computation of $h$.

The main idea of the proof is to show that the two bit strings $k_1 = h(IV, ipad \oplus k)$ and $k_2 = h(IV, opad \oplus k)$ are pseudorandom and independent, and then to use them to key NMAC as a prf. Firstly, contrary to [4] where it is assumed that $k_1$ and $k_2$ are computationally independent, we prove it using the following hash function family:
$$F = \left(h(IV, \cdot \oplus ipad) \,\|\, h(IV, \cdot \oplus opad)\right)_{(ipad, opad)}$$
which is a prf and therefore is cau. More precisely, there exists a prf-adversary $A_1$ against $\bar{h}$ such that the advantage of the cau-adversary against $F$ is upper bounded by $2 \cdot \mathbf{adv}^{prf}_{\bar{h}}(A_1) + 1/2^{2\kappa}$. Then we can apply a computational variant of the Leftover Hash Lemma to $F$ to extract the entropy of the key and thus show that the output is indistinguishable from a random bit string. The computational Leftover Hash Lemma is the following:

Lemma 3 (computational LHL).
Let $H$ be a family of functions from $\{0,1\}^k \times Dom$ to $\{0,1\}^t$ such that for every au-adversary $B$, running in time $T$ and producing a distribution over $Dom \times Dom$ of min-entropy at least $2m$, $\mathbf{adv}^{cau}_H(B) \le 1/2^t + \varepsilon$. Then for every adversary $A$ running in time $O(T)$ producing a distribution of min-entropy at least $m$:
$$\mathbf{adv}^{cre}_H(A) \le \sqrt{2^t \left(2^{-m} + \varepsilon\right)}.$$
The proof of this lemma is in appendix C. Note that if $\varepsilon$ were greater than $2^{-2\kappa}$, we would have $2^{2\kappa} \varepsilon \ge 1$ and the upper bound would be meaningless. We need $\varepsilon \ll 2^{-2\kappa}$; that is why we make $ipad$ and $opad$ vary and not only $IV$, as we would have preferred in order to have a single assumption on $h$. Indeed, making the $IV$ vary is equivalent to considering $h$ as a prf when the key is $IV$. Yet, the exhaustive search prf-adversary against $h$ has a prf-advantage equal to $O(2^{-\kappa})$. It means that the best prf-adversary against $h$ has an advantage better than $O(2^{-\kappa})$, where $\kappa$ is the key size.

Therefore, assuming that $h$ is a prf is not enough, whereas, since $ipad$ and $opad$ are large, the security level may be sufficient. In the previous step of the proof, we have generated with $F$ two (concatenated) computationally pseudorandom and independent $\kappa$-bit strings which can be used to key NMAC. Thus, we can use the fact that NMAC is a prf. When NMAC is used with a classical iterated hash function, this fact was proved by Bellare [2]:

Lemma 4. Let $h : \{0,1\}^\kappa \times \{0,1\}^b \to \{0,1\}^\kappa$ be a family of functions. Let $A_{NMAC^{H}}$ be a prf-adversary against $NMAC^{H}$ that makes at most $q$ oracle queries, each of at most $l$ blocks, and has time-complexity $T$. Then there exist prf-adversaries $A_1$ and $A_2$ against $h$ such that $\mathbf{adv}^{prf}_{NMAC^{H}}(A_{NMAC^{H}})$ is upper bounded by:
$$\mathbf{adv}^{prf}_{h}(A_1) + \binom{q}{2}\left[2l \cdot \mathbf{adv}^{prf}_{h}(A_2) + \frac{1}{2^\kappa}\right].$$
Furthermore, $A_1$ has time-complexity at most $T$ and makes at most $q$ oracle queries, while $A_2$ has time-complexity at most $O(l \cdot T_h)$ and makes at most 2 oracle queries, where $T_h$ is the time for one computation of $h$.

HMAC with $\tilde{H}$. Secondly we show that, for a key smaller than the block size, HMAC used with $\tilde{H}$ is a good randomness extractor.

Theorem 5. Let $IV$ be a fixed $\kappa$-bit string and let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$, where the key is the first input on $\kappa$ bits. Let $\bar{h}$ be the hash function defined by $\bar{h}_{IV}(pad, \cdot) = h(IV, \cdot \oplus pad)$, where the key is $pad$. Let $A$ be a cre-adversary against the construction $HMAC^{\tilde{H}}$ that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of at most 1 block and min-entropy $m$. Then there exist one prf-adversary $A_1$ against $\bar{h}$ and two prf-adversaries $A_2$ and $A_3$ against $h$ such that $\mathbf{adv}^{cre}_{HMAC^{\tilde{H}}}(A)$ is upper bounded by:
$$\sqrt{2^{2\kappa}\left(2^{-m} + 2 \cdot \mathbf{adv}^{prf}_{\bar{h}}(A_1)\right)} + \mathbf{adv}^{prf}_{h}(A_2) + 2l \cdot \mathbf{adv}^{prf}_{h}(A_3),$$
where $A_1$ makes two queries with time-complexity $T + 2T_h$, $A_2$ makes one query with time-complexity $T$ and $A_3$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$, where $T_h$ is the time for one computation of $h$.
The proof of this theorem, which can be found in appendix A, is similar to the proof of theorem 2, but Bellare's result cannot be applied directly to NMAC used with $\tilde{H}$: the output of $\tilde{H}$ is much smaller than the output of $H$ and, because of this, his proof has to be adapted. We obtain the following result:

Lemma 6. Let $h : \{0,1\}^\kappa \times \{0,1\}^b \to \{0,1\}^\kappa$ be a family of functions. Let $A_{NMAC^{\tilde{H}}}$ be a pf-prf-adversary against $NMAC^{\tilde{H}}$ that makes at most $q$ oracle queries, each of at most $l$ blocks, and has time-complexity $T$. Then there exist prf-adversaries $A_1$ and $A_2$ against $h$ such that the advantage $\mathbf{adv}^{pf\text{-}prf}_{NMAC^{\tilde{H}}}(A_{NMAC^{\tilde{H}}})$ is upper bounded by:
$$\mathbf{adv}^{prf}_{h}(A_1) + \binom{q}{2}\left[2l \cdot \mathbf{adv}^{prf}_{h}(A_2) + \frac{1}{2^t}\right].$$

Furthermore, $A_1$ has time-complexity at most $T$ and makes at most $q$ oracle queries, while $A_2$ has time-complexity at most $O(l \cdot T_h)$ and makes at most 2 oracle queries, where $T_h$ is the time for one computation of $h$. This lemma can be established with a proof similar to the one for HMAC with $H$, which can be found in [2], except that the tests are made upon the $t$ most significant bits of the output of $H$ and that the adversary is constrained to output prefix-free messages.

3.3 When the Shared Key is Larger Than the Block Length

As explained in section 3.1, if the key is larger than the block size, then it is first hashed and padded with 0 bits to obtain a $b$-bit string. This case is rarely studied in HMAC security analyses and requires that we study the impact of the key hashing. However, it is of practical interest since the Diffie-Hellman key exchange over $\mathbb{Z}_p$ (where $p$ is a prime) generates a premaster-secret of at least 1024 bits, which is greater than the 512-bit HMAC-SHA-1 key size. In this section, we focus on HMAC used with a truncated hash function $\tilde{H}$. We first give the security results and then give the intermediate lemmas used in the proof; in particular we study the cascade mode as a randomness extractor.

Results for HMAC. The hashing of the premaster-secret has two main consequences for our proof. The output is a $t$-bit string, and as a first consequence we have to show that a lot of the entropy of the input is preserved: if the output had low entropy, an exhaustive search could allow one to guess the few possible values of the key. We are more precise and show that the output of the hashing is indistinguishable from the uniform when HMAC is used with $\tilde{H}$. The other consequence of the hashing is that HMAC is keyed with a key whose $b - t$ least significant bits are equal to 0. We have to show that even in these circumstances it is still a good prf, which guarantees that the output of HMAC is indistinguishable from the uniform. To this end, we consider related-key attacks against $h$ when the input and the key are reversed.
From the function family $h : \{0,1\}^\kappa \times \{0,1\}^b \to \{0,1\}^\kappa$ we define the family of functions $\hat{h} : \{0,1\}^t \times \{0,1\}^\kappa \to \{0,1\}^\kappa$ defined by $\hat{h}(x, y) = h(y, x \| 0^{b-t})$. A related-key attack on a family of functions $\hat{h} : \{0,1\}^t \times \{0,1\}^\kappa \to \{0,1\}^\kappa$ is parametrized by a set $\Phi \subseteq \mathcal{F}(t,t)$ of key-derivation functions (where $\mathcal{F}(t,t)$ is the set of all functions from $\{0,1\}^t$ to $\{0,1\}^t$). In the rka game, a challenger chooses a random bit $b$ and a random key $K$. If $b = 1$ it chooses a random function $G$ from the set of all functions from $\{0,1\}^t \times \{0,1\}^\kappa$ to $\{0,1\}^\kappa$ and uses $G(K, \cdot)$. If $b = 0$, it uses $\hat{h}(K, \cdot)$. The goal of the rka-adversary is to guess the value of $b$. She may make an oracle query of the form $\langle \phi, x \rangle$ where $\phi \in \Phi$ and $x \in \{0,1\}^\kappa$, and the oracle returns $G(\phi(K), x)$ if $b = 1$ and $\hat{h}(\phi(K), x)$ otherwise. Her rka-advantage is defined by:
$$\mathbf{adv}^{rka,\Phi}_{\hat{h}}(A) = \Pr\left[A^{\hat{h}} \Rightarrow 1\right] - \Pr\left[A^{G} \Rightarrow 1\right].$$
For any string $str \in \{0,1\}^t$ let $\oplus_{str} : \{0,1\}^t \to \{0,1\}^t$ be defined by $\oplus_{str}(K) = K \oplus str$.

Theorem 7. Let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$. Let $ipad$ and $opad$ be two $b$-bit strings and let $\Phi = \{\oplus_{ipad}, \oplus_{opad}\}$. Let $A$ be a pf-cre-adversary against the construction $HMAC^{\tilde{H}}$ that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of $s \ge 2$ blocks and min-entropy $m$. Then there exist an rka-adversary $A_2$ against $\hat{h}$ and three prf-adversaries $A_1$, $A_3$, $A_4$ against $h$ such that $\mathbf{adv}^{pf\text{-}cre}_{HMAC^{\tilde{H}}}(A)$ is upper bounded by:
$$\sqrt{2^t\left(3 \cdot 2^{-m} + 2s \cdot \mathbf{adv}^{prf}_{h}(A_1)\right)} + \mathbf{adv}^{rka}_{\hat{h}}(A_2) + \mathbf{adv}^{prf}_{h}(A_3) + 2l \cdot \mathbf{adv}^{prf}_{h}(A_4),$$
where $A_1$ and $A_2$ make at most 2 queries and have time-complexity $T$, $A_3$ makes one query with time-complexity $T$ and $A_4$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$.

To show this theorem, we first apply a prefix-free computational variant of the Leftover Hash Lemma to the cascade construction. This result is stated in lemma 8 below. This way we show that the output of the hashing is a random-looking $t$-bit string. Since $\hat{h}$, where input and key are reversed and where the key is restricted to the $t$ first bits, is a prf resistant to rka, and since the output $k$ of the hashing is random-looking, the output of $h(IV, ipad \oplus k \| 0^{b-t}) \,\|\, h(IV, opad \oplus k \| 0^{b-t})$ is indistinguishable from the uniform. Therefore NMAC is keyed with two random-looking bit strings and, since NMAC is a prf, its output seems to be uniformly distributed. All the precise proofs of the results of this section are in appendix B. Note that in this proof we assume that $IV$ is chosen at random at the beginning of the game. On the other hand, we do not use the fact that $ipad$ and $opad$ are chosen at random at the beginning of the game. This assumption is indeed not useful in this particular context.

The cascade mode is a good pf-cre. In this section we show that the cascade mode is a good extractor of entropy if the compression function is a prf. The main result of this part is the following lemma, used in the proof of theorem 7:

Lemma 8. Let $A$ be a pf-cre-adversary against $\tilde{h}^*$ which has time-complexity at most $T$ and produces a distribution of min-entropy at least $m$, with messages of at most $l$ blocks. Then there is a prf-adversary $A'$ against $h$ with running time at most $O(T)$ and messages at most $l$ blocks long such that:
$$\mathbf{adv}^{pf\text{-}cre}_{\tilde{h}^*}(A) \le \sqrt{2^t\left(3 \cdot 2^{-m} + 2l \cdot \mathbf{adv}^{prf}_{h}(A')\right)}.$$
Tis lemma is a direct consequence of te two lemmas 9 and 10 below. Lemma 9. Let A be a pf-au-adversary against wic generates messages of at most l blocks. Ten tere is a prf-adversary A against suc tat: adv pf-au (A ) 2l adv prf (A) t and A makes at most 2 queries and as about te same time-complexity as A. Lemma 10 (pf computational LHL). Let H be a family of functions from {0,1} k Dom to {0,1} t suc tat for every au-adversary B, running in time T and producing a distribution over Dom Dom of min-entropy at least 2m 2, adv pf cau H (B) 1/2 t +ε. Ten for every adversary A running in time O(T) producing a distribution of minentropy at least m: adv pf-cre H (A) 2 t (3 2 m + ε)
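The following is an added example, not code from the paper, that writes HMAC out from its definition so the two key-length cases of Theorem 7 are visible in running code: a key of at most one block is zero-padded, while a key of $s \ge 2$ blocks is first run through the cascade $H$ (the extractor of Lemma 8, whose output is $t$ bits) and the result is padded with $0^{b-t}$, which is the $x \,\|\, 0^{b-t}$ keying of $\hat h$. It uses only the Python standard library; the sample keys and label are constructed, and names such as `effective_key` are this example's own.

```python
"""Added example (not from the paper): HMAC from its definition, making the two
key-length cases of Theorem 7 explicit. Notation: b = block size, t = output size
(both in bytes here), H = the iterated (cascade) hash, ipad/opad = the fixed
0x36/0x5C bytes of the HMAC standard."""
import hashlib
import hmac


def sizes(hash_name):
    """(b, t) of the hash in bytes: (128, 48) for SHA-384, (64, 20) for SHA-1."""
    h = hashlib.new(hash_name)
    return h.block_size, h.digest_size


def key_blocks(key, hash_name):
    """Number s of b-byte blocks the key occupies (s >= 2 is the long-key case)."""
    b, _ = sizes(hash_name)
    return -(-len(key) // b)


def effective_key(key, hash_name):
    """The b-byte string actually XORed with ipad/opad.

    |K| <= b:  K || 0^{b-|K|}    (key of at most one block)
    |K| >  b:  H(K) || 0^{b-t}   (long key: first extracted by the cascade H,
                                 then padded, i.e. the x || 0^{b-t} of h-hat)
    """
    b, _ = sizes(hash_name)
    if len(key) > b:
        key = hashlib.new(hash_name, key).digest()
    return key + b"\x00" * (b - len(key))


def hmac_from_definition(key, msg, hash_name):
    """HMAC(K, M) = H((K' ^ opad) || H((K' ^ ipad) || M)) with K' = effective_key(K)."""
    k = effective_key(key, hash_name)
    k_ipad = bytes(x ^ 0x36 for x in k)
    k_opad = bytes(x ^ 0x5C for x in k)
    inner = hashlib.new(hash_name, k_ipad + msg).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def matches_stdlib(key, msg, hash_name):
    """Cross-check against the standard-library implementation."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hash_name),
                               hmac.new(key, msg, hash_name).digest())


def long_key_collapses(key, msg, hash_name):
    """Caveat that follows from the long-key case: for |K| > b, HMAC(K, .) and
    HMAC(H(K), .) are the same function, so a t-bit hash of the key is all the
    construction ever sees (hence the requirement t < kappa in the remark below)."""
    hashed = hashlib.new(hash_name, key).digest()
    return hmac.compare_digest(hmac.new(key, msg, hash_name).digest(),
                               hmac.new(hashed, msg, hash_name).digest())


if __name__ == "__main__":
    # Constructed sample inputs: a one-block key and an s = 2 block key for SHA-384.
    short_key, long_key, label = b"\x01" * 128, b"\x02" * 256, b"master secret"
    for k in (short_key, long_key):
        print(key_blocks(k, "sha384"), matches_stdlib(k, label, "sha384"))
    print(long_key_collapses(long_key, label, "sha384"))
```

Running the module prints the block count and the cross-check result for each key; `long_key_collapses` is the practical consequence of the long-key case worth remembering when a protocol feeds a multi-block secret into HMAC as the key.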

Remark that $\varepsilon \ge 2^{-\kappa}$; that is why the output of the hash function has to be smaller than the key, that is $t < \kappa$. Indeed, consider the following prf-adversary with running time $T$ which makes two queries: she chooses at random $(x_1, x_2) \in (\{0,1\}^b)^2$, sends them to the challenger, which returns $(y_1, y_2)$. Then she chooses $T' = T/T_h$ keys $K$ and tests, for each key, whether $h(K, x_1)$ equals $y_1$. If it is the case, she checks whether $h(K, x_2)$ equals $y_2$, and if it is also the case then she returns 1; otherwise she returns 0 at the end. Her prf-advantage is greater than $2^{-\kappa}$, therefore $\varepsilon \ge 2^{-\kappa}$. This adversary is called the exhaustive search adversary.

4 Applications to the Key Derivation Function of TLS

In this section we apply the methods and the results of the previous section to the new draft version of TLS 1.2 [11]. We give security proofs for the key-extraction function described in the standard, a function which is very similar to the one used in previous versions of TLS. Besides, the new TLS standard promotes the use of at least SHA-256 or a stronger standard hash function. In this paper, we focus on SHA-384 and give security results addressing the specific case of a truncated iterated hash function.

4.1 Brief Description of the TLS Key Extraction Function

In TLS the key extraction is performed the following way. Firstly the client and the server exchange two random 256-bit strings $rand_s$ and $rand_c$, with 224 random bits in each. Then the client and the server exchange a premaster key. In the RSA key exchange, the client generates a 368-bit random string, concatenates it to the latest version of the protocol it supports, encoded on 16 bits, and encrypts the result under the server's RSA public key. The resulting 384-bit string is the premaster-secret. It is a 384-bit value, but there are only 368 random bits of entropy (the 16 most significant bits are fixed). In the Diffie-Hellman key exchange, the client and the server use a group $G$, in which the DDH assumption holds, and then perform a DH protocol to obtain a common random element of $G$. The binary representation of this element is the premaster-secret. Note that this binary representation is not a uniformly distributed bit string.

In both cases, we denote by pmk the premaster-secret. Then the so-called master-secret, denoted by mk, is created. During this first computation, the parties extract the entropy of pmk using a function called Hprf. The function Hprf can be any function specified by the cipher suite in use, but in this paper we focus on the function proposed in the standard, which is very similar to the one used in the previous version of the protocol, TLS 1.1. This function is constructed from several concatenations and iterations of Hmac. For the sake of simplicity, we do not describe this function precisely here; for more details, see [11]. In the same way Hmac is derived from Nmac, the function Hprf can be seen as derived from a function that we call Nprf, that is, $\mathrm{Hprf}_{Hash,ipad,opad}(IV; k, x)$ is equal to:

$$\mathrm{Nprf}_{Hash}\big(h(IV, k \oplus ipad),\ h(IV, k \oplus opad),\ x\big).$$

In the same way we have shown that Hmac is a good computational randomness extractor, since it is the composite of Nmac, which is a prf, with a computational randomness extractor, we show here that Hprf is a good computational randomness extractor, since it is the composite of Nprf, which is a prf, with a computational randomness extractor. Note that contrary to Hmac, we only have to choose $IV$ randomly; ipad is fixed. As Nprf is a concatenation and a composite of several Nmac, the prf-resistance of Nprf can be reduced to the prf-resistance of Nmac. The number $v$ of concatenations depends on the output length required by the cipher suite, and the prf-security depends on this number.

Theorem 11. Let $u \ge 1$, $t \ge 1$ and let $h: \{0,1\}^\kappa \times \{0,1\}^b \to \{0,1\}^\kappa$ be a family of functions. Let $A$ be a prf-adversary against $\mathrm{Nprf}_H$ constructed with $v$ concatenations of $\mathrm{Nmac}_H$. The algorithm $A$ can make at most $q$ queries, each of at most $u$ blocks, and has time-complexity at most $T$. Then there exists a prf-adversary $A'$ against $\mathrm{Nmac}_H$ such that:

$$\mathrm{adv}^{\mathrm{prf}}_{\mathrm{Nprf}_H}(A) \le \mathrm{adv}^{\mathrm{prf}}_{\mathrm{Nmac}_H}(A') + qv^2/2^\kappa.$$

Besides, $A'$ has time-complexity at most $T + O(qv)$ and makes at most $2vq$ queries of at most $u$ blocks.

4.2 Security Results

In this subsection, we adapt the theorems of the previous section to the case of TLS.

Theoretical Results

First we give the security result for a long key, that is an $s$-block key with $s \ge 2$. Note the similarity with Theorem 7. It is proved exactly the same way, except that at the end of the proof the prf-security of Nprf is introduced and reduced to the prf-security of Nmac.

Theorem 12. Let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$. Let ipad and opad be two $b$-bit strings and let $\Phi = \{\oplus_{ipad}, \oplus_{opad}\}$. Let $A$ be a pf-cre-adversary against Hprf that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of $s \ge 2$ blocks and min-entropy $m$. Assume that Hprf is a concatenation of $v$ Hmac. Then there exist a rka-adversary $A_2$ against $\hat h$ and three prf-adversaries $A_1, A_3, A_4$ against $h$ such that $\mathrm{adv}^{\mathrm{pf\text{-}cre}}_{\mathrm{Hprf}_H}(A)$ is upper bounded by:

$$\sqrt{2^t\left(3 \cdot 2^{-m} + 2s \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_1)\right)} + \mathrm{adv}^{\mathrm{rka}}_{\hat h,\Phi}(A_2) + \mathrm{adv}^{\mathrm{prf}}_h(A_3) + 4v^2 l \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_4) + \frac{2v^2}{2^t} + \frac{v^2}{2^\kappa}$$

where $A_1$ and $A_2$ make at most 2 queries and have time-complexity $T$, $A_3$ makes $2v$ queries with time-complexity $T$, and $A_4$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$.
When the key is not longer than a block, similarly to Theorem 5, we could establish a security result containing the term $\sqrt{2^{2\kappa}(2^{-m} + \varepsilon)}$ for some $\varepsilon$. This term is small for SHA-1, but it is greater than 1 in the case of SHA-384, since $b = 2\kappa$ and $m \le b$. Therefore, we adapt the security hypothesis and assume that $\hat h$ is a prf resistant against related-key attacks when it is keyed with a bit string of min-entropy at least $m$ ($m = \kappa$ for the classical rka). That is, the aim and the power of the $m$-rka adversary are the same as those of a classical rka-adversary, except that at the beginning of the game the $m$-rka adversary generates an efficiently samplable distribution of min-entropy at least $m$, gives it to the challenger, and the latter chooses the key according to this distribution. We say that $\hat h$ is resistant against $m$-rka and denote by $\mathrm{adv}^{m\text{-}\mathrm{rka}}_{\hat h,\Phi}(A)$ the advantage of an $m$-rka adversary against $\hat h$.

This assumption cannot be reduced to the prf-security against rka. Indeed, the prf assumption requires that the key is uniformly distributed, and a good prf for a uniformly distributed key is not necessarily a good prf for a high-entropy key. Consider the following example. Let $f$ from $\{0,1\}^n \times \{0,1\}^n$ to $\{0,1\}^n$ be the function family defined by $f_K(x) = K \oplus x$. If $K$ is chosen uniformly at random in $\{0,1\}^n$, the function family $f$ is a perfect random function family against adversaries which are limited to one query. But if $K = K' \,\|\, 0$ where $K'$ is chosen uniformly in $\{0,1\}^{n-1}$, $K$ is an $n$-bit string with min-entropy $n - 1$ and $f$ is no longer secure against adversaries limited to one query, since the least significant bit of the output of $f$ can be guessed.

Theorem 13. Let ipad and opad be two fixed $b$-bit strings, let $\Phi = \{\oplus_{ipad}, \oplus_{opad}\}$ and let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$ such that $\hat h$ is resistant against $m$-rka. Let $A$ be a cre-adversary against Hprf that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of at most 1 block and min-entropy $m$. Assume that Hprf is a concatenation of $v$ Hmac. Then there exist an $m$-rka adversary $A_0$ and two prf-adversaries $A_1, A_2$ such that the advantage $\mathrm{adv}^{\mathrm{pf\text{-}cre}}_{\mathrm{Hprf}_H}(A)$ is upper bounded by:

$$\mathrm{adv}^{m\text{-}\mathrm{rka}}_{\hat h,\Phi}(A_0) + \mathrm{adv}^{\mathrm{prf}}_h(A_1) + 4v^2 l \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_2) + \frac{2v^2}{2^t} + \frac{v^2}{2^\kappa}$$

where $A_0$ makes at most two queries with time-complexity $T$, $A_1$ makes $2v$ queries with time-complexity $T$, and $A_2$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$, where $T_h$ is the time for one computation of $h$.

Practical Security

The TLS standard imposes that the master-secret is 384 bits long. Therefore, if one uses SHA-384 as the underlying hash function, $v = 1$, $\kappa = 512$ and $t = 384$. The label and the two random nonces, when concatenated, are 616 bits long and thus smaller than the 1024-bit block of SHA-384; that is why in practice $l = 1$.
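The following is an added example, not code from the paper, that writes out the TLS 1.2 master-secret extraction (the function the text calls Hprf) as the PRF of RFC 5246 section 5, P_hash over HMAC, so that the parameters just quoted can be checked by running it: with SHA-384 the 48-byte master secret is a single HMAC-SHA384 output ($v = 1$), and the label together with the two nonces occupies 616 bits, under one 1024-bit block ($l = 1$). It uses only the Python standard library; the nonces and the premaster secret are constructed values, not from a real handshake, and the helper names are this example's own.

```python
"""Added example (not from the paper): the TLS 1.2 master-secret extraction written
out as RFC 5246's PRF (P_hash over HMAC). Sample values are constructed."""
import hashlib
import hmac

MASTER_SECRET_LABEL = b"master secret"
MASTER_SECRET_LEN = 48  # 384 bits, imposed by the standard


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)). Returns (output, v) where v is
    the number of HMAC outputs concatenated, the paper's v."""
    out, a, v = b"", seed, 0
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
        v += 1
    return out[:out_len], v


def tls12_prf(hash_name, secret, label, seed, out_len):
    """PRF(secret, label, seed) = P_hash(secret, label || seed)."""
    return p_hash(hash_name, secret, label + seed, out_len)


def hello_random(gmt_unix_time, random28):
    """32-byte Hello random: 4-byte time + 28 random bytes, i.e. 224 random bits of 256."""
    assert len(random28) == 28
    return gmt_unix_time.to_bytes(4, "big") + random28


def rsa_premaster_secret(random46, client_version=b"\x03\x03"):
    """48-byte RSA premaster secret: fixed 16-bit version followed by 368 random bits."""
    assert len(random46) == 46
    return client_version + random46


def master_secret(hash_name, pmk, client_random, server_random):
    """mk = PRF(pmk, "master secret", rand_c || rand_s), truncated to 48 bytes."""
    return tls12_prf(hash_name, pmk, MASTER_SECRET_LABEL,
                     client_random + server_random, MASTER_SECRET_LEN)


def equals_single_hmac(hash_name, pmk, client_random, server_random):
    """True when mk is exactly one HMAC output, HMAC(pmk, A(1) || label || seed),
    which holds for SHA-384 (48-byte digest) and fails for SHA-256 (32 bytes)."""
    seed = MASTER_SECRET_LABEL + client_random + server_random
    a1 = hmac.new(pmk, seed, hash_name).digest()
    mk, _ = master_secret(hash_name, pmk, client_random, server_random)
    return mk == hmac.new(pmk, a1 + seed, hash_name).digest()[:MASTER_SECRET_LEN]


def extraction_parameters(hash_name):
    """The paper's b, t (bits), v (HMAC outputs needed for 48 bytes) and l (b-bit
    blocks occupied by the label and the two 32-byte nonces) for a given hash."""
    h = hashlib.new(hash_name)
    label_seed_len = len(MASTER_SECRET_LABEL) + 2 * 32
    return {"b": 8 * h.block_size, "t": 8 * h.digest_size,
            "v": -(-MASTER_SECRET_LEN // h.digest_size),
            "l": -(-label_seed_len // h.block_size),
            "label_seed_bits": 8 * label_seed_len}


if __name__ == "__main__":
    rand_c = hello_random(0x5A5A5A5A, bytes(range(28)))        # constructed
    rand_s = hello_random(0x5A5A5A5B, bytes(range(100, 128)))  # constructed
    pmk = rsa_premaster_secret(bytes(range(46)))               # constructed
    mk, v = master_secret("sha384", pmk, rand_c, rand_s)
    print(extraction_parameters("sha384"), v, mk.hex())
```

With `"sha256"` in place of `"sha384"` the same code needs two HMAC outputs ($v = 2$) and the label plus nonces span two 512-bit blocks, which is where the $v^2$ and $l$ factors of Theorems 12 and 13 start to cost.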
Let $h$ denote the compression function of SHA-384. Assume that the best known prf-adversary against $h$ in time $T$ is the exhaustive search adversary, whose advantage is smaller than $(T/T_h)/2^\kappa$. Similarly, assume that the best known $m$-rka-adversary against $\hat h$ with time-complexity $T$ and with $\Phi = \{\oplus_{ipad}, \oplus_{opad}\}$ is the exhaustive search adversary, whose advantage is smaller than $(T/T_h)/2^m$. We examine, in this context, the practical security of the key derivation when the premaster-secret is smaller than the block size and when it is longer than the block size.

For a long key of $s = 2$ blocks, the pf-cre-advantage of an adversary in time $T$ is smaller than $(T/T_h) \cdot 2^{-62}$ if $m \ge 512$. This implies a 62-bit security if $m \ge 512$. For a small key, the cre-advantage of an adversary in time $T$ is smaller than $(T/T_h) \cdot 2^{-m+3}$. This implies at least a 124-bit security if $m \ge 128$.

In the case of RSA, the premaster-secret length is 384 bits, which is smaller than the 1024-bit block. As its min-entropy is 368 bits, this case has a 124-bit security at least. In the case of Diffie-Hellman, if the DDH assumption holds then the result of the key exchange is indistinguishable, for the adversary, from a random element of the group. Therefore, under the DDH assumption, if the key exchange is performed in a subgroup $G$ of $\mathbb{Z}_p^*$, where $p$ is a prime of exactly 1024 bits, a 256-bit subgroup is enough to guarantee a 124-bit security. If $p$ is strictly larger than the 1024-bit block size, then $G$ has to be at least a 512-bit subgroup to guarantee a 62-bit security.

When the IV is not Random

Our security proofs rely on the fact that $IV$ (and, for Hmac, ipad also) is chosen randomly every time a new master-secret is extracted. However, $IV$ (and ipad) are fixed once and for all in the Hmac standard [5] and cannot vary. Consequently, it may seem that our proofs are not of practical interest. Fortunately, this is not the case. Indeed, our definition of computational randomness extractor allows the adversary to make only one query to guess the bit $b$. However, one could allow the adversary to make at most $q$ queries with the same $IV$. In this case, using a hybrid argument, it can be proven that the advantage of the adversary is upper bounded by $q$ times its advantage in the one-query game. It implies that if $IV$ was generated randomly when the Hmac standard was written, then the advantage of any cre-adversary against the TLS extraction function or Hmac increases linearly with the number of master-secret extractions the adversary witnesses. Such an assumption has already been made by Barak et al. [1], with the same consequences on the security bound. One can find a proof of it in the particular case of the Leftover Hash Lemma in Shoup's book [20] (see Theorem 6.22).

5 Conclusion

We have shown that Hmac is a good randomness extractor, whatever the size of the key is, even when it is greater than the block size. These results can be applied to the security of the TLS key extraction function. Our results promote the use of SHA-384 as the hash function in the key extraction function. We can guarantee a security of 124 bits in the case of RSA key exchange, and in the case of Diffie-Hellman key exchange with a 1024-bit prime and a 256-bit group size, which is very reasonable. We can also guarantee a 62-bit security in the case of Diffie-Hellman key exchange with a prime longer than 1024 bits and a 512-bit group size.

References

1. B. Barak, R. Shaltiel, and E. Tromer. True random number generators secure in a changing environment. In C. D. Walter, Çetin Kaya Koç, and C. Paar, editors, CHES 2003, volume 2779 of LNCS. Springer, 2003.
2. M. Bellare. New proofs for NMAC and HMAC: security without collision-resistance. In Crypto 06, LNCS. Springer-Verlag, Berlin, 2006.
3. M. Bellare, R. Canetti, and H. Krawczyk. Keying hash functions for message authentication. In Crypto 96, LNCS. Springer-Verlag, Berlin, 1996.
4. M. Bellare, R. Canetti, and H. Krawczyk. Message authentication using hash functions: the HMAC construction. RSA Laboratories CryptoBytes, 2(1), Spring 1996.
5. M. Bellare, R. Canetti, and H. Krawczyk. HMAC: keyed-hashing for message authentication. RFC 2104, February 1997.
6. R. Canetti, J. Friedlander, S. Konyagin, M. Larsen, D. Lieman, and I. Shparlinski. On the statistical properties of Diffie-Hellman distributions. Israel Journal of Mathematics, 120:23–46.
7. R. Canetti, J. Friedlander, and I. Shparlinski. On certain exponential sums and the distribution of Diffie-Hellman triples. Journal of the London Mathematical Society, 59(2).
8. O. Chevassut, P.-A. Fouque, P. Gaudry, and D. Pointcheval. The twist-augmented technique for key exchange. In PKC 06, LNCS. Springer-Verlag, Berlin, 2006.
9. Q. Dang and T. Polk. Hash-based key derivation function (hkd). draft-dang-nistkdf-01.txt, June 2006.
10. T. Dierks and C. Allen. RFC 2246: The TLS protocol version 1.0. Internet Activities Board, January 1999.
11. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) protocol version 1.2. Internet-Draft RFC 4346 bis, Internet Engineering Task Force.
12. Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin. Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In Crypto 04, LNCS. Springer-Verlag, Berlin, 2004.
13. P.-A. Fouque, D. Pointcheval, J. Stern, and S. Zimmer. Hardness of distinguishing the MSB or LSB of secret keys in Diffie-Hellman schemes. In M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, editors, ICALP 2006, Part II, volume 4052 of LNCS. Springer, July 2006.
14. R. Gennaro, H. Krawczyk, and T. Rabin. Secure hashed Diffie-Hellman over non-DDH groups. In Eurocrypt 04, volume 3027 of LNCS. Springer-Verlag, Berlin, 2004.
15. J. Håstad, R. Impagliazzo, L. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM Journal on Computing, 28(4).
16. R. Impagliazzo and D. Zuckerman. How to recycle random bits. In Proc. of the 30th FOCS. IEEE, New York, 1989.
17. J. Jonsson and B. S. Kaliski Jr. On the security of RSA encryption in TLS. In M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS. Springer, August 2002.
18. C. Kaufman. RFC 4306: Internet Key Exchange (IKEv2) protocol, December 2005.
19. Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography (revised). NIST Special Publication 800-56A, March 2007.
20. V. Shoup. A computational introduction to number theory and algebra. Cambridge University Press, 2005.

A Security Proof for Small Keys

In this appendix we give the two proofs of the theorems of Subsection 3.2, when the key is smaller than the block size. First we recall the theorem for Hmac used with a classical iterated hash function and give its proof, and then we recall the theorem for the case of a truncated iterated hash function, with its proof.

Theorem 2. Let $IV$ be a fixed $\kappa$-bit string and let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$, where the key is the first input, on $\kappa$ bits. Let $\bar h$ be the hash function defined by $\bar h_{IV}(pad, \cdot) = h(IV, pad)$, where the key is $pad$. Let $A$ be a cre-adversary against the construction $\mathrm{Hmac}_H$ that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of at most 1 block and min-entropy $m$. Then there exist one prf-adversary $A_1$ against $\bar h$ and two prf-adversaries $A_2$ and $A_3$ against $h$ such that $\mathrm{adv}^{\mathrm{cre}}_{\mathrm{Hmac}_H}(A)$ is upper bounded by:

$$\sqrt{2^{2\kappa}\left(2^{-m} + 2 \cdot \mathrm{adv}^{\mathrm{prf}}_{\bar h}(A_1)\right)} + 2^{-\kappa} + \mathrm{adv}^{\mathrm{prf}}_h(A_2) + 2l \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_3)$$

where $A_1$ makes two queries with time-complexity $T + 2T_h$, $A_2$ makes one query with time-complexity $T$ and $A_3$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$, where $T_h$ is the time for one computation of $h$.

Proof. Before considering the proof itself, we prove that the hash function family $F = \big(h(IV, \cdot \oplus ipad) \,\|\, h(IV, \cdot \oplus opad)\big)_{(ipad, opad)}$ is cau. Indeed, since any prf-adversary $A'$ against $\bar h$ with 2 queries and time-complexity $T$ has a prf-advantage denoted $\mathrm{adv}^{\mathrm{prf}}_{\bar h}(A')$, any prf-adversary $A_F$ against $F$ with time-complexity $T - 2T_h$ and with 2 queries has a prf-advantage which is smaller than $2 \cdot \mathrm{adv}^{\mathrm{prf}}_{\bar h}(A')$. Then, it can easily be seen that from any cau-adversary against $F$ one can construct a prf-adversary against $F$. This implies that any cau-adversary against $F$ which has time-complexity at most $T + 2T_h$ and generates probability distributions of min-entropy at least $m$ (for any $m$!) has a cau-advantage upper bounded by $\mathrm{adv}^{\mathrm{prf}}_F(A) + 2^{-t}$, for a particular prf-adversary $A$ against $F$ with two queries and the same time-complexity.

Let us now consider the following sequence of games.

Game 0: this game corresponds to the attack when the real extraction is performed.
1. $A$ sends $(D, label)$
2. $pmk \xleftarrow{\$} D \subseteq \{0,1\}^s$, $opad \xleftarrow{\$} \{0,1\}^b$, $ipad \xleftarrow{\$} \{0,1\}^b$
3. $(k_1, k_2) = \big(h(IV, pmk \oplus ipad),\ h(IV, pmk \oplus opad)\big)$
4. $k = \mathrm{Nmac}_H(k_1, k_2, label)$; send $(IV, ipad, k)$ to $A$
5. $A$ sends its guess $b'$

Game 1: in this game, we choose $k_1$ and $k_2$ uniformly at random in $\{0,1\}^\kappa$.

Game 2: in this game, we choose $k$ uniformly at random in $\{0,1\}^\kappa$.

Firstly, the distance between Game 0 and Game 1 can be upper bounded using the computational Leftover Hash Lemma with $F$: it is upper bounded by $\sqrt{2^{2\kappa}(2^{-m} + 2 \cdot \mathrm{adv}^{\mathrm{prf}}_{\bar h}(A_1))}$. Secondly, there exists a prf-adversary $A'$ against $\mathrm{Nmac}_H$ which makes at most one query and has time-complexity $T$ such that the distance between Game 1 and Game 2 is upper bounded by $\mathrm{adv}^{\mathrm{prf}}_{\mathrm{Nmac}_H}(A')$. Bellare's result implies that the latter is smaller than $\mathrm{adv}^{\mathrm{prf}}_h(A_2) + 2l \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_3) + 1/2^\kappa$.

We now consider the case when Hmac is used with a truncated iterated hash function.

Theorem 5. Let $IV$ be a fixed $\kappa$-bit string and let $h$ be a function family from $\{0,1\}^\kappa \times \{0,1\}^b$ to $\{0,1\}^\kappa$, where the key is the first input, on $\kappa$ bits. Let $\bar h$ be the hash function defined by $\bar h_{IV}(pad, \cdot) = h(IV, pad)$, where the key is $pad$. Let $A$ be a cre-adversary against the construction $\mathrm{Hmac}_H$ that has time-complexity at most $T$, generates labels of at most $l$ blocks and a key of at most 1 block and min-entropy $m$. Then there exist one prf-adversary $A_1$ against $\bar h$ and two prf-adversaries $A_2$ and $A_3$ against $h$ such that $\mathrm{adv}^{\mathrm{cre}}_{\mathrm{Hmac}_H}(A)$ is upper bounded by:

$$\sqrt{2^{2\kappa}\left(2^{-m} + 2 \cdot \mathrm{adv}^{\mathrm{prf}}_{\bar h}(A_1)\right)} + 2^{-t} + \mathrm{adv}^{\mathrm{prf}}_h(A_2) + 2l \cdot \mathrm{adv}^{\mathrm{prf}}_h(A_3)$$

where $A_1$ makes two queries with time-complexity $T + 2T_h$, $A_2$ makes one query with time-complexity $T$ and $A_3$ makes at most 2 queries with time-complexity $O(l \cdot T_h)$, where $T_h$ is the time for one computation of $h$.

Proof. Let us consider the following sequence of games.

Game 0: this game corresponds to the attack when the real extraction is performed.
1. $A$ sends $(D, label)$


More information

Exam 1 Review Solutions

Exam 1 Review Solutions Exam Review Solutions Please also review te old quizzes, and be sure tat you understand te omework problems. General notes: () Always give an algebraic reason for your answer (graps are not sufficient),

More information

Solutions to the Multivariable Calculus and Linear Algebra problems on the Comprehensive Examination of January 31, 2014

Solutions to the Multivariable Calculus and Linear Algebra problems on the Comprehensive Examination of January 31, 2014 Solutions to te Multivariable Calculus and Linear Algebra problems on te Compreensive Examination of January 3, 24 Tere are 9 problems ( points eac, totaling 9 points) on tis portion of te examination.

More information

Excursions in Computing Science: Week v Milli-micro-nano-..math Part II

Excursions in Computing Science: Week v Milli-micro-nano-..math Part II Excursions in Computing Science: Week v Milli-micro-nano-..mat Part II T. H. Merrett McGill University, Montreal, Canada June, 5 I. Prefatory Notes. Cube root of 8. Almost every calculator as a square-root

More information

Contents 1 Introduction 3 2 Te Problem Invertibility can urt wen using block cipers: An example PRPs, PRs, and teir relation

Contents 1 Introduction 3 2 Te Problem Invertibility can urt wen using block cipers: An example PRPs, PRs, and teir relation An extended abstract appears in Advances in Cryptology { urocrypt 98 Proceedings, Lecture Notes in Computer Science Vol. 1403, K. Nyberg ed., Springer-Verlag, 1998. Tis is te full version. Luby-Racko Backwards:

More information

Differentiation in higher dimensions

Differentiation in higher dimensions Capter 2 Differentiation in iger dimensions 2.1 Te Total Derivative Recall tat if f : R R is a 1-variable function, and a R, we say tat f is differentiable at x = a if and only if te ratio f(a+) f(a) tends

More information

Symmetry Labeling of Molecular Energies

Symmetry Labeling of Molecular Energies Capter 7. Symmetry Labeling of Molecular Energies Notes: Most of te material presented in tis capter is taken from Bunker and Jensen 1998, Cap. 6, and Bunker and Jensen 2005, Cap. 7. 7.1 Hamiltonian Symmetry

More information

Combining functions: algebraic methods

Combining functions: algebraic methods Combining functions: algebraic metods Functions can be added, subtracted, multiplied, divided, and raised to a power, just like numbers or algebra expressions. If f(x) = x 2 and g(x) = x + 2, clearly f(x)

More information

2.1 THE DEFINITION OF DERIVATIVE

2.1 THE DEFINITION OF DERIVATIVE 2.1 Te Derivative Contemporary Calculus 2.1 THE DEFINITION OF DERIVATIVE 1 Te grapical idea of a slope of a tangent line is very useful, but for some uses we need a more algebraic definition of te derivative

More information

MVT and Rolle s Theorem

MVT and Rolle s Theorem AP Calculus CHAPTER 4 WORKSHEET APPLICATIONS OF DIFFERENTIATION MVT and Rolle s Teorem Name Seat # Date UNLESS INDICATED, DO NOT USE YOUR CALCULATOR FOR ANY OF THESE QUESTIONS In problems 1 and, state

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

REMARKS ON IBE SCHEME OF WANG AND CAO

REMARKS ON IBE SCHEME OF WANG AND CAO REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com

More information

Short Exponent Diffie-Hellman Problems

Short Exponent Diffie-Hellman Problems Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and

More information

Derivation Of The Schwarzschild Radius Without General Relativity

Derivation Of The Schwarzschild Radius Without General Relativity Derivation Of Te Scwarzscild Radius Witout General Relativity In tis paper I present an alternative metod of deriving te Scwarzscild radius of a black ole. Te metod uses tree of te Planck units formulas:

More information

LIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT

LIMITS AND DERIVATIVES CONDITIONS FOR THE EXISTENCE OF A LIMIT LIMITS AND DERIVATIVES Te limit of a function is defined as te value of y tat te curve approaces, as x approaces a particular value. Te limit of f (x) as x approaces a is written as f (x) approaces, as

More information

MAT 145. Type of Calculator Used TI-89 Titanium 100 points Score 100 possible points

MAT 145. Type of Calculator Used TI-89 Titanium 100 points Score 100 possible points MAT 15 Test #2 Name Solution Guide Type of Calculator Used TI-89 Titanium 100 points Score 100 possible points Use te grap of a function sown ere as you respond to questions 1 to 8. 1. lim f (x) 0 2. lim

More information

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION

LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LIMITATIONS OF EULER S METHOD FOR NUMERICAL INTEGRATION LAURA EVANS.. Introduction Not all differential equations can be explicitly solved for y. Tis can be problematic if we need to know te value of y

More information

Homework 1 Due: Wednesday, September 28, 2016

Homework 1 Due: Wednesday, September 28, 2016 0-704 Information Processing and Learning Fall 06 Homework Due: Wednesday, September 8, 06 Notes: For positive integers k, [k] := {,..., k} denotes te set of te first k positive integers. Wen p and Y q

More information

Continuity and Differentiability Worksheet

Continuity and Differentiability Worksheet Continuity and Differentiability Workseet (Be sure tat you can also do te grapical eercises from te tet- Tese were not included below! Typical problems are like problems -3, p. 6; -3, p. 7; 33-34, p. 7;

More information

Poisson Equation in Sobolev Spaces

Poisson Equation in Sobolev Spaces Poisson Equation in Sobolev Spaces OcMountain Dayligt Time. 6, 011 Today we discuss te Poisson equation in Sobolev spaces. It s existence, uniqueness, and regularity. Weak Solution. u = f in, u = g on

More information

Cubic Functions: Local Analysis

Cubic Functions: Local Analysis Cubic function cubing coefficient Capter 13 Cubic Functions: Local Analysis Input-Output Pairs, 378 Normalized Input-Output Rule, 380 Local I-O Rule Near, 382 Local Grap Near, 384 Types of Local Graps

More information

Perfectly-Crafted Swiss Army Knives in Theory

Perfectly-Crafted Swiss Army Knives in Theory Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance

More information

Bin Wang, Bernard Brogliato, Vincent Acary, Ahcene Boubakir, Franck Plestan. HAL Id: hal https://hal.archives-ouvertes.

Bin Wang, Bernard Brogliato, Vincent Acary, Ahcene Boubakir, Franck Plestan. HAL Id: hal https://hal.archives-ouvertes. Experimental comparisons between implicit and explicit implementations of discrete-time sliding mode controllers: Towards cattering suppression in output and input signals Bin Wang, Bernard Brogliato,

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

2.11 That s So Derivative

2.11 That s So Derivative 2.11 Tat s So Derivative Introduction to Differential Calculus Just as one defines instantaneous velocity in terms of average velocity, we now define te instantaneous rate of cange of a function at a point

More information

Consider a function f we ll specify which assumptions we need to make about it in a minute. Let us reformulate the integral. 1 f(x) dx.

Consider a function f we ll specify which assumptions we need to make about it in a minute. Let us reformulate the integral. 1 f(x) dx. Capter 2 Integrals as sums and derivatives as differences We now switc to te simplest metods for integrating or differentiating a function from its function samples. A careful study of Taylor expansions

More information

HOMEWORK HELP 2 FOR MATH 151

HOMEWORK HELP 2 FOR MATH 151 HOMEWORK HELP 2 FOR MATH 151 Here we go; te second round of omework elp. If tere are oters you would like to see, let me know! 2.4, 43 and 44 At wat points are te functions f(x) and g(x) = xf(x)continuous,

More information

REVIEW LAB ANSWER KEY

REVIEW LAB ANSWER KEY REVIEW LAB ANSWER KEY. Witout using SN, find te derivative of eac of te following (you do not need to simplify your answers): a. f x 3x 3 5x x 6 f x 3 3x 5 x 0 b. g x 4 x x x notice te trick ere! x x g

More information

5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems

5 Ordinary Differential Equations: Finite Difference Methods for Boundary Problems 5 Ordinary Differential Equations: Finite Difference Metods for Boundary Problems Read sections 10.1, 10.2, 10.4 Review questions 10.1 10.4, 10.8 10.9, 10.13 5.1 Introduction In te previous capters we

More information

Function Composition and Chain Rules

Function Composition and Chain Rules Function Composition and s James K. Peterson Department of Biological Sciences and Department of Matematical Sciences Clemson University Marc 8, 2017 Outline 1 Function Composition and Continuity 2 Function

More information

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C.

Provable Security Against a Dierential Attack? Aarhus University, DK-8000 Aarhus C. Provable Security Against a Dierential Attack Kaisa Nyberg and Lars Ramkilde Knudsen Aarus University, DK-8000 Aarus C. Abstract. Te purpose of tis paper is to sow tat tere exist DESlike iterated cipers,

More information

Analysis of Underlying Assumptions in NIST DRBGs

Analysis of Underlying Assumptions in NIST DRBGs Analysis of Underlying Assumptions in NIST DRBGs Wilson Kan Security and Privacy Group Pitney Bowes Inc. September 4, 2007 Abstract In [1], four different DRBGs are recommended for cryptographic purpose.

More information

A New Paradigm of Hybrid Encryption Scheme

A New Paradigm of Hybrid Encryption Scheme A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida

More information

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

The Complexity of Computing the MCD-Estimator

The Complexity of Computing the MCD-Estimator Te Complexity of Computing te MCD-Estimator Torsten Bernolt Lerstul Informatik 2 Universität Dortmund, Germany torstenbernolt@uni-dortmundde Paul Fiscer IMM, Danisc Tecnical University Kongens Lyngby,

More information

CS522 - Partial Di erential Equations

CS522 - Partial Di erential Equations CS5 - Partial Di erential Equations Tibor Jánosi April 5, 5 Numerical Di erentiation In principle, di erentiation is a simple operation. Indeed, given a function speci ed as a closed-form formula, its

More information

Numerical Differentiation

Numerical Differentiation Numerical Differentiation Finite Difference Formulas for te first derivative (Using Taylor Expansion tecnique) (section 8.3.) Suppose tat f() = g() is a function of te variable, and tat as 0 te function

More information

Domination Problems in Nowhere-Dense Classes of Graphs

Domination Problems in Nowhere-Dense Classes of Graphs LIPIcs Leibniz International Proceedings in Informatics Domination Problems in Nowere-Dense Classes of Graps Anuj Dawar 1, Stepan Kreutzer 2 1 University of Cambridge Computer Lab, U.K. anuj.dawar@cl.cam.ac.uk

More information

Time (hours) Morphine sulfate (mg)

Time (hours) Morphine sulfate (mg) Mat Xa Fall 2002 Review Notes Limits and Definition of Derivative Important Information: 1 According to te most recent information from te Registrar, te Xa final exam will be eld from 9:15 am to 12:15

More information

Chapters 19 & 20 Heat and the First Law of Thermodynamics

Chapters 19 & 20 Heat and the First Law of Thermodynamics Capters 19 & 20 Heat and te First Law of Termodynamics Te Zerot Law of Termodynamics Te First Law of Termodynamics Termal Processes Te Second Law of Termodynamics Heat Engines and te Carnot Cycle Refrigerators,

More information

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34 Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:

More information

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006

Math 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 Mat 102 TEST CHAPTERS 3 & 4 Solutions & Comments Fall 2006 f(x+) f(x) 10 1. For f(x) = x 2 + 2x 5, find ))))))))) and simplify completely. NOTE: **f(x+) is NOT f(x)+! f(x+) f(x) (x+) 2 + 2(x+) 5 ( x 2

More information

Merkle-Damgård Revisited : how to Construct a Hash Function

Merkle-Damgård Revisited : how to Construct a Hash Function Merkle-Damgård Revisited : how to Construct a Hash Function Jean-Sébastien Coron 1, Yevgeniy Dodis 2, Cécile Malinaud 3, and Prashant Puniya 2 1 University of Luxembourg coron@clipper.ens.fr 2 New-York

More information

DIGRAPHS FROM POWERS MODULO p

DIGRAPHS FROM POWERS MODULO p DIGRAPHS FROM POWERS MODULO p Caroline Luceta Box 111 GCC, 100 Campus Drive, Grove City PA 1617 USA Eli Miller PO Box 410, Sumneytown, PA 18084 USA Clifford Reiter Department of Matematics, Lafayette College,

More information

Chapter 5 FINITE DIFFERENCE METHOD (FDM)

Chapter 5 FINITE DIFFERENCE METHOD (FDM) MEE7 Computer Modeling Tecniques in Engineering Capter 5 FINITE DIFFERENCE METHOD (FDM) 5. Introduction to FDM Te finite difference tecniques are based upon approximations wic permit replacing differential

More information

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION. Mihir Bellare UCSD 1 MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified

More information

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC Xiaoyun Wang 1,2, Hongbo Yu 1, Wei Wang 2, Haina Zhang 2, and Tao Zhan 3 1 Center for Advanced Study, Tsinghua University, Beijing 100084, China {xiaoyunwang,

More information

Online Learning: Bandit Setting

Online Learning: Bandit Setting Online Learning: Bandit Setting Daniel asabi Summer 04 Last Update: October 0, 06 Introduction [TODO Bandits. Stocastic setting Suppose tere exists unknown distributions ν,..., ν, suc tat te loss at eac

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

0.1 Differentiation Rules

0.1 Differentiation Rules 0.1 Differentiation Rules From our previous work we ve seen tat it can be quite a task to calculate te erivative of an arbitrary function. Just working wit a secon-orer polynomial tings get pretty complicate

More information

Two-sources Randomness Extractors for Elliptic Curves

Two-sources Randomness Extractors for Elliptic Curves Two-sources Randomness Extractors for Elliptic Curves Abdoul Aziz Ciss Laboratoire de Traitement de l Information et Systèmes Intelligents, École Polytechnique de Thiès, Sénégal aaciss@ept.sn Abstract.

More information

How to Find the Derivative of a Function: Calculus 1

How to Find the Derivative of a Function: Calculus 1 Introduction How to Find te Derivative of a Function: Calculus 1 Calculus is not an easy matematics course Te fact tat you ave enrolled in suc a difficult subject indicates tat you are interested in te

More information

Preface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Preface. Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed. Preface Here are my online notes for my course tat I teac ere at Lamar University. Despite te fact tat tese are my class notes, tey sould be accessible to anyone wanting to learn or needing a refreser

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Regularized Regression

Regularized Regression Regularized Regression David M. Blei Columbia University December 5, 205 Modern regression problems are ig dimensional, wic means tat te number of covariates p is large. In practice statisticians regularize

More information

ch (for some fixed positive number c) reaching c

ch (for some fixed positive number c) reaching c GSTF Journal of Matematics Statistics and Operations Researc (JMSOR) Vol. No. September 05 DOI 0.60/s4086-05-000-z Nonlinear Piecewise-defined Difference Equations wit Reciprocal and Cubic Terms Ramadan

More information