Re: [Cfrg] [CFRG] PAKE selection process: Update on documentation regarding CPace and AuCPace

"Björn Haase" <> Fri, 07 February 2020 21:51 UTC


> Is everything going as planned with your preparation of replies for the Round 2 questions?

Mostly. I will not be able to finalize all of the aspects that I wanted to cover myself, but I am confident I will finish the most important topics by Sunday.

Regarding the proofs, I will be reworking the following aspects:

- Firstly, I have added a discussion according to the guidelines given by Ran Canetti regarding establishment of a session ID only by the initiator of the protocol.
- Secondly, as Stanislav Jarecki has correctly pointed out, the CPace proof actually needs a different assumption set for the proof. CDH alone is not sufficient; we need exactly the same SDH problem as used by VTBPEKE and analyzed by Pointcheval and Wang in their paper. In fact, it is not actually astonishing that TBPEKE and CPace both need SDH, since both protocols have SPEKE at their core.
- The third aspect is that I believe that the method used by Jarecki, Krawczyk and Xu that they presented in their latest OPAQUE paper revision (with Interrupt queries and delayed test password queries) is superior to the relaxed functionality that I did use in the last revision of the CPace proof. I am reworking this subcomponent.

My plan was to prepare two things by Sunday. Firstly, a second paper for an implicitly authenticated version of AuCPace and, secondly, a rework of the present AuCPace paper with the explicitly authenticated protocol (with Ta and Tb messages) (including a proper LaTeX version of the .csv-style simulator description on the PAKE GitHub).

I will most likely be able to finish the first aspect by Sunday (implicit authentication version paper) but maybe not the second aspect.

Sent: Friday, 07 February 2020 at 20:13
From: "Stanislav V. Smyshlyaev" <>
To: "Björn Haase" <>
Cc: "" <>
Subject: Re: [Cfrg] [CFRG] PAKE selection process: Update on documentation regarding CPace and AuCPace

Dear Björn,
Many thanks for the notice!
Is everything going as planned with your preparation of replies for the Round 2 questions?
Fri, 7 Feb 2020 at 22:05, "Björn Haase" <>:

I would like to give notice of the changes in documentation regarding CPace and AuCPace.

Differences in the CPace draft 01:

The CPace text is slightly rephrased and now refers to the acronym SDH as the
simultaneous Diffie-Hellman problem (as defined and analyzed in the VTBPEKE paper).
Notation has been modified at some places in order to be in line with a reworked
paper with the security proof that considers the last recommendations of round 1.
(To be submitted this weekend.)

Differences in the AuCPace draft 01:
I have added the process of AuCPace-authenticated transactions, such as are useful for
change-password and "sudo"-style transactions. Moreover, I have fixed a bug in the
test vector section that stemmed from the fact that some Python implementations of
scrypt seem to have problems with non-ASCII characters in the salt field.

Moreover, I have set up a repository with reference implementations for SageMath and C.
Code is available at
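The salt-encoding pitfall behind the test-vector fix mentioned above, shown as an added Python example; this is not code from the original post, from the AuCPace draft or from its reference repository. The password, the salt text and the (deliberately small) scrypt cost parameters are constructed sample values, not the draft's test vectors. The point it demonstrates is that a test vector whose salt is given as text is only reproducible once the byte encoding of that text is fixed: an ASCII-only salt gives the same bytes under every common codec, a salt with non-ASCII characters does not, and `hashlib.scrypt` refuses a `str` salt rather than guessing an encoding.

```python
import hashlib

# Constructed sample inputs (not the AuCPace draft's test vectors).
PASSWORD = "correct horse battery staple"
SALT_TEXT = "salt\u00e9\u00ff"      # contains non-ASCII characters: é, ÿ
ASCII_SALT_TEXT = "plain-salt"

# Small, fast cost parameters for demonstration only; real deployments use larger ones.
N, R, P, DKLEN = 2 ** 10, 8, 1, 32


def scrypt_hex(password: str, salt: bytes) -> str:
    """scrypt with the salt already reduced to bytes; the password is UTF-8 encoded."""
    if not isinstance(salt, (bytes, bytearray)):
        raise TypeError("salt must be bytes: encode it explicitly before hashing")
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=N, r=R, p=P, dklen=DKLEN).hex()


def salt_bytes_by_codec(salt_text: str) -> dict:
    """The same salt text under two codecs: identical for ASCII input, different otherwise."""
    return {
        "utf-8": salt_text.encode("utf-8"),
        "latin-1": salt_text.encode("latin-1"),
    }


def derive_by_codec(password: str, salt_text: str) -> dict:
    """Derived keys per codec; a published vector is only reproducible if the codec is fixed."""
    return {codec: scrypt_hex(password, salt)
            for codec, salt in salt_bytes_by_codec(salt_text).items()}


def codecs_agree(password: str, salt_text: str) -> bool:
    """True when the choice of salt encoding does not change the derived key."""
    keys = derive_by_codec(password, salt_text)
    return keys["utf-8"] == keys["latin-1"]


def str_salt_rejected(password: str, salt_text: str) -> bool:
    """hashlib.scrypt refuses a str salt outright instead of silently re-encoding it."""
    try:
        hashlib.scrypt(password.encode("utf-8"), salt=salt_text,
                       n=N, r=R, p=P, dklen=DKLEN)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for codec, key in derive_by_codec(PASSWORD, SALT_TEXT).items():
        print(f"non-ASCII salt, {codec:8s}: {key}")
    print("ASCII salt codec-independent:    ", codecs_agree(PASSWORD, ASCII_SALT_TEXT))
    print("non-ASCII salt codec-independent:", codecs_agree(PASSWORD, SALT_TEXT))
    print("str salt rejected by hashlib:    ", str_salt_rejected(PASSWORD, SALT_TEXT))
```

When writing or checking test vectors, state the salt as a hex byte string (or fix the codec, normally UTF-8) so that an implementation in any language derives the same bytes; an implementation that accepts a text salt and encodes it with the platform default will silently diverge exactly on the non-ASCII cases.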
