Re: [Cfrg] Balanced PAKEs: new paper on SPAKE2

Watson Ladd <watsonbladd@gmail.com> Fri, 25 October 2019 15:53 UTC

References: <7A98E9E0-52B9-48E4-A160-3532E42DCD60@inria.fr>
In-Reply-To: <7A98E9E0-52B9-48E4-A160-3532E42DCD60@inria.fr>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 25 Oct 2019 08:53:07 -0700
Message-ID: <CACsn0cmTcz_hqB0Dx_F1Bj6Fb9k1qgWU-r+LQAeoqfT4W=iCgA@mail.gmail.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Cc: CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/05JabT3IuP5SAay4qM0FbVk6Kq8>
Subject: Re: [Cfrg] Balanced PAKEs: new paper on SPAKE2

On Fri, Oct 25, 2019, 3:03 AM Karthik Bhargavan <
karthikeyan.bhargavan@inria.fr> wrote:

> Hello All,
>
> Michel Abdalla and Manuel Barbosa have just published a new paper on the
> perfect forward security of SPAKE2: https://eprint.iacr.org/2019/1194
>
> They say:
> "In this version, we tried to address some of the issues that were raised
> in the CFRG mailing list and during our meeting.
>
> In particular, the proof handles explicitly the case M=N. The cases where
> M and N are chosen as the output of a random oracle also follow from the
> proof. This means for instance that M and N could be set to the hash of two
> fixed points (or one point when M=N) or set as a function of the client and
> server, such as M=H(C,S) (where H is a hash-to-group function).
>
> The goal of the paper was not to compare it with the other submissions. It
> was simply to improve the security analysis of SPAKE2 and its possible
> variants"
>
> With these new results in mind, I would recommend that the SPAKE2 draft
> use a connection-specific M=N=H(C,S,...) generated using hash-to-curve.
> This will make the precomputation attack on SPAKE2 less worrisome.
>

I'll add both of these as options and the higher level protocol will
specify which one to use. Will take some talking because SPAKE2 is
integrated into Kerberos and this might present some issues if we remove
the pregeneration.

Probably one can throw in a nonce as well.


> Best regards,
> Karthik
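The change discussed in this thread, a connection-specific blinding point M = N = H(C, S, ...) with an optional nonce, as an added toy implementation. This is example code written for this page, not code from the post, the SPAKE2 draft, or the Abdalla-Barbosa paper. Its assumptions are all invented here: a prime-order subgroup modulo a ~62-bit safe prime stands in for the elliptic-curve group and is far too small for real use; "hash-to-group" is SHA-256 reduced mod p and squared (cofactor clearing), which gives an element of the order-q subgroup whose discrete log nobody knows; the password is mapped to a scalar with plain SHA-256 instead of a memory-hard KDF; and the names (`Party`, `derive_blinding_point`, `spake2_exchange`) are made up. The point it makes visible is that M is bound to the (C, S) pair and, when a nonce is supplied, to the session, so nothing computed for one identity pair carries over to another, while both sides still derive the same key only when their passwords agree.

```python
"""Toy SPAKE2-style exchange with a connection-specific blinding point M = N = H(C, S, nonce).

Added example, not from the CFRG post, the SPAKE2 draft or the Abdalla-Barbosa
paper. Group, hash-to-group construction and names are assumptions (see lead-in).
"""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, i.e. for our 64-bit search."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int):
    """First safe prime p = 2q + 1 with q >= start; g = 4 is a square mod p, so it has order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group(1 << 61)  # toy parameters, generated deterministically; NOT secure


def _enc(v) -> bytes:
    """Length-prefixed encoding for hash inputs (bytes or non-negative int)."""
    b = v if isinstance(v, bytes) else v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return len(b).to_bytes(2, "big") + b


def hash_to_group(*parts: bytes) -> int:
    """Map identities (and an optional nonce) to an element of the order-q subgroup."""
    data = b"".join(_enc(x) for x in parts)
    for counter in range(256):
        h = hashlib.sha256(b"toy-spake2-M" + bytes([counter]) + data).digest()
        m = pow(int.from_bytes(h, "big") % P, 2, P)  # squaring clears the cofactor 2
        if m not in (0, 1):
            return m
    raise RuntimeError("hash_to_group failed")  # each attempt fails with probability ~2^-60


def derive_blinding_point(client_id: bytes, server_id: bytes, nonce: bytes = b"") -> int:
    """M = N = H(C, S, nonce): specific to this client/server pair (and session, if a nonce is given)."""
    return hash_to_group(client_id, server_id, nonce)


def password_scalar(password: bytes) -> int:
    """Toy password-to-scalar map (a real deployment would use a memory-hard KDF here)."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q


class Party:
    """One side of the exchange; role is "client" or "server"."""

    def __init__(self, role, ident, peer, password, nonce=b""):
        self.role = role
        self.client_id, self.server_id = (ident, peer) if role == "client" else (peer, ident)
        self.w = password_scalar(password)
        self.M = derive_blinding_point(self.client_id, self.server_id, nonce)
        self.x = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.x, P) * pow(self.M, self.w, P) % P  # X = g^x * M^w

    def shared_key(self, peer_pub: int) -> bytes:
        # reject elements outside the prime-order subgroup (identity, order-2 element, garbage)
        if not (1 < peer_pub < P) or pow(peer_pub, Q, P) != 1:
            raise ValueError("peer element is not in the prime-order subgroup")
        unblinded = peer_pub * pow(self.M, (Q - self.w) % Q, P) % P  # Y / M^w
        K = pow(unblinded, self.x, P)                                  # g^(xy) iff passwords agree
        X, Y = (self.pub, peer_pub) if self.role == "client" else (peer_pub, self.pub)
        transcript = b"".join(_enc(v) for v in (self.client_id, self.server_id, X, Y, K, self.w))
        return hashlib.sha256(transcript).digest()


def spake2_exchange(client_pw, server_pw, client_id=b"alice", server_id=b"example-server", nonce=b""):
    """Run one exchange and return (client_key, server_key)."""
    client = Party("client", client_id, server_id, client_pw, nonce)
    server = Party("server", server_id, client_id, server_pw, nonce)
    return client.shared_key(server.pub), server.shared_key(client.pub)


if __name__ == "__main__":
    ok = spake2_exchange(b"correct horse", b"correct horse")
    bad = spake2_exchange(b"correct horse", b"wrong horse")
    print("matching passwords agree:", ok[0] == ok[1])
    print("mismatched passwords agree:", bad[0] == bad[1])
    print("M differs per peer:", derive_blinding_point(b"alice", b"a") != derive_blinding_point(b"alice", b"b"))
```

Swapping in a real hash-to-curve function and an elliptic-curve group would leave the structure unchanged: only `derive_blinding_point`, the group operations and the password KDF need to change, and the subgroup check in `shared_key` becomes the usual point validation.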