Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-02.txt

SeongHan Shin <seonghan.shin@aist.go.jp> Fri, 08 August 2014 06:01 UTC

Return-Path: <seonghan.shin@aist.go.jp>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA1B61A02DF for <cfrg@ietfa.amsl.com>; Thu, 7 Aug 2014 23:01:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.678
X-Spam-Level:
X-Spam-Status: No, score=-3.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cma8gn747WQO for <cfrg@ietfa.amsl.com>; Thu, 7 Aug 2014 23:01:16 -0700 (PDT)
Received: from na3sys010aog106.obsmtp.com (na3sys010aog106.obsmtp.com [74.125.245.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 993AE1A02DD for <cfrg@ietf.org>; Thu, 7 Aug 2014 23:01:15 -0700 (PDT)
Received: from mail-lb0-f179.google.com ([209.85.217.179]) (using TLSv1) by na3sys010aob106.postini.com ([74.125.244.12]) with SMTP ID DSNKU+RnqpgbvjNxBMbZBWUEH4HmDmz1KCRS@postini.com; Thu, 07 Aug 2014 23:01:15 PDT
Received: by mail-lb0-f179.google.com with SMTP id v6so3379801lbi.24 for <cfrg@ietf.org>; Thu, 07 Aug 2014 23:01:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aist.go.jp; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=c5iFhRKqh6xenuGnjZuVKRr+205/uAnOSQ9ZFGmYLeQ=; b=f0IHfhHPCckQqzCWCAR1lnlFwlrC7cA5bVskOmL+wgOYuSZWqSnbsMrC7X8Y6K+DP3 OZhTiv85bGClypsZDeEY13RxIfQfzV4b++Plwm8CPId8SAmecTLRmXtkKnUwQkOa7wmd 5z1Abj57z1w+M1aVFIPJttj7cAhQuJp+B0RfE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=c5iFhRKqh6xenuGnjZuVKRr+205/uAnOSQ9ZFGmYLeQ=; b=HVABLIidfhM2rEfETlUaSuMEoPmerwBiFQFCcDZw8308m5H8PR2QX9siNsRDaQpktw XpQiajSw6kQYYi2HVOoaCiICMpyXIT52fgx2R1YO0XwegWK1/KoXchwGsGY8jrbNSHYD YAF7My4oT3xGimWrLYxBBqsvjJpPMvVpj3bWiGmd8sxNU7PLjliqWep5HoPDgkABv+rq h9tQkDGclDa+N2uFwMoX8zSCVUfy5q5L1vflHaG7na8eLe0aAwc6qrlBFmnevMoS+z5k 4NH/2jgfGHBsCalfP8gQnAJS8ol8t7/H30pNEydh0FEwsghl1aEtMDOcz2L+jgA/MODi meSA==
X-Gm-Message-State: ALoCoQm7RUuEtvzJAC/VnPD3W88I8C1K1E5plou52V6wgpL/mI6H63/qP7nGIs87cK8R81M4ZsaG/tb6i1Bsy7RwrnE3acerJN4q0tm4hVW9f1Q17NrMuAYyUm21e1w9bbNyWS/IfIa1
X-Received: by 10.112.72.3 with SMTP id z3mr19081032lbu.30.1407477673641; Thu, 07 Aug 2014 23:01:13 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.112.72.3 with SMTP id z3mr19081021lbu.30.1407477673516; Thu, 07 Aug 2014 23:01:13 -0700 (PDT)
Received: by 10.112.3.169 with HTTP; Thu, 7 Aug 2014 23:01:13 -0700 (PDT)
In-Reply-To: <20140806151649.GA20212@LK-Perkele-VII>
References: <20140806141208.29148.79482.idtracker@ietfa.amsl.com> <20140806151649.GA20212@LK-Perkele-VII>
Date: Fri, 8 Aug 2014 15:01:13 +0900
Message-ID: <CAEKgtqms2E+L_5ZGp2YG27-LUSe7XwjbB9u5YF-iSAuw3PVbbw@mail.gmail.com>
From: SeongHan Shin <seonghan.shin@aist.go.jp>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary=001a11c34140c27a7d050017ee29
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/5uV3W3uhvT24cjVY28vbdnA9rM4
Cc: =?UTF-8?B?5Y+k5Y6f5ZKM6YKm?= <k-kobara@aist.go.jp>, cfrg@ietf.org
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-augpake-02.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Aug 2014 06:01:18 -0000

Dear Ilari,

Thank you for your comments!

>"If the received X from user U is not a point on E or [2^n] * X = 0_E,"
>Should this be:
>If the received X from user U is not a point on E or [k] * X = 0_E,
>Similarly, there is:
>"If the received Y from server S is not a point on E or [2^n] * Y = 0_E,"
>Should this be:
>"If the received Y from server S is not a point on E or [k] * Y = 0_E,"
>
>Rationale:
>k is the cofactor, which may be ("optionally") power of two, it may
>not be 2^n.

In Appendix C, we set k = 2^n * q_1 * q_2 ...  q_t where n = {0,1,2} and
every primes q_i > q for i = 1, 2, ..., t (or optionally k = 2^n).
With this cofactor k, checking [2^n] * X =/ 0_E and [2^n] * Y =/ 0_E is
enough to exclude elements whose
group order is smaller than q. Now, X and Y are elements whose group order
is q or greater than q.

Of course, if k = 2^n * M where M is a composite integer whose factors are
< q,
the check should be [k] * X =/ 0_E and [k] * Y =/ 0_E as you recommended.


>Also:
>"The cofactor k is the value (#E / q) satisfying k = 2^n * q_1 * q_2
>...  q_t where n = {0,1,2} and every primes q_i > q for i = 1, 2,
>..., t."
>
>q_i are bigger than q? Isn't q usually chosen to be the biggest prime
>factor of #E?
As above, by using this cofactor k (or k = 2^n)
one can avoid the order check of elements received from the other party.


>Also, for some curves one might want to use (due to good performance
>and security), k=8.
I'll add this to the I-D.


Best regards,
Shin


On Thu, Aug 7, 2014 at 12:16 AM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi> wrote:

> On Wed, Aug 06, 2014 at 07:12:08AM -0700, internet-drafts@ietf.org wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >  This draft is a work item of the Crypto Forum Research Group Working
> Group of the IETF.
> >
> >         Title           : Augmented Password-Authenticated Key Exchange
> (AugPAKE)
> >         Authors         : SeongHan Shin
> >                           Kazukuni Kobara
> >       Filename        : draft-irtf-cfrg-augpake-02.txt
> >       Pages           : 20
> >       Date            : 2014-08-06
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-irtf-cfrg-augpake-02
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-augpake-02
>
> Did a quick read of changes:
>
> Appendix C:
>
> "If the received X from user U is not a point on E or [2^n] * X = 0_E,"
>
> Should this be:
>
> If the received X from user U is not a point on E or [k] * X = 0_E,
>
> Similarly, there is:
>
> "If the received Y from server S is not a point on E or [2^n] * Y = 0_E,"
>
> Should this be:
>
> "If the received Y from server S is not a point on E or [k] * Y = 0_E,"
>
>
> Rationale:
>
> k is the cofactor, which may be ("optionally") power of two, it may
> not be 2^n.
>
>
> Also:
>
> "The cofactor k is the value (#E / q) satisfying k = 2^n * q_1 * q_2
> ...  q_t where n = {0,1,2} and every primes q_i > q for i = 1, 2,
> ..., t."
>
> q_i are bigger than q? Isn't q usually chosen to be the biggest prime
> factor of #E?
>
> Also, for some curves one might want to use (due to good performance
> and security), k=8.
>
>
>
> -Ilari
>



-- 
------------------------------------------------------------------
SeongHan Shin
Research Institute for Secure Systems (RISEC),
National Institute of Advanced Industrial Science and Technology (AIST),
Central 2, 1-1-1, Umezono, Tsukuba City, Ibaraki 305-8568 Japan
Tel : +81-29-861-2670/5284
Fax : +81-29-861-5285
E-mail : seonghan.shin@aist.go.jp
------------------------------------------------------------------