Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt

Greg Hudson <ghudson@mit.edu> Sun, 02 December 2018 17:06 UTC

To: Nico Williams <nico@cryptonector.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
References: <153434759643.14400.9943392813751876897@ietfa.amsl.com> <20180815154402.GP40887@kduck.kaduk.org> <20181201211038.GA15561@localhost> <c0799f2c-8079-c066-9a19-c9640f00c93e@mit.edu> <20181201233630.GB15561@localhost>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <1a71a4a5-65a5-7504-f0a4-403d7e46629b@mit.edu>
Date: Sun, 02 Dec 2018 12:06:40 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/6_Zh_RI6rhtV0p7Rhw8A3NonhFk>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt

On 12/01/2018 06:36 PM, Nico Williams wrote:
>> I know that in discussions of PAKE algorithms for Kerberos, we wanted to
>> avoid requiring hash-to-curve if possible.  From what I can find online, if
>> you use SPEKE with curve25519 and simply hash to the x coordinate, you leak
>> one bit of the hashed password, which isn't necessarily a huge problem but
>> isn't an attractive property.
> 
> Can you explain this a bit more, that is, how hash-to-curve leaks a bit?

I was looking at https://crypto.stackexchange.com/questions/51888/an-efficient-speke-protocol-with-curve25519 which notes that if you just hash to an x coordinate, an observer can see whether the chosen x coordinate is on the curve or the twist.  Of course using a proper hash-to-curve algorithm such as elligator2 avoids this problem.

> A leak of one bit per-exchange is absolutely disastrous if it means that
> with each exchange an eavesdropper can eliminate half the passwords in
> their dictionary, as then observing N exchanges lets you eliminate all
> but 2^-N of passwords in your dictionary.

It's the same bit every time.  It would let an attacker filter out half of a password dictionary offline before conducting an online attack, perhaps.
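The curve-or-twist bit discussed above, worked through in code as an added illustration (not code from the thread or from the SPAKE2 draft). It assumes SHA-256 as the password-to-field-element hash, which the thread does not specify, and uses a constructed candidate list; it shows that the naive "hash to an x coordinate" mapping yields a bit that is a fixed function of the password and so partitions a dictionary, while an Elligator 2 mapping always lands on the curve itself.

```python
import hashlib

# curve25519 in Montgomery form v^2 = u^3 + A*u^2 + u over GF(p).
# An x-coordinate u is on the curve iff the right-hand side is a square in GF(p);
# otherwise it is the x-coordinate of a point on the quadratic twist.
P = 2**255 - 19
A = 486662

def is_square(n):
    """Euler's criterion; 0 counts as a square (points of order 2)."""
    return pow(n % P, (P - 1) // 2, P) in (0, 1)

def rhs(u):
    return (u * u * u + A * u * u + u) % P

def on_curve(u):
    """True if u is on curve25519, False if it is on the twist."""
    return is_square(rhs(u))

def naive_hash_to_x(password):
    """The 'just hash to an x coordinate' generator (SHA-256 is an assumption)."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "little") % P

def leaked_bit(password):
    """The bit an observer of a SPEKE exchange can compute from the generator."""
    return int(on_curve(naive_hash_to_x(password)))

def partition_dictionary(candidates):
    """The bit is the same in every exchange, so one observation lets the
    observer discard the half of the dictionary with the other value."""
    groups = {0: [], 1: []}
    for pw in candidates:
        groups[leaked_bit(pw)].append(pw)
    return groups

def elligator2(r):
    """Elligator 2 map to curve25519 with non-square constant 2: for every r
    in GF(p) exactly one of v and -v-A is on the curve, so the output never
    lands on the twist and the bit above is not available."""
    r %= P
    v = (-A * pow((1 + 2 * r * r) % P, P - 2, P)) % P
    return v if is_square(rhs(v)) else (-v - A) % P

def hash_to_curve(password):
    digest = hashlib.sha256(password.encode()).digest()
    return elligator2(int.from_bytes(digest, "little") & ((1 << 254) - 1))

# Constructed sample dictionary for the demonstration.
CANDIDATES = [f"password{i}" for i in range(64)]
```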