[Cfrg] small editorial error in and question on draft-irtf-cfrg-dragonfly-01 (was: Re: CFRG meeting at IETF 87)

Rene Struik <rstruik.ext@gmail.com> Fri, 26 July 2013 23:05 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38B8C11E8162 for <cfrg@ietfa.amsl.com>; Fri, 26 Jul 2013 16:05:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, SARE_SUB_RAND_LETTRS4=0.799]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c7hnliSgO7Ce for <cfrg@ietfa.amsl.com>; Fri, 26 Jul 2013 16:05:41 -0700 (PDT)
Received: from mail-qa0-x231.google.com (mail-qa0-x231.google.com [IPv6:2607:f8b0:400d:c00::231]) by ietfa.amsl.com (Postfix) with ESMTP id 6942E21F9B03 for <cfrg@irtf.org>; Fri, 26 Jul 2013 16:05:41 -0700 (PDT)
Received: by mail-qa0-f49.google.com with SMTP id cr7so693575qab.1 for <cfrg@irtf.org>; Fri, 26 Jul 2013 16:05:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=mB7cbkyei1hwEsHIC/Os0bwOe9Sm0GzrMSjvMJcwzgQ=; b=aZ5nbqDvLdPDBoOGUdk4AKe2/999C5UEH7JGLCSKHxuyLcPAsSFNbEFCCC4xOOLYVo XN8bZg0qE/H6UvfYlhm4JEJRYSVNzHEFyI3RfAWMMxvK4DKl1ULN58NhiVBZayhZtAIY wGtehNJae3rSqseiZpGkmhvFcvX0u/5ggJ0davczQFJS8GHGXcjWYNzL7vCSi/yqjj/a +UT1aecTkpgf36pLxusX49/BD6/LplDDybDmKNCsN9D4/ufVl95hAKiM7lenNtws+TXo eDKPowFXFFlFmLf601Cc+xWKoIUPDb9tdSn+sZW+KlSsj1dRshgQqBlWT6ru3JAWoOT0 oiYQ==
X-Received: by 10.229.92.196 with SMTP id s4mr13355018qcm.5.1374879939889; Fri, 26 Jul 2013 16:05:39 -0700 (PDT)
Received: from [192.168.1.101] (CPE0013100e2c51-CM001cea35caa6.cpe.net.cable.rogers.com. [99.231.4.27]) by mx.google.com with ESMTPSA id w2sm60066224qec.8.2013.07.26.16.05.37 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 26 Jul 2013 16:05:38 -0700 (PDT)
Message-ID: <51F300BF.3090907@gmail.com>
Date: Fri, 26 Jul 2013 19:05:35 -0400
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Dan Harkins <dharkins@arubanetworks.com>
References: <1374875408.7839.627.camel@darkstar>
In-Reply-To: <1374875408.7839.627.camel@darkstar>
Content-Type: multipart/alternative; boundary="------------000802030706070702060207"
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] small editorial error in and question on draft-irtf-cfrg-dragonfly-01 (was: Re: CFRG meeting at IETF 87)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jul 2013 23:05:42 -0000

Hi Dan:

I just quickly revisited the "password to point" mapping for elliptic 
curves in draft-irtf-cfrg-dragonfly-01 (Section 3.2.1) and noticed a 
small error: the seed is recursively defined. Fortunately, this is easy 
to fix, as follows:

was:

    base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)
    seed = KDF-n(seed, "Dragonfly Hunting And Pecking")

suggested change:

    base = H(max(Alice,Bob) | min(Alice,Bob) | password | counter)
    seed = KDF-n(base, "Dragonfly Hunting And Pecking")

On a more general note, with the draft rev1 version, the found point Q 
is a function of the password itself and the presumed key sharing 
parties Alice and Bob. In other words, the password-derived generator of 
the curve "PE Element" is fixed throughout the lifetime of the pair 
(password, key sharing parties). With draft-harkins-tls-pwd-03, a 
similar procedure is proposed, but there a "salt" is mixed in as well. 
Just curious: why the difference? 
<http://tools.ietf.org/pdf/draft-harkins-tls-pwd-03.pdf>

Best regards, Rene



On 7/26/2013 5:50 PM, David McGrew wrote:
> Hi,
>
> here is the agenda for our upcoming meeting; we are looking forward to
> seeing you there.
>
> David and Kevin
>
> ---
>
> Crypto Forum Research Group at IETF 87
> Monday, July 29, 2013
> 1510-1610  Afternoon Session II
> Room: Tiergarten 1/2
>
> Agenda Bashing
>
> Randomized Hashing (as described in NIST SP-800-106/107) - Quynh Dang
>
> Updates on active drafts
>
>   - OCB Mode of Operation, draft-irtf-cfrg-ocb-03
>
>   - Dragonfly Key Exchange, draft-irtf-cfrg-dragonfly-01
>
>   - Hash-Based Signatures, draft-mcgrew-hash-sigs-00
>
> "Selection of Future Cryptographic Standards", Sheffer, Grieco, McGrew.
> draft-mcgrew-standby-cipher-00
>
> Discussion on other crypto work
>    Salsa20
>    DTLS In Constrained Environments (DICE)
>    CAESER
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 690-7363