Re: [Cfrg] Removing the magic constants from SPAKE2

Watson Ladd <> Thu, 09 January 2014 02:24 UTC

Date: Wed, 08 Jan 2014 18:23:47 -0800
Message-ID: <>
From: Watson Ladd <>
To: Michael Hamburg <>

On Wed, Jan 8, 2014 at 3:19 PM, Michael Hamburg <> wrote:
> Hello CFRG,

> However, the protocol is considered problematic (and is out of favor with CFRG) in large part because of the magic curve points M,N.  The discrete logs of these points would be a backdoor in SPAKE2, so care must be taken to ensure that M,N are generated at random.
> However, there's another way to do SPAKE2, which doesn't need magic curve points. Instead, M^hash(password) and N^hash(password) can be replaced with Elligator(hash("M to the", password)) and Elligator(hash("N to the", password)). This obviously achieves the same bounds in the ROM.

But it unfortunately falls apart in the standard model, because I can
cook the hash. The obvious choice for original SPAKE2 is the M and N
with smallest x or y coordinates that are on the curve besides the
generator. I don't think M&N are the issue here.

Basically, I think derandomization is better than SHA3 being like a
random oracle in all the ways that matter as an assumption.

> Cheers,
> — Mike Hamburg

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
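The two SPAKE2 shapes discussed in this thread, side by side, as an added example that is not code from the thread or from either author: the "classic" form with fixed blinding elements M, N raised to hash(password), and the "hashed" form where the password is mapped straight into the group (the Elligator(hash("M to the", password)) idea above). To stay self-contained it uses a 64-bit safe-prime subgroup of Z_p^* instead of an elliptic curve; in that group "hash into the subgroup" is just squaring, which is the step Elligator provides on a curve. The group seed, the labels "SPAKE2 M"/"SPAKE2 N", the transcript layout and the key derivation are all assumptions of this example. M and N are derived from public labels so that anyone can regenerate and audit them, which is the derandomised choice argued for in the reply.

```python
"""SPAKE2 over a toy safe-prime group: 'classic' (fixed M, N) and 'hashed'
(password mapped into the group). Added example; parameters are assumptions."""
import hashlib
import secrets

# Miller-Rabin with these fixed bases is deterministic for n < 3.3e24.
SMALL_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in SMALL_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(seed: bytes):
    """Deterministically find p = 2q + 1 with p and q prime, p 64 bits wide."""
    q = int.from_bytes(hashlib.sha256(seed).digest()[:8], "big")
    q = (q | (1 << 62) | 1) & ((1 << 63) - 1)  # odd 63-bit start, so p is 64 bits
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(b"SPAKE2 demo group (constructed seed)")
G = pow(2, 2, P)                     # a square, hence of order Q
L = (P.bit_length() + 7) // 8        # byte length for transcript encoding


def hash_to_group(label: bytes, data: bytes) -> int:
    """Map label||data into the order-Q subgroup: hash, reduce, square.
    Squaring lands in the quadratic residues, which is exactly that subgroup.
    This is the role Elligator plays on an elliptic curve."""
    ctr = 0
    while True:
        h = hashlib.sha256(label + b"|" + data + b"|" + ctr.to_bytes(4, "big")).digest()
        e = pow(int.from_bytes(h, "big") % P, 2, P)
        if e not in (0, 1):          # never return the identity
            return e
        ctr += 1


# Classic SPAKE2 constants, regenerable from public labels (labels are assumed here).
M = hash_to_group(b"SPAKE2 M (constructed label)", b"")
N = hash_to_group(b"SPAKE2 N (constructed label)", b"")


def password_scalar(pw: bytes) -> int:
    """w = H(password) mod Q, the exponent on M and N in classic SPAKE2."""
    return int.from_bytes(hashlib.sha256(b"pw|" + pw).digest(), "big") % Q


def blinding(variant: str, side: str, pw: bytes) -> int:
    """Password-dependent group element folded into a party's public value."""
    if variant == "classic":
        return pow(M if side == "A" else N, password_scalar(pw), P)
    if variant == "hashed":          # Elligator(hash("M to the", pw)) analogue
        return hash_to_group(b"M to the" if side == "A" else b"N to the", pw)
    raise ValueError(variant)


def derive_key(X: int, Y: int, K: int, pw: bytes) -> bytes:
    t = b"|".join(v.to_bytes(L, "big") for v in (X, Y, K)) + b"|" + pw
    return hashlib.sha256(b"SPAKE2 key|" + t).digest()


def spake2(variant: str, pw_a: bytes, pw_b: bytes):
    """One run: A holds pw_a, B holds pw_b. Returns (key_A, key_B)."""
    x = secrets.randbelow(Q - 1) + 1
    y = secrets.randbelow(Q - 1) + 1
    # Each side sends g^secret multiplied by its password blinding.
    X = pow(G, x, P) * blinding(variant, "A", pw_a) % P
    Y = pow(G, y, P) * blinding(variant, "B", pw_b) % P
    # Each side strips the peer's blinding with its *own* password; the shared
    # value is g^xy only when both passwords agree.
    K_a = pow(Y * pow(blinding(variant, "B", pw_a), P - 2, P) % P, x, P)
    K_b = pow(X * pow(blinding(variant, "A", pw_b), P - 2, P) % P, y, P)
    return derive_key(X, Y, K_a, pw_a), derive_key(X, Y, K_b, pw_b)


if __name__ == "__main__":
    for variant in ("classic", "hashed"):
        ka, kb = spake2(variant, b"correct horse", b"correct horse")
        ka2, kb2 = spake2(variant, b"correct horse", b"wrong guess")
        print(variant, "match:", ka == kb, "mismatch differs:", ka2 != kb2)
```

The point the thread makes shows up in the code structure: in the classic variant the only long-lived secrets worth protecting are the discrete logs of M and N, so their derivation from a public label is what an auditor should re-run and compare; in the hashed variant there is no fixed element to audit at all, but the security argument now leans on the hash behaving like a random oracle.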