Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-04.txt

Greg Hudson <> Fri, 20 October 2017 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D0B61342E8 for <>; Fri, 20 Oct 2017 10:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.219
X-Spam-Status: No, score=-4.219 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id YvY71_H2MBL9 for <>; Fri, 20 Oct 2017 10:10:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D18541342E3 for <>; Fri, 20 Oct 2017 10:10:16 -0700 (PDT)
X-AuditID: 1209190e-05fff70000001112-db-59ea2df7282d
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id D4.59.04370.7FD2AE95; Fri, 20 Oct 2017 13:10:15 -0400 (EDT)
Received: from (OUTGOING-AUTH-1.MIT.EDU []) by (8.13.8/8.9.2) with ESMTP id v9KHAEc3017708; Fri, 20 Oct 2017 13:10:15 -0400
Received: from [] (VPN-18-101-8-86.MIT.EDU []) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id v9KHACKD013867 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 20 Oct 2017 13:10:13 -0400
To: Benjamin Kaduk <>,
References: <> <>
From: Greg Hudson <>
Message-ID: <>
Date: Fri, 20 Oct 2017 13:10:12 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrKIsWRmVeSWpSXmKPExsUixCmqrPtd91WkQUe7kcXRXW0sDoweS5b8 ZApgjOKySUnNySxLLdK3S+DKOPQ7oOCRUMXsrnXMDYzf+boYOTkkBEwkuldeZ+li5OIQEljM JNH8sZEZwtnIKHF4cRNU5hCTxMGPkxhBWoQFbCXe7XzADGKLCBhKXPrdygZiCwnkScyf9Qws ziagLLF+/1agZg4OXgEriY3T3EHCLAKqEj/WXwErERWIkHjYuYsdxOYVEJQ4OfMJC4jNKWAq ceD2FLAaZgE9iR3Xf7FC2PIS29/OYZ7AyD8LScssJGWzkJQtYGRexSibklulm5uYmVOcmqxb nJyYl5dapGusl5tZopeaUrqJERx6knw7GCc1eB9iFOBgVOLhrRB7FSnEmlhWXJl7iFGSg0lJ lDew8mWkEF9SfkplRmJxRnxRaU5q8SFGCQ5mJRHeHWpA5bwpiZVVqUX5MClpDhYlcd5tQbsi hQTSE0tSs1NTC1KLYLIyHBxKEryPdIAaBYtS01Mr0jJzShDSTBycIMN5gIbPAqnhLS5IzC3O TIfIn2JUlBLnfQ2SEABJZJTmwfWCU0MqR9grRnGgV4R5GYGJQogHmFbgul8BDWYCGsxu/wJk cEkiQkqqgXHJ9/lPOO/fP8pV1/BiT9eiZ8/dKg6IvnG0MZfZcHf2Sds8iQNVDBPeZQq5Xy8y /dsX/XP19CvnT36Z0JRyZU7BKs81UnmuL2+Euxp/Si8vey8WslH73YTpwubK/Ut2rP1ttrd3 yf3Tx06JR5b4aj9apbu+0+DtTpHEfWZXV+hZ/3E+NMHf8MEZJZbijERDLeai4kQAlrrgEegC AAA=
Archived-At: <>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-04.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Oct 2017 17:10:18 -0000

On 10/17/2017 07:18 AM, Benjamin Kaduk wrote:
> This version is intended to have minimal changes from the -03, and was
> intended to un-expire the draft and add me as editor to effect that change.
> I want this draft to advance so that it can be used as a reference by
> draft-ietf-kitten-krb-spake-preauth.
> There is some reformatting due to having to rewrite the source into XML,
> and I took advantage of that opportunity to un-wrap the python snippet.

Thanks.  I found my old feedback on this draft in and
this update resolves one of those issues (the misformatted Python code).

I do not know how to resolve the problem that SPAKE2+ doesn't use w0 or
w1 in the transcript hash, and therefore more closely resembles SPAKE1
than SPAKE2.  I suggest the following edits for the other issues:

* In section 2.2, remove the spaces around the || operators starting
after K.

* In section 2.3, replaces "here Bob" with "here B".

* In the Python code, replace "ec.canon_pointstr" with "canon_pointstr".

* Replace the introductory text of section 3 with:

  Every curve presented in the table below has an OID from [RFC5480].
  We construct a string using the OID and the needed constant, for
  instance " point generation seed (M)" for P-512.  This
  string is turned into a series of blocks by hashing with SHA256, and
  hashing that output again to generate the next 32 bytes, and so on.
  This pattern is repeated for each group and value, with the string
  modified appropriately.

  A byte string of length equal to that of an encoded group element is
  constructed by concatenating as many blocks as are required,
  starting from the first block, and truncating to the desired length.
  The byte string is then formatted as required for the group.  In the
  case of Weierstrass curves, this means setting the first byte to
  0x02 or 0x03 depending on the low-order bit.  For Ed25519 style
  formats this means taking all the bytes as the representation of the
  group element.  The byte string is then interpreted as an element in
  the group.  If this interpretation yields a valid group element with
  the correct order (p), the byte string is the output.  Otherwise,
  the initial hash block is discarded and the process is repeated
  until a valid element is found.