[Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 20 November 2019 07:43 UTC

From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 20 Nov 2019 10:43:26 +0300
To: CFRG <cfrg@irtf.org>
Message-ID: <CAMr0u6m+r5-2qp9qHTdAiy1i0RN9gonpqXPkv5zFiAFsppEnbA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/9fs7SsM_Uf2KDUlMKACbHkgYhFw>

Dear CFRG,

I've just sent two questions to be considered to be added to the Round 2
questions list, including: "Can you propose a modification of SPAKE2
(preserving all existing good properties of SPAKE2) with a correspondingly
updated security proof, addressing the issue of a single discrete log
relationship necessary for the security of all sessions (e.g., solution
based on using M=hash2curve(A|B), N=hash2curve(B|A))?"

We've had a discussion with Dan Harkins about possible improvements of
SPAKE2 (many thanks to him for such a fruitful discussion!): it seems that
the only major issue about SPAKE2 can be solved by using M=hash2curve(A|B),
N=hash2curve(B|A). It seems that there can't be any additional
side-channel issues (like those that occurred in Dragonfly), since the proposed
modification needs only calculations based on publicly available
information.

Of course, such a modification requires additional security analysis of
SPAKE2, modified accordingly.

Best regards,
Stanislav
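The two points the mail makes, that SPAKE2's security rests on nobody knowing the discrete logs of the fixed points M and N, and that deriving M and N by hashing the public identities removes that global trapdoor without introducing secret-dependent computation, can be seen concretely in a small implementation. The following is an added example, not code from the mail, from Dan Harkins, or from any CFRG SPAKE2 draft. It runs SPAKE2 over secp256k1 in pure Python (affine arithmetic, toy quality only), derives M = hash2curve(A|B) and N = hash2curve(B|A) as proposed, and, for the fixed-constant variant, shows the offline dictionary attack that becomes possible once an attacker knows m = log_G M and n = log_G N: one reply from an honest B is enough to test every candidate password offline. The hash-to-curve map is a simple try-and-increment (not an RFC 9380 map), the transcript and key-confirmation layout are a simplification of the draft's, SHA-256 stands in for the memory-hard password function, and all identities, passwords and scalar values are constructed for the demonstration.

```python
"""SPAKE2 over secp256k1 with M, N derived from the peers' identities (toy)."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (standard constants; cofactor 1).
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (variable time: toy only)."""
    acc, k = None, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def encode(pt):
    """Uncompressed SEC1 point encoding (65 bytes)."""
    return b"\x04" + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_curve(msg):
    """Try-and-increment map (simplification, not RFC 9380).  Variable time,
    which is harmless here: its only inputs are the public identities."""
    ctr = 0
    while True:
        h = hashlib.sha256(b"SPAKE2-hash2curve" + msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)          # P = 3 mod 4: sqrt if one exists
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


def lp(b):
    """8-byte little-endian length prefix for transcript fields."""
    return len(b).to_bytes(8, "little") + b


def identity_points(id_a, id_b):
    """The mail's proposal: M = hash2curve(A|B), N = hash2curve(B|A)."""
    return hash_to_curve(lp(id_a) + lp(id_b)), hash_to_curve(lp(id_b) + lp(id_a))


def password_scalar(pw):
    """w = MHF(pw) mod Q; SHA-256 stands in for a memory-hard function."""
    return int.from_bytes(hashlib.sha256(pw).digest(), "big") % Q


def derive(id_a, id_b, X, Y, K, w):
    """Transcript hash -> (session key Ke, B's confirmation MAC over X)."""
    tt = (lp(id_a) + lp(id_b) + lp(encode(X)) + lp(encode(Y))
          + lp(encode(K)) + lp(w.to_bytes(32, "big")))
    digest = hashlib.sha256(tt).digest()
    ke, ka = digest[:16], digest[16:]
    kc_b = hmac.new(ka, b"ConfirmationKeyB", hashlib.sha256).digest()
    return ke, hmac.new(kc_b, encode(X), hashlib.sha256).digest()


def spake2(id_a, id_b, pw_a, pw_b, M=None, N=None):
    """Run both sides of SPAKE2.  Returns (Ke at A, Ke at B, A accepted B's MAC)."""
    if M is None:
        M, N = identity_points(id_a, id_b)
    w_a, w_b = password_scalar(pw_a), password_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    X = ec_add(ec_mul(x, G), ec_mul(w_a, M))                  # A -> B
    Y = ec_add(ec_mul(y, G), ec_mul(w_b, N))                  # B -> A
    K_a = ec_mul(x, ec_add(Y, ec_neg(ec_mul(w_a, N))))        # x * (Y - w*N)
    K_b = ec_mul(y, ec_add(X, ec_neg(ec_mul(w_b, M))))        # y * (X - w*M)
    ke_a, c_b_expected = derive(id_a, id_b, X, Y, K_a, w_a)
    ke_b, c_b = derive(id_a, id_b, X, Y, K_b, w_b)
    return ke_a, ke_b, hmac.compare_digest(c_b, c_b_expected)


def trapdoor_attack(id_a, id_b, m, n, dictionary, pw_b):
    """Fixed-constant SPAKE2 with M = m*G, N = n*G where the attacker knows m, n.
    Playing A with X = a*G, one reply (Y, MAC) from honest B suffices to test
    every guess offline: y*G = Y - w'*N and K = (a - w'*m) * y*G."""
    M, N = ec_mul(m, G), ec_mul(n, G)
    a = secrets.randbelow(Q - 1) + 1
    X = ec_mul(a, G)
    w_b, y = password_scalar(pw_b), secrets.randbelow(Q - 1) + 1   # honest B
    Y = ec_add(ec_mul(y, G), ec_mul(w_b, N))
    K_b = ec_mul(y, ec_add(X, ec_neg(ec_mul(w_b, M))))
    _, c_b = derive(id_a, id_b, X, Y, K_b, w_b)
    for guess in dictionary:                                        # attacker, offline
        w = password_scalar(guess)
        yG = ec_add(Y, ec_neg(ec_mul(w * n, G)))
        K = ec_mul(a - w * m, yG)
        if K is not None and hmac.compare_digest(derive(id_a, id_b, X, Y, K, w)[1], c_b):
            return guess
    return None


if __name__ == "__main__":
    print("identity-derived M,N, same password:", spake2(b"alice", b"bob", b"hunter2", b"hunter2")[2])
    print("trapdoor on fixed M,N recovers:", trapdoor_attack(
        b"alice", b"bob", 12345, 67890, [b"letmein", b"hunter2", b"password"], b"hunter2"))
```

With identity-derived points the attack function has nothing to call: no m or n exists for anyone to know, and a trapdoor that somehow turned up for one (A, B) pair would not carry over to any other pair, since each pair hashes to different M and N. Note also that the only non-constant-time step that depends on the proposal, the hash-to-curve loop, consumes identities that are sent in the clear anyway, which is the side-channel argument the mail makes; a deployment would still use an RFC 9380 map, constant-time scalar multiplication and a real memory-hard function for w.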