Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Wed, 20 November 2019 15:49 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CB481208F6 for <cfrg@ietfa.amsl.com>; Wed, 20 Nov 2019 07:49:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=P9FBLo+w; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=JZIioMZf
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jq_YnMGLK9cl for <cfrg@ietfa.amsl.com>; Wed, 20 Nov 2019 07:49:06 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 214DC1208F1 for <cfrg@irtf.org>; Wed, 20 Nov 2019 07:49:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9248; q=dns/txt; s=iport; t=1574264946; x=1575474546; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=3VN5sGJ4IIbE91ZU0KsohAvShsppAUzGzbjchwxz6KU=; b=P9FBLo+w6gU9ENxPW0D/P1Jrm7c7RCuZ3JFsBRgYN3UbJRIEI5rG8IWx qILKp2RSzAmLsKQmpukQpperS9i2qXiW20/CyKdNMeT89f8b+oc+NCRJ7 USNPH/S/xMPN96IIKSoNweE08Qxhx0BriI7wax9IruDjlam9/nqz/4xH8 4=;
IronPort-PHdr: 9a23:voWiHRXHrodZrgLkr0r+IVfhrizV8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSA9yJ8OpK3uzRta2oGXcN55qMqjgjSNRNTFdE7KdehAk8GIiAAEz/IuTtankhEsBfVEVo5VmwMFNeH4D1YFiB6nA=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CjBACGX9Vd/4MNJK1lHAEBAQEBBwEBEQEEBAEBgW0EAQELAYEbL1AFbFggBAsqhCqDRgOKa06CEJMehGKBQoEQA1QJAQEBDAEBLQIBAYRAAheCECQ3Bg4CAw0BAQQBAQECAQUEbYU3DIVRAQEBAQMSEQoTAQEwCA8CAQgRBAEBKwICAjAdCAIEARIIEweDAYF5TQMuAQKlLgKBOIhgdYEygn4BAQWFDBiCFwmBNgGMFRiBQD+BEUaCHi4+hA06gw4ygiyQFYVImFUKgiuVapoUjkiaDAIEAgQFAg4BAQWBaCOBWHAVO4JsUBEUhkYLGBWDO4pSAXSBKI1GAQE
X-IronPort-AV: E=Sophos;i="5.69,222,1571702400"; d="scan'208,217";a="377000534"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 Nov 2019 15:49:04 +0000
Received: from XCH-RCD-005.cisco.com (xch-rcd-005.cisco.com [173.37.102.15]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id xAKFn4Gu027488 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 20 Nov 2019 15:49:04 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-005.cisco.com (173.37.102.15) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 20 Nov 2019 09:49:04 -0600
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 20 Nov 2019 10:49:03 -0500
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Wed, 20 Nov 2019 09:49:02 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=I06FaaaAt2UK5cypaUeyEnx0bimJbBwCFnPaRj/q13su6+DnaMStuWiBA5RAJA3L4asgWv6YlbBh5OX9pPexz1kCDTILM4BW+bGBy7YFLVW6Ixnjg3Q4uFVkDAwMQKTP1iGUpdF5xzx3If0gSfRT4loV9F4uJani8kjTFVP+KMx9VdomKAJ/3iXH01JvJY7nHHNBqHU5g6fLjTojANbRYpp8i2P3ju8T9nMJeJ9UHUf9CtRKK9sME8Reiii/WrzZjnECyrEoakU7icrYKEh/qQ4tiuH9UMF8zqRj+sIcpXbMqJVhoszECNU/cFTGJcA4YcB2WleM22CK2NUUjJu9UA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3VN5sGJ4IIbE91ZU0KsohAvShsppAUzGzbjchwxz6KU=; b=fIJnqgk1ZqfzkF+gv3wUSdpO7ZVKGjGxvhO0335e5HIN5omUcAf3KkgUkLJ3QUauafMWBIKdbMcs7+Q4bJ94UH3kCx09UMwqbnoWIc1ohHVxSvxJXUa8LwE9pdu1aidh2H0p8CkGKxqb8InC/H77XSGFYkb6tCYcK+VoI2McVa4nGvryKSS47/+FAukR8ZoHmDUwUjwRizc/aiyEAdCUM8pgttz/sWOJJjujvB+Hu2IFSB+a/BPgtgO5UOPOISe7h1NUhyOY6JGxdkGkjueT8S0oGskYo+0R8kUrJENIczofPH0t2OQBLxrfyjXnhQiYQD5z8hiPNRpX3/sKhW7/Gg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3VN5sGJ4IIbE91ZU0KsohAvShsppAUzGzbjchwxz6KU=; b=JZIioMZfXQtJfjeI6qO+AZuCNBqJxo8L1jBeNQv4EYzDHtu/KmM5aZGcHxgnC6/V9mPs7Jgb7osysb75Wm3XIxrMibnHwUkDNtUf7mH3Q+jM5uVEbSzqYmFq332pk/fcQcW2wYnekUN8lHAD1NnSwToaHh5CpcGO7Hm5zZfV7y4=
Received: from BN8PR11MB3666.namprd11.prod.outlook.com (20.178.221.19) by BN8PR11MB3779.namprd11.prod.outlook.com (20.178.220.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Wed, 20 Nov 2019 15:49:01 +0000
Received: from BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::815c:974a:5eab:868b]) by BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::815c:974a:5eab:868b%7]) with mapi id 15.20.2474.015; Wed, 20 Nov 2019 15:49:01 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, CFRG <cfrg@irtf.org>
Thread-Topic: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)
Thread-Index: AQHVn3ZVfhggCoZ8tkywAwvOJGbF26eUNJYg
Date: Wed, 20 Nov 2019 15:49:01 +0000
Message-ID: <BN8PR11MB366617575416C330800604E3C14F0@BN8PR11MB3666.namprd11.prod.outlook.com>
References: <CAMr0u6m+r5-2qp9qHTdAiy1i0RN9gonpqXPkv5zFiAFsppEnbA@mail.gmail.com>
In-Reply-To: <CAMr0u6m+r5-2qp9qHTdAiy1i0RN9gonpqXPkv5zFiAFsppEnbA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [2001:420:c0c8:1005::641]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b4c09180-bf55-48c0-fd0b-08d76dd12a11
x-ms-traffictypediagnostic: BN8PR11MB3779:
x-microsoft-antispam-prvs: <BN8PR11MB3779C7C64440C1D8EF6C793DC14F0@BN8PR11MB3779.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6790;
x-forefront-prvs: 02272225C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(4636009)(396003)(346002)(376002)(366004)(136003)(39860400002)(199004)(189003)(46003)(446003)(52536014)(9686003)(476003)(6306002)(54896002)(256004)(14444005)(76176011)(486006)(7696005)(2906002)(8936002)(81166006)(186003)(81156014)(11346002)(6436002)(5660300002)(55016002)(6246003)(53546011)(99286004)(6506007)(102836004)(229853002)(86362001)(316002)(6116002)(790700001)(14454004)(71200400001)(71190400001)(76116006)(33656002)(110136005)(66476007)(66556008)(66446008)(64756008)(66946007)(7736002)(25786009)(478600001)(8676002)(74316002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR11MB3779; H:BN8PR11MB3666.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: HFTjW9IpHVlaUt2SDkF/hCNGgwvtgnOjAaZPDsTInE6iMSu8Uy+Vvlv7ri6lUmxinF/mNv9r3dNJY4gXuAH2y+9/lFXwMGAwOz/tZvPxbSz3zNiUp8baUhyqnG6WRVo1W6Xj021YU/z8yy9ruDtJnr2OZ+oYM/P5OIsiILhkrDNYDRqbrJoqG4AC6PTv7tdfDMLr72+odot9WEtqBWEx/v/ps1jx+EZTlYiSc41vhR3tS3l5362vUpL6qNnFsHY4jO5n7nczJr0XdeftmDhgSX+cbPTwEg4/guBN7t/lyjmn4tWBDe82CPHxcyj+C6OAilJYYig2xYGWZ6+Rg4+Opq3nKSHk2QJLecffQipx3wwXzGtibMX181XtxckgB6LxeYvxzmWh3WQVofTbKasZvb9EDKJQieTPvTsbE5QkMB1oRXktV8gMbdd3ToUNWHNs
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN8PR11MB366617575416C330800604E3C14F0BN8PR11MB3666namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b4c09180-bf55-48c0-fd0b-08d76dd12a11
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2019 15:49:01.5680 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TaA2LZVPWQ2oPkfwU4iV07A0i3yNLXvtSkV+AT8MVIN8HnRwUph+HT8dIaFjS6Rb7N/SpInq24cJu1g/K36rsw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3779
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.15, xch-rcd-005.cisco.com
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CFS88gNSjC48P6B2INWnG5dlNTw>
Subject: Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 15:49:08 -0000
The issue I foresee in a hash-to-curve method is that SPAKE2 attempts to use a number of different curves (P256, Curve25519), and these curves have different hash2curve algorithms. Do we restrict the curves supported? Do we use different hash2curve algorithms for different curves? Do we try to use a single hash2curve algorithm that attempts to supports all the curves (possibly suboptimially)? From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev Sent: Wednesday, November 20, 2019 2:43 AM To: CFRG <cfrg@irtf.org> Subject: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2) Dear CFRG, I've just sent two questions to be considered to be added to the Round 2 questions list, including: "Can you propose a modification of SPAKE2 (preserving all existing good properties of SPAKE2) with a correspondingly updated security proof, addressing the issue of a single discrete log relationship necessary for the security of all sessions (e.g., solution based on using M=hash2curve(A|B), N=hash2curve(B|A))?" We've had a discussion with Dan Harkins about possible improvements of SPAKE2 (many thanks to him for such a fruitful discussion!): it seems that the only major issue about SPAKE2 can be solved by using M=hash2curve(A|B), N=hash2curve(B|A)). It seems that there can't be any additional side-channel issues (like occured in Dragonfly), since the proposed modification needs only calculations based on publicly available information. Of course, such a modification requires additional security analysis of SPAKE2, modified accordingly. Best regards, Stanislav
- [Cfrg] A question to be added to the Round 2 ques… Stanislav V. Smyshlyaev
- Re: [Cfrg] A question to be added to the Round 2 … Hao, Feng
- Re: [Cfrg] A question to be added to the Round 2 … Stanislav V. Smyshlyaev
- Re: [Cfrg] A question to be added to the Round 2 … Scott Fluhrer (sfluhrer)