IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt

Benjamin Kaduk <kaduk@mit.edu> Wed, 13 March 2019 15:12 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA5471277D6 for <cfrg@ietfa.amsl.com>; Wed, 13 Mar 2019 08:12:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRRzMCo5oPdk for <cfrg@ietfa.amsl.com>; Wed, 13 Mar 2019 08:12:19 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADC3112B001 for <cfrg@ietf.org>; Wed, 13 Mar 2019 08:12:11 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2DFC6B6001983 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Mar 2019 11:12:08 -0400
Date: Wed, 13 Mar 2019 10:12:06 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>
Cc: Greg Hudson <ghudson@mit.edu>, "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com>
Message-ID: <20190313151205.GH8182@kduck.mit.edu>
References: <155232379553.23186.8764563590660883823@ietfa.amsl.com> <884f593b-0753-16ff-e68c-990acd0e8d68@mit.edu> <20190313034352.GE8182@kduck.mit.edu> <7fa7713b-94da-da7b-bf9e-465627a8f030@mit.edu> <135A8573-53DF-4B51-A9F2-E3783DD6A0D0@inf.ethz.ch> <fcb6ac2e-2a0c-3eb3-dbf5-0624596d9f20@mit.edu> <6F281044-7E9B-4055-A311-881BBF1D8BE3@inf.ethz.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6F281044-7E9B-4055-A311-881BBF1D8BE3@inf.ethz.ch>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CrCK5YE-BonTAb1VCSEpZngVJXw>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 15:12:23 -0000

On Wed, Mar 13, 2019 at 03:01:33PM +0000, Paterson  Kenneth wrote:
> In-line...
> 
> -----Original Message-----
> From: Greg Hudson <ghudson@mit.edu>
> Date: Wednesday, 13 March 2019 at 14:47
> To: Paterson  Kenneth <kenny.paterson@inf.ethz.ch>, Benjamin Kaduk <kaduk@mit.edu>
> Cc: "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com>
> Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt
> 
>     On 3/13/19 6:59 AM, Paterson  Kenneth wrote:
>     > 		page 3:  "B stores L=w1*g and w0." (In the context of SPAKE2+.)
>     > 
>     > 		[...]
>     > 
>     > 	-- Assuming g is the generator of G of order p*h, notice that this element L is not necessarily in the order p subgroup of G, since w1 (and w0) are not necessarily multiples of h.
>     
>     Since L is a multiple of G, it will be of order p (since G is of order
>     p).  Unless I'm badly mistaken?
>    
> G is not of order p (at least that's how I read the spec.) - rather it has order hp. See Section 3.1:

[Just to clarify: the -08 attempts to use G for the group or order p*h,
with distinguished generator P.  I think Greg may be using the old
terminology.]

> 	Suppose G has order p*h where p is a large prime; h will be called the cofactor.
> 
>     > Later in the protocol, A computes V = w1(Y-w0*N) where Y should have been received from B. If Y is chosen adversarially, then V may also not be in the order p subgroup of G.
>     
>     I hadn't looked too closely at SPAKE2+.  This step does seem problematic
>     because w1 is not a scaled coefficient, and I agree that it does not sit
>     well with the security considerations text (which I think was written
>     when the draft didn't cover SPAKE2+).  Following the same logic as your
>     analysis (except in regard to L), it probably doesn't lead to a
>     small-subgroup attack since the attacker cannot see V and cannot easily
>     make Y-w0*N be of small order.  But it may invalidate the security proof
>     because it's easy for an attacker to make V be of order 2p, 4p, ..., hp.
> 
> Right.
>     
>     I'm not sure I'm qualified to suggest a fix, but I would probably start
>     with making w1 a scaled coefficient (however it's generated mod p,
>     multiply it by h so that it's in the range [0,ph) mod h, similar to x
>     and y).  Although this is asymmetric with w0, note that w0 is used just
>     like w in SPAKE (multiplied by M or N to produce a mask), while w1 is
>     used similarly to x or y (multiplied by the generator or the other
>     party's point).
> 
> My intuition here is that we need to be very careful, and (without my chair's hat) I would not want CFRG to finalise an RFC on scheme until we are sure we have a proof that applies to the protocol as specified.

Given that we don't have a proof of any sort for SPAKE2+ (as opposed to
regular SPAKE2), even limited to a prime-order group, wouldn't that suggest
removing the augmented version from the document entirely?

-Ben

v2.23.0 | Report a Bug | By Email