Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt
Benjamin Kaduk <kaduk@mit.edu> Wed, 13 March 2019 15:12 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA5471277D6 for <cfrg@ietfa.amsl.com>; Wed, 13 Mar 2019 08:12:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CRRzMCo5oPdk for <cfrg@ietfa.amsl.com>; Wed, 13 Mar 2019 08:12:19 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADC3112B001 for <cfrg@ietf.org>; Wed, 13 Mar 2019 08:12:11 -0700 (PDT)
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2DFC6B6001983 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Mar 2019 11:12:08 -0400
Date: Wed, 13 Mar 2019 10:12:06 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>
Cc: Greg Hudson <ghudson@mit.edu>, "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com>
Message-ID: <20190313151205.GH8182@kduck.mit.edu>
References: <155232379553.23186.8764563590660883823@ietfa.amsl.com> <884f593b-0753-16ff-e68c-990acd0e8d68@mit.edu> <20190313034352.GE8182@kduck.mit.edu> <7fa7713b-94da-da7b-bf9e-465627a8f030@mit.edu> <135A8573-53DF-4B51-A9F2-E3783DD6A0D0@inf.ethz.ch> <fcb6ac2e-2a0c-3eb3-dbf5-0624596d9f20@mit.edu> <6F281044-7E9B-4055-A311-881BBF1D8BE3@inf.ethz.ch>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <6F281044-7E9B-4055-A311-881BBF1D8BE3@inf.ethz.ch>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/CrCK5YE-BonTAb1VCSEpZngVJXw>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 15:12:23 -0000
On Wed, Mar 13, 2019 at 03:01:33PM +0000, Paterson Kenneth wrote: > In-line... > > -----Original Message----- > From: Greg Hudson <ghudson@mit.edu> > Date: Wednesday, 13 March 2019 at 14:47 > To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, Benjamin Kaduk <kaduk@mit.edu> > Cc: "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com> > Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt > > On 3/13/19 6:59 AM, Paterson Kenneth wrote: > > page 3: "B stores L=w1*g and w0." (In the context of SPAKE2+.) > > > > [...] > > > > -- Assuming g is the generator of G of order p*h, notice that this element L is not necessarily in the order p subgroup of G, since w1 (and w0) are not necessarily multiples of h. > > Since L is a multiple of G, it will be of order p (since G is of order > p). Unless I'm badly mistaken? > > G is not of order p (at least that's how I read the spec.) - rather it has order hp. See Section 3.1: [Just to clarify: the -08 attempts to use G for the group or order p*h, with distinguished generator P. I think Greg may be using the old terminology.] > Suppose G has order p*h where p is a large prime; h will be called the cofactor. > > > Later in the protocol, A computes V = w1(Y-w0*N) where Y should have been received from B. If Y is chosen adversarially, then V may also not be in the order p subgroup of G. > > I hadn't looked too closely at SPAKE2+. This step does seem problematic > because w1 is not a scaled coefficient, and I agree that it does not sit > well with the security considerations text (which I think was written > when the draft didn't cover SPAKE2+). Following the same logic as your > analysis (except in regard to L), it probably doesn't lead to a > small-subgroup attack since the attacker cannot see V and cannot easily > make Y-w0*N be of small order. But it may invalidate the security proof > because it's easy for an attacker to make V be of order 2p, 4p, ..., hp. > > Right. > > I'm not sure I'm qualified to suggest a fix, but I would probably start > with making w1 a scaled coefficient (however it's generated mod p, > multiply it by h so that it's in the range [0,ph) mod h, similar to x > and y). Although this is asymmetric with w0, note that w0 is used just > like w in SPAKE (multiplied by M or N to produce a mask), while w1 is > used similarly to x or y (multiplied by the generator or the other > party's point). > > My intuition here is that we need to be very careful, and (without my chair's hat) I would not want CFRG to finalise an RFC on scheme until we are sure we have a proof that applies to the protocol as specified. Given that we don't have a proof of any sort for SPAKE2+ (as opposed to regular SPAKE2), even limited to a prime-order group, wouldn't that suggest removing the augmented version from the document entirely? -Ben
- [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Benjamin Kaduk
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Paterson Kenneth
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Paterson Kenneth
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Benjamin Kaduk
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Paterson Kenneth
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Chris Wood
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Eike Kiltz
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Eike Kiltz
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.… Greg Hudson