Re: [CFRG] Symmetric SPAKE2

Filippo Valsorda <filippo@ml.filippo.io> Mon, 21 June 2021 15:58 UTC

Message-Id: <75ff10a4-9e39-48d5-a00b-71d942d0dcad@www.fastmail.com>
In-Reply-To: <CACsn0c=iL_HLMidJoL9eUqmzcTumiNTZZ+7vRXNTea1geeBK7Q@mail.gmail.com>
References: <272c789a-afa2-4cef-869d-980f4e0df1e8@www.fastmail.com> <CACsn0c=iL_HLMidJoL9eUqmzcTumiNTZZ+7vRXNTea1geeBK7Q@mail.gmail.com>
Date: Mon, 21 Jun 2021 17:57:24 +0200
From: "Filippo Valsorda" <filippo@ml.filippo.io>
To: "Watson Ladd" <watsonbladd@gmail.com>
Cc: CFRG <cfrg@irtf.org>, "Brian Warner" <warner@lothar.com>, "Hao, Feng" <Feng.Hao@warwick.ac.uk>, "Mike Hamburg" <mike@shiftleft.org>, "Benjamin Kaduk" <kaduk@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/FSsR_BXrZBHtX7uY5EGORKuHvu8>
Subject: Re: [CFRG] Symmetric SPAKE2

2021-04-27 06:04 GMT+02:00 Watson Ladd <watsonbladd@gmail.com>:
> On Mon, Apr 26, 2021 at 6:20 PM Filippo Valsorda <filippo@ml.filippo.io> wrote:
> >
> > Hi all,
> >
> > I am trying to figure out the properties of symmetric SPAKE2, where there is no
> > ordering and M = N.
> >
> > The only note I can find in draft-irtf-cfrg-spake2-18 is this in Section 5.
> >
> >    In addition M and N may be equal to have a symmetric variant.  The
> >    security of these variants is examined in [MNVAR].  This variant may
> >    not be suitable for protocols that require the messages to be
> >    exchanged symmetrically and do not know the exact identity of the
> >    parties before the flow begins.
> >
> > https://tools.ietf.org/html/draft-irtf-cfrg-spake2-18#section-5
> >
> > I interpret "these variants" as the ones with M = N, and "This variant" as the
> > "Per-User M and N" one, meaning this paragraph is saying that you can't do
> > per-user M and N if M = N, which tracks.
> >
> > However, the spec is hardcoding M and N to different values, so it doesn't
> > actually seem to allow M = N variants at all. Should that be addressed?
> 
> "These variants" is supposed to be M=N where you pick the point or the
> per user one.

Should the spec provide fixed points for M = N, or a recommendation
to use the provided N (or M) on both sides? It feels important for
interoperability.
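
Added example, not part of the original message or of the draft: a sketch of why the choice of the shared point matters for interoperability when M = N. It assumes a deliberately tiny toy group (squares modulo 2039) instead of a real curve, constructed blinding elements, hypothetical names (`SymmetricSide`, `M_SPEC`, `M_OTHER`, `run`), and a transcript hashed in sorted message order, which is this example's choice rather than anything the draft specifies.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): the order-Q subgroup
# of squares modulo the safe prime P = 2*Q + 1.
P, Q, G = 2039, 1019, 4
# Constructed blinding elements. A real deployment needs a point whose
# discrete log relative to G is unknown; these small squares are not that.
M_SPEC = 9     # stands in for a point fixed by the specification
M_OTHER = 25   # stands in for a point an implementation picked on its own

def pw_scalar(password: bytes) -> int:
    """Map the password to a non-zero scalar w in [1, Q-1]."""
    h = int.from_bytes(hashlib.sha256(password).digest(), "big")
    return 1 + h % (Q - 1)

class SymmetricSide:
    """One party. There is no role: both parties run exactly this code."""
    def __init__(self, password: bytes, blind: int, scalar=None):
        self.w = pw_scalar(password)
        self.blind = blind
        self.x = scalar if scalar is not None else 1 + secrets.randbelow(Q - 1)
        # Outgoing message: G^x * blind^w
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P

    def finish(self, peer_msg: int) -> bytes:
        if not 0 < peer_msg < P or pow(peer_msg, Q, P) != 1:
            raise ValueError("peer message is not in the order-Q subgroup")
        # Strip blind^w (blind has order Q, so blind^(Q-w) is the inverse).
        unblinded = peer_msg * pow(self.blind, Q - self.w, P) % P
        k = pow(unblinded, self.x, P)
        # Without roles the transcript cannot say "A's message, B's message",
        # so the two messages are hashed in sorted order.
        lo, hi = sorted((self.msg, peer_msg))
        data = b"|".join(str(v).encode() for v in (lo, hi, k, self.w))
        return hashlib.sha256(data).digest()

def run(blind_a: int, blind_b: int, pw=b"correct horse"):
    a = SymmetricSide(pw, blind_a, scalar=123)   # fixed scalars: repeatable
    b = SymmetricSide(pw, blind_b, scalar=456)
    return a.finish(b.msg), b.finish(a.msg)
```

Two sides that share the password and the same point agree on a key with no notion of initiator or responder; two sides that share the password but each picked their own point do not, which is the interoperability gap the question is about.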