Re: [Cfrg] PAKE selection repository
Watson Ladd <watsonbladd@gmail.com> Wed, 25 September 2019 16:52 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF87E120132 for <cfrg@ietfa.amsl.com>; Wed, 25 Sep 2019 09:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id loUzBQVRxUV5 for <cfrg@ietfa.amsl.com>; Wed, 25 Sep 2019 09:52:24 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 580231200CE for <cfrg@irtf.org>; Wed, 25 Sep 2019 09:52:24 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 72so4754909lfh.6 for <cfrg@irtf.org>; Wed, 25 Sep 2019 09:52:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+tuO1NDuS2sLHEMWZtAj59B56R9aZo+rWARjyN9RFII=; b=OKsYd7MtA9zS4C1iRInSME+T/X7V6xlWWI9+WmWkne2UfwrTxB266V2iSvi40CRYXQ SRQ8oAgd7xavma83vuelrqH29ORiveC+v0PMsel3QpTE2AvEvrTi97YDhZXb/supFU5I MYn+26JZCb18NCPKDQqzcXFKtYubFy0syFV6rzG+YdGx6jFUhSQnVFAOKovLKFT3ZtwY Z6J8qYISNV8X+H9sOgqNnzyj3hDjgJA0RZ0VdMzgLUOSRiFx5brckbFn7P2N3FcXC2SC 5JCH4awkcVTUwZ3PZ0Wuw9Nmege3f5acJu59x+alsBpFNRCNR8LnT3kRUyNLBYmL0rlL yFFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+tuO1NDuS2sLHEMWZtAj59B56R9aZo+rWARjyN9RFII=; b=cKNjRchCndQqsfeYxFJ6jusc/xxl37e69zb0XCc7DtbG0VRB0Ujyj90nvEBGqg7wF/ 21VsTzRQVnlZ8gx9RxpJad9JnmZ2VwyGjb/djA/HsVjUEJiVq3zIK42SkGWvFbmLwUU1 ntZBf5kAUnUMeeAu+x8kp9cLq/EStS5ZH8vAY9X6DnbuUPIP4OeRMAUOukY7FP74jqv6 +kgHbLCe1sBFl3AquZz/stLTzCJ5bUdXYInv6geCKkMNJSwYINSNQIO3JE5OZAKizLzI S+HGT/lE3eEv+NJ/AUsgZKamhguc37/Y98hQnKeqdkxDcA2ZGOQ/41FZ5YokGcvNaLNF 6GDg==
X-Gm-Message-State: APjAAAUJXorwq6Kj8MqPq6Xke9vzBBM/sCxTn5a+YkLxIFTj3/OkdkIW JqkLeSR0xjxLwUuKh444ewrMQCyCBG17hapRub4=
X-Google-Smtp-Source: APXvYqyyKTDsA11WLlnxT+ViJMmYZ36RFqepyahe4QEy4sghsm165I61cenayfzXDJp5fTCMf4TMmwd/trfgVCJSZt8=
X-Received: by 2002:ac2:5ec1:: with SMTP id d1mr6614218lfq.83.1569430342300; Wed, 25 Sep 2019 09:52:22 -0700 (PDT)
MIME-Version: 1.0
References: <04724898-6ABB-4775-8558-ADA6E3EF2A8A@live.warwick.ac.uk> <d51f2637-ee1d-fd31-cc84-bcc1f9268b50@web.de>
In-Reply-To: <d51f2637-ee1d-fd31-cc84-bcc1f9268b50@web.de>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 25 Sep 2019 09:52:10 -0700
Message-ID: <CACsn0cm=a-HgjcuPccc3_wR2YDTxq_3zTMFLBWBPLdWg83hCjw@mail.gmail.com>
To: Björn Haase <bjoern.m.haase@web.de>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000000d796e0593637a33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/GdBUIdfmn97ytpGokyMZyaQ3YFY>
Subject: Re: [Cfrg] PAKE selection repository
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Sep 2019 16:52:28 -0000
On Wed, Sep 25, 2019, 7:21 AM Björn Haase <bjoern.m.haase@web.de> wrote: > Dear Feng, > > > I agree with all of your points and specifically one of the key questions: > > >“Trusted setup vs hash-to-curve - which of these two is considered > acceptable, or neither?” > > > It was for preparing a clearer picture specifically for this question why > I have reviewed last week the patent situation regarding hash2curve. > > After concluding that any patents on hash2curve algorithms could safely be > circumvented, I am now clearly advocating for avoiding "trusted setup". > It's not only a security aspect but rather also an aspect of efficiency. > Great news: no PAKE in the competition have a trusted setup. The efficiency aspect is simply one of DH with unknown base vs SPAKE2 which has some additional operations. What SPAKE2 does have is a slight weakness where one DL breaks the protocol everywhere going forwards. Solution: use groups where DL is hard which you have to do anyway. In fact one could avoid both via Elligator+encryption, but sadly I didn't have that idea on time. > > Regarding the algorithms, I'd opt on a one-to-one mapping of hash2curve > algorithm per curve. For Montgomery or (twisted) edwards curves, I'd like > to suggest elligator2. For the conventional short-Weierstrass form curves, > I'd like to suggest Riad's version of simplified SWU that avoids using "-1" > as a non-square element. This latter also provides a solution for most > curves. > There is a separate hash2curve draft. Let's use that. > > The only real drawback of hash2curve that I am aware of might be related > to legacy designs of secure element chipsets. Unlike for conventional > scalar multiplication there might not be comparable hardware assistance for > hash2curve. However I am not aware of any legacy secure element chipset > that serves the typical IETF use cases. In my perception most applications > regarding passwords will be software-based and future secure-element > solutions could consider hash2curve without problems. > > > Yours, > > > Björn. > > > > Am 25.09.2019 um 12:28 schrieb Hao, Feng: > > Hi Yaron, > > > > Thanks for putting this together. It’s really encouraging to see the > interest and detailed comments on PAKE from I agreifferent sectors in the > industry. After reading all reviews, I think there is a fundamental > question that needs to be addressed. The question is below: > > > > “Trusted setup vs hash-to-curve - which of these two is considered > acceptable, or neither?” > > > > If the former is acceptable, we need to fully understand the implications > once this setup becomes a target of attack and is broken in the worst case. > However, the implications are not spelt out. If the latter is acceptable, > the hash-to-curve functions must be fully specified. They have to be part > of the complete specification for a PAKE system, and “fixed” (not movable > parts) so people can review the whole system and fairly compare it with > other techniques. We should also need to anticipate the likely scenario > that in 10-20 years from now new EC curves might emerge and have more > desirable security/efficiency properties, and hence become the preferred > choices in the industry. Does a general hash-to-curve function exist that > can adapt to any such curve that may emerge in the future? > > > > Cheers, > > Feng > > > > *From: *Cfrg <cfrg-bounces@irtf.org> <cfrg-bounces@irtf.org> on behalf of > Yaron Sheffer <yaronf.ietf@gmail.com> <yaronf.ietf@gmail.com> > *Date: *Friday, 20 September 2019 at 16:30 > *To: *"cfrg@irtf.org" <cfrg@irtf.org> <cfrg@irtf.org> <cfrg@irtf.org> > *Subject: *[Cfrg] PAKE selection repository > > > > Hi, > > > > We have established a GitHub repository [1] for the source material of the > PAKE selection candidates, as well as a list of all reviews submitted so > far. We will update it when new reviews come in. > > > > If you would like to amend a review you have submitted, please send the > full review to the CFRG mailing list, and then open a Pull Request (or a > GitHub Issue if that’s easier) with a stable link for the new review. > > > > Thanks, > > Yaron > > > > [1] https://github.com/cfrg/pake-selection/ > > > > > > _______________________________________________ > Cfrg mailing listCfrg@irtf.orghttps://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] PAKE selection repository Yaron Sheffer
- Re: [Cfrg] PAKE selection repository Hao, Feng
- Re: [Cfrg] PAKE selection repository Björn Haase
- Re: [Cfrg] PAKE selection repository Watson Ladd