Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 20 November 2019 11:12 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D52DA1208A0 for <cfrg@ietfa.amsl.com>; Wed, 20 Nov 2019 03:12:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMlbjOKBXQNO for <cfrg@ietfa.amsl.com>; Wed, 20 Nov 2019 03:12:37 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 577BF120043 for <cfrg@irtf.org>; Wed, 20 Nov 2019 03:12:37 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id f18so7500306lfj.6 for <cfrg@irtf.org>; Wed, 20 Nov 2019 03:12:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XS2Iucj9SwTg7lZ/qVL/vPYRxRIQf8ZFatrGc+v/p4U=; b=CYfHDltco+1sVjEFQ+CyGvfBurVoWZtsfQPbqvqb/MKzaO6LVZNP8mQe1copamRHlh U5mtc12UwXx+sNtFhchURAk2lq5ddaE28h4BBGeCPljZPn0t2lFCNhSwJmpyfCEWiyKL tSEDdPWDjL5P+L8DUyKIQcLmVKsi24dErjUDo8t+lPjseSg+1BjjtIFf18dGYxGsOpBJ 70qeI0f/NU6yjebZ0mMzZKk1sg4VM4KNxae3wOyVkSnX1DFUm+r5yhhW6yTP3fTkrHxu 9OY7Qxk5RCDKPiW+zX1kAeV5WDHjqkMAewKwNBq7bCYZ9R+UKjcIWdaG0ZPDKV9gJkQV /RQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XS2Iucj9SwTg7lZ/qVL/vPYRxRIQf8ZFatrGc+v/p4U=; b=WBinGnVR9qfthdh8xAD7b0Qyeo4zfsQSwNepIUyRNOqRkcHoAdPu3+ZYUmWho9TRZN IE2dJTFxu2xIe/GsVcqW2/xbizYrGGSPCYoC0hrbgMAuzS2CYMhhzDNoHgI+nYHW5AhZ bXom3TWyuXsPAs71XzSs6OAVzZkNZQ2kx8V+3CKi/FrEA1KiylGVF/9aiXisburNaa/5 HSUNwvzckt1micp6BGu/RFk4WL673/7F20KXHui1sUl7pPT7hLcRXPXuRJyZx/30zFeg fQvIOsuHMjeUZMYnSIu1otVZMINSU2RXLTjuNWLIEMRbvDfFsrdeOzAP3yeMw8AfM5Le 1yUw==
X-Gm-Message-State: APjAAAXVKRwMw9f0BAGe0soJcdDcTo+BDwvW55AssIbh3htZDdQcbz3w hiFNijjYazHnDOdgruDhnYi1mJ1JjHCqXqNNm771GXhS
X-Google-Smtp-Source: APXvYqzsTFSOO+Ijyju7hwEmK0Yx8YO+T7wxSUJ8YdNIfqhJUKNTugqRTBdLvDETYuPR2crJIV/l8wOuMr9vrXckvlI=
X-Received: by 2002:a05:6512:49c:: with SMTP id v28mr2399271lfq.9.1574248355491; Wed, 20 Nov 2019 03:12:35 -0800 (PST)
MIME-Version: 1.0
References: <CAMr0u6m+r5-2qp9qHTdAiy1i0RN9gonpqXPkv5zFiAFsppEnbA@mail.gmail.com> <CAF4450C-C421-43EF-A3E5-978E129B1D09@live.warwick.ac.uk>
In-Reply-To: <CAF4450C-C421-43EF-A3E5-978E129B1D09@live.warwick.ac.uk>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 20 Nov 2019 19:12:24 +0800
Message-ID: <CAMr0u6msuLCsmM=G7Grm3+GDhPxva1aEEUZi7S581oO=cKVubQ@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="0000000000000474c80597c542a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JGCKLYxaDN_dd8-3IoSFdKUHyxo>
Subject: Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2019 11:12:40 -0000

Dear Feng,

Of course, any modifications of the protocols can only be provided only
together with updated security proofs (that need additional verification,
of course) - it was mentioned in my previous message.

Regards,
Stanislav

ср, 20 нояб. 2019 г. в 18:52, Hao, Feng <Feng.Hao@warwick.ac.uk>;:

> Hi,
>
>
>
> I’m not involved in the panel review, but the following is my personal
> observation.
>
>
>
> It seems to me that this standardization process is tangled with modifying
> protocols and fixing issues as they arise along the way. The changes raised
> below are not anything trivial. As we should all know well, designing a
> cryptographic protocol is extremely delicate and error-prone – it often
> takes several years of public scrutiny to uncover flaws; even for protocols
> that are “provably secure”, the proofs may contain errors or invalid
> assumptions, which can also take several years for them to be discovered.
> If a protocol is to be considered for standardization, first of all, it
> should really need to be “completely” specified, and “fixed” (no movable
> parts). Then, give plenty time for public scrutiny and time for maturity.
> If no attacks are found, the public confidence on the security on the
> protocol will grow over time. In most cases, designers of a protocol only
> have a chance to get it right – either at the start or never. Allowing
> heuristic or retrospective changes would not help increase public
> confidence.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org>; on behalf of "Stanislav V.
> Smyshlyaev" <smyshsv@gmail.com>;
> *Date: *Wednesday, 20 November 2019 at 07:44
> *To: *"cfrg@irtf.org"; <cfrg@irtf.org>;
> *Subject: *[Cfrg] A question to be added to the Round 2 questions list
> for nominated PAKEs (about SPAKE2)
>
>
>
> Dear CFRG,
>
>
>
> I've just sent two questions to be considered to be added to the Round 2
> questions list, including: "Can you propose a modification of SPAKE2
> (preserving all existing good properties of SPAKE2) with a correspondingly
> updated security proof, addressing the issue of a single discrete log
> relationship necessary for the security of all sessions (e.g., solution
> based on using M=hash2curve(A|B), N=hash2curve(B|A))?"
>
>
>
> We've had a discussion with Dan Harkins about possible improvements of
> SPAKE2 (many thanks to him for such a fruitful discussion!): it seems that
> the only major issue about SPAKE2 can be solved by using M=hash2curve(A|B),
> N=hash2curve(B|A)). It seems that there can't be any additional
> side-channel issues (like occured in Dragonfly), since the proposed
> modification needs only calculations based on publicly available
> information.
>
>
>
> Of course, such a modification requires additional security analysis of
> SPAKE2, modified accordingly.
>
>
>
> Best regards,
>
> Stanislav
>
-- 

С уважением,

Станислав Смышляев, к.ф.-м.н.,

Заместитель генерального директора

ООО «КРИПТО-ПРО»