Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)

"Stanislav V. Smyshlyaev" <> Wed, 20 November 2019 11:12 UTC

From: "Stanislav V. Smyshlyaev" <>
Date: Wed, 20 Nov 2019 19:12:24 +0800
To: "Hao, Feng" <>
Cc: CFRG <>

Dear Feng,

Of course, any modifications of the protocols can only be provided
together with updated security proofs (that need additional verification,
of course) - it was mentioned in my previous message.


Wed, 20 Nov 2019 at 18:52, Hao, Feng <>:

> Hi,
> I’m not involved in the panel review, but the following is my personal
> observation.
> It seems to me that this standardization process is tangled with modifying
> protocols and fixing issues as they arise along the way. The changes raised
> below are not anything trivial. As we should all know well, designing a
> cryptographic protocol is extremely delicate and error-prone – it often
> takes several years of public scrutiny to uncover flaws; even for protocols
> that are “provably secure”, the proofs may contain errors or invalid
> assumptions, which can also take several years for them to be discovered.
> If a protocol is to be considered for standardization, first of all, it
> really should be “completely” specified, and “fixed” (no movable
> parts). Then, give plenty of time for public scrutiny and time for maturity.
> If no attacks are found, the public confidence in the security of the
> protocol will grow over time. In most cases, designers of a protocol only
> have a chance to get it right – either at the start or never. Allowing
> heuristic or retrospective changes would not help increase public
> confidence.
> Cheers,
> Feng
> *From: *Cfrg <> on behalf of "Stanislav V.
> Smyshlyaev" <>
> *Date: *Wednesday, 20 November 2019 at 07:44
> *To: *"" <>
> *Subject: *[Cfrg] A question to be added to the Round 2 questions list
> for nominated PAKEs (about SPAKE2)
> Dear CFRG,
> I've just sent two questions to be considered to be added to the Round 2
> questions list, including: "Can you propose a modification of SPAKE2
> (preserving all existing good properties of SPAKE2) with a correspondingly
> updated security proof, addressing the issue of a single discrete log
> relationship necessary for the security of all sessions (e.g., solution
> based on using M=hash2curve(A|B), N=hash2curve(B|A))?"
> We've had a discussion with Dan Harkins about possible improvements of
> SPAKE2 (many thanks to him for such a fruitful discussion!): it seems that
> the only major issue about SPAKE2 can be solved by using M=hash2curve(A|B),
> N=hash2curve(B|A). It seems that there can't be any additional
> side-channel issues (like occurred in Dragonfly), since the proposed
> modification needs only calculations based on publicly available
> information.
> Of course, such a modification requires additional security analysis of
> SPAKE2, modified accordingly.
> Best regards,
> Stanislav

Best regards,

Stanislav Smyshlyaev, Ph.D. (Phys.-Math.),

Deputy General Director
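The modification discussed in the quoted message (deriving M and N from the two public identities instead of using fixed constants) can be seen end to end in the following added example, which is not code from the thread or from any SPAKE2 draft. It assumes secp256k1 as the group, a SHA-256-based try-and-increment hash as a simplified stand-in for a real hash2curve, and the plain SPAKE2 flow (X = xG + wM, Y = yG + wN, key derived from the transcript); identity strings and passwords are constructed sample inputs.

```python
import hashlib, secrets

# secp256k1 parameters (standard public constants); cofactor 1, so every curve point is in the group.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def neg(pt): return (pt[0], (-pt[1]) % P)
def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def hash2curve(label):
    """Try-and-increment hash to a point (stand-in for RFC 9380). The input is
    public (identities only), so this variable-time search leaks nothing secret."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        y2 = (pow(x, 3, P) + 7) % P
        if pow(y2, (P - 1) // 2, P) == 1:        # y2 is a quadratic residue
            return x, pow(y2, (P + 1) // 4, P)   # P = 3 (mod 4): direct square root
    raise RuntimeError("no curve point found")

def spake2_session(A, B, pw_a, pw_b):
    """One SPAKE2 run between identities A and B with M, N derived per identity pair
    (no single log_M(N) relationship spans all sessions); returns (key_A, key_B)."""
    M, Npt = hash2curve(A + b"|" + B), hash2curve(B + b"|" + A)
    wA = int.from_bytes(hashlib.sha256(pw_a).digest(), "big") % N  # A's password scalar
    wB = int.from_bytes(hashlib.sha256(pw_b).digest(), "big") % N  # B's password scalar
    x, y = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    X = add(mul(x, G), mul(wA, M))    # A -> B: X = xG + wM
    Y = add(mul(y, G), mul(wB, Npt))  # B -> A: Y = yG + wN
    KA = mul(x, add(Y, neg(mul(wA, Npt))))  # A computes x(Y - wN)
    KB = mul(y, add(X, neg(mul(wB, M))))    # B computes y(X - wM)
    def key(K, w):  # session key = H(A, B, X, Y, K, w), the SPAKE2 transcript hash
        return hashlib.sha256(A + B + enc(X) + enc(Y) + enc(K) + w.to_bytes(32, "big")).hexdigest()
    return key(KA, wA), key(KB, wB)
```

With matching passwords both sides derive the same key; with a mismatch the keys differ, and because M and N change with every identity pair, knowledge of a discrete-log relation between one pair's M and N says nothing about other identities' sessions.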