Return-Path: X-Original-To: cfrg@ietfa.amsl.com Delivered-To: cfrg@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D52DA1208A0 for ; Wed, 20 Nov 2019 03:12:39 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.996 X-Spam-Level: X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMlbjOKBXQNO for ; Wed, 20 Nov 2019 03:12:37 -0800 (PST) Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 577BF120043 for ; Wed, 20 Nov 2019 03:12:37 -0800 (PST) Received: by mail-lf1-x134.google.com with SMTP id f18so7500306lfj.6 for ; Wed, 20 Nov 2019 03:12:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XS2Iucj9SwTg7lZ/qVL/vPYRxRIQf8ZFatrGc+v/p4U=; b=CYfHDltco+1sVjEFQ+CyGvfBurVoWZtsfQPbqvqb/MKzaO6LVZNP8mQe1copamRHlh U5mtc12UwXx+sNtFhchURAk2lq5ddaE28h4BBGeCPljZPn0t2lFCNhSwJmpyfCEWiyKL tSEDdPWDjL5P+L8DUyKIQcLmVKsi24dErjUDo8t+lPjseSg+1BjjtIFf18dGYxGsOpBJ 70qeI0f/NU6yjebZ0mMzZKk1sg4VM4KNxae3wOyVkSnX1DFUm+r5yhhW6yTP3fTkrHxu 9OY7Qxk5RCDKPiW+zX1kAeV5WDHjqkMAewKwNBq7bCYZ9R+UKjcIWdaG0ZPDKV9gJkQV /RQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XS2Iucj9SwTg7lZ/qVL/vPYRxRIQf8ZFatrGc+v/p4U=; b=WBinGnVR9qfthdh8xAD7b0Qyeo4zfsQSwNepIUyRNOqRkcHoAdPu3+ZYUmWho9TRZN IE2dJTFxu2xIe/GsVcqW2/xbizYrGGSPCYoC0hrbgMAuzS2CYMhhzDNoHgI+nYHW5AhZ bXom3TWyuXsPAs71XzSs6OAVzZkNZQ2kx8V+3CKi/FrEA1KiylGVF/9aiXisburNaa/5 HSUNwvzckt1micp6BGu/RFk4WL673/7F20KXHui1sUl7pPT7hLcRXPXuRJyZx/30zFeg fQvIOsuHMjeUZMYnSIu1otVZMINSU2RXLTjuNWLIEMRbvDfFsrdeOzAP3yeMw8AfM5Le 1yUw== X-Gm-Message-State: APjAAAXVKRwMw9f0BAGe0soJcdDcTo+BDwvW55AssIbh3htZDdQcbz3w hiFNijjYazHnDOdgruDhnYi1mJ1JjHCqXqNNm771GXhS X-Google-Smtp-Source: APXvYqzsTFSOO+Ijyju7hwEmK0Yx8YO+T7wxSUJ8YdNIfqhJUKNTugqRTBdLvDETYuPR2crJIV/l8wOuMr9vrXckvlI= X-Received: by 2002:a05:6512:49c:: with SMTP id v28mr2399271lfq.9.1574248355491; Wed, 20 Nov 2019 03:12:35 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "Stanislav V. Smyshlyaev" Date: Wed, 20 Nov 2019 19:12:24 +0800 Message-ID: To: "Hao, Feng" Cc: CFRG Content-Type: multipart/alternative; boundary="0000000000000474c80597c542a2" Archived-At: Subject: Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2) X-BeenThere: cfrg@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Crypto Forum Research Group List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Nov 2019 11:12:40 -0000 --0000000000000474c80597c542a2 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Dear Feng, Of course, any modifications of the protocols can only be provided only together with updated security proofs (that need additional verification, of course) - it was mentioned in my previous message. Regards, Stanislav =D1=81=D1=80, 20 =D0=BD=D0=BE=D1=8F=D0=B1. 2019 =D0=B3. =D0=B2 18:52, Hao, = Feng : > Hi, > > > > I=E2=80=99m not involved in the panel review, but the following is my per= sonal > observation. > > > > It seems to me that this standardization process is tangled with modifyin= g > protocols and fixing issues as they arise along the way. The changes rais= ed > below are not anything trivial. As we should all know well, designing a > cryptographic protocol is extremely delicate and error-prone =E2=80=93 it= often > takes several years of public scrutiny to uncover flaws; even for protoco= ls > that are =E2=80=9Cprovably secure=E2=80=9D, the proofs may contain errors= or invalid > assumptions, which can also take several years for them to be discovered. > If a protocol is to be considered for standardization, first of all, it > should really need to be =E2=80=9Ccompletely=E2=80=9D specified, and =E2= =80=9Cfixed=E2=80=9D (no movable > parts). Then, give plenty time for public scrutiny and time for maturity. > If no attacks are found, the public confidence on the security on the > protocol will grow over time. In most cases, designers of a protocol only > have a chance to get it right =E2=80=93 either at the start or never. All= owing > heuristic or retrospective changes would not help increase public > confidence. > > > > Cheers, > > Feng > > > > *From: *Cfrg on behalf of "Stanislav V. > Smyshlyaev" > *Date: *Wednesday, 20 November 2019 at 07:44 > *To: *"cfrg@irtf.org" > *Subject: *[Cfrg] A question to be added to the Round 2 questions list > for nominated PAKEs (about SPAKE2) > > > > Dear CFRG, > > > > I've just sent two questions to be considered to be added to the Round 2 > questions list, including: "Can you propose a modification of SPAKE2 > (preserving all existing good properties of SPAKE2) with a correspondingl= y > updated security proof, addressing the issue of a single discrete log > relationship necessary for the security of all sessions (e.g., solution > based on using M=3Dhash2curve(A|B), N=3Dhash2curve(B|A))?" > > > > We've had a discussion with Dan Harkins about possible improvements of > SPAKE2 (many thanks to him for such a fruitful discussion!): it seems tha= t > the only major issue about SPAKE2 can be solved by using M=3Dhash2curve(A= |B), > N=3Dhash2curve(B|A)). It seems that there can't be any additional > side-channel issues (like occured in Dragonfly), since the proposed > modification needs only calculations based on publicly available > information. > > > > Of course, such a modification requires additional security analysis of > SPAKE2, modified accordingly. > > > > Best regards, > > Stanislav > --=20 =D0=A1 =D1=83=D0=B2=D0=B0=D0=B6=D0=B5=D0=BD=D0=B8=D0=B5=D0=BC, =D0=A1=D1=82=D0=B0=D0=BD=D0=B8=D1=81=D0=BB=D0=B0=D0=B2 =D0=A1=D0=BC=D1=8B= =D1=88=D0=BB=D1=8F=D0=B5=D0=B2, =D0=BA.=D1=84.-=D0=BC.=D0=BD., =D0=97=D0=B0=D0=BC=D0=B5=D1=81=D1=82=D0=B8=D1=82=D0=B5=D0=BB=D1=8C =D0=B3= =D0=B5=D0=BD=D0=B5=D1=80=D0=B0=D0=BB=D1=8C=D0=BD=D0=BE=D0=B3=D0=BE =D0=B4= =D0=B8=D1=80=D0=B5=D0=BA=D1=82=D0=BE=D1=80=D0=B0 =D0=9E=D0=9E=D0=9E =C2=AB=D0=9A=D0=A0=D0=98=D0=9F=D0=A2=D0=9E-=D0=9F=D0=A0= =D0=9E=C2=BB --0000000000000474c80597c542a2 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Dear Feng,

Of course, any modifications of the protocols can only be p= rovided only together with updated security proofs (that need additional ve= rification, of course) - it was mentioned in my previous message.
Regards,
S= tanislav

=D1=81=D1=80, 20 =D0=BD=D0=BE=D1=8F=D0=B1. 2019 =D0=B3. =D0=B2= 18:52, Hao, Feng <Feng.Hao@wa= rwick.ac.uk>:

Hi,

=C2=A0

I=E2=80=99m not involved in the panel review, but th= e following is my personal observation.

=C2=A0

It seems to me that this standardization process is = tangled with modifying protocols and fixing issues as they arise along the = way. The changes raised below are not anything trivial. As we should all kn= ow well, designing a cryptographic protocol is extremely delicate and error-prone =E2=80=93 it often takes se= veral years of public scrutiny to uncover flaws; even for protocols that ar= e =E2=80=9Cprovably secure=E2=80=9D, the proofs may contain errors or inval= id assumptions, which can also take several years for them to be discovered. If a protocol is to be considered for standardization, f= irst of all, it should really need to be =E2=80=9Ccompletely=E2=80=9D speci= fied, and =E2=80=9Cfixed=E2=80=9D (no movable parts). Then, give plenty tim= e for public scrutiny and time for maturity. If no attacks are found, the public confidence on the security on the protocol will grow over time.= In most cases, designers of a protocol only have a chance to get it right = =E2=80=93 either at the start or never. Allowing heuristic or retrospective= changes would not help increase public confidence.

=C2=A0

Cheers,

Feng

=C2=A0

From= : Cfrg <cfrg-bounces@irtf.org> on behalf of "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wednesday, 20 November 2019 at 07:44
To: "cfrg@ir= tf.org" <cfr= g@irtf.org>
Subject: [Cfrg] A question to be added to the Round 2 questions list= for nominated PAKEs (about SPAKE2)

=C2=A0

Dear CFRG,

=C2=A0

I've just sent two questions to be considered to= be added to the Round 2 questions list, including: "Can you propose a= modification of SPAKE2 (preserving all existing good properties of SPAKE2)= with a correspondingly updated security proof, addressing the issue of a single discrete log relationship necessary for t= he security of all sessions (e.g., solution based on using M=3Dhash2curve(A= |B), N=3Dhash2curve(B|A))?"

=C2=A0

We've had a discussion with Dan Harkins about po= ssible improvements of SPAKE2 (many thanks to him for such a fruitful discu= ssion!): it seems that the only major issue about SPAKE2 can be solved by u= sing M=3Dhash2curve(A|B), N=3Dhash2curve(B|A)). It seems that there can't be any additional side-channel issues (like = occured in Dragonfly), since the proposed modification needs only calculati= ons based on publicly available information.

=C2=A0

Of course, such a modification requires additional s= ecurity analysis of SPAKE2, modified accordingly.

=C2=A0

Best regards,

Stanislav

--
<= div dir=3D"ltr">

=D0=A1 =D1=83= =D0=B2=D0=B0=D0=B6=D0=B5=D0=BD=D0=B8=D0=B5=D0=BC,

=D0=A1=D1=82=D0=B0=D0=BD=D0=B8=D1=81=D0=BB=D0=B0=D0=B2 =D0=A1= =D0=BC=D1=8B=D1=88=D0=BB=D1=8F=D0=B5=D0=B2, =D0=BA.=D1=84.-=D0=BC.=D0=BD.,<= /font>

=D0=97=D0=B0=D0=BC=D0=B5=D1=81=D1=82= =D0=B8=D1=82=D0=B5=D0=BB=D1=8C =D0=B3=D0=B5=D0=BD=D0=B5=D1=80=D0=B0=D0=BB= =D1=8C=D0=BD=D0=BE=D0=B3=D0=BE =D0=B4=D0=B8=D1=80=D0=B5=D0=BA=D1=82=D0=BE= =D1=80=D0=B0

=D0=9E=D0=9E=D0=9E =C2=AB= =D0=9A=D0=A0=D0=98=D0=9F=D0=A2=D0=9E-=D0=9F=D0=A0=D0=9E=C2=BB


--0000000000000474c80597c542a2--