[Cfrg] Balanced PAKEs: new paper on SPAKE2

Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Fri, 25 October 2019 10:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/JXspHFD-W030TAAlybwna1VcuNk>

Hello All,

Michel Abdalla and Manuel Barbosa have just published a new paper on the perfect forward security of SPAKE2: https://eprint.iacr.org/2019/1194

They say:
"In this version, we tried to address some of the issues that were raised in the CFRG mailing list and during our meeting.

In particular, the proof handles explicitly the case M=N. The cases where M and N are chosen as the output of a random oracle also follow from the proof. This means for instance that M and N could be set to the hash of two fixed points (or one point when M=N) or set as a function of the client and server, such as M=H(C,S) (where H is a hash-to-group function).

The goal of the paper was not to compare it with the other submissions. It was simply to improve the security analysis of SPAKE2 and its possible variants."

With these new results in mind, I would recommend that the SPAKE2 draft use a connection-specific M=N=H(C,S,...) generated using hash-to-curve.
This will make the precomputation attack on SPAKE2 less worrisome.

Best regards,
Karthik
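The recommendation above, a connection-specific M = N = H(C, S) obtained by hashing to the group so that nobody knows its discrete logarithm, is shown below as an added illustration; this is not code from the message, the paper, or the SPAKE2 draft. It assumes NIST P-256 (public domain parameters), a toy try-and-increment hash-to-curve in place of the RFC 9380 methods, SHA-256 in place of a memory-hard password hash for w, and a transcript layout that only approximates the draft's. The function names (`hash_to_curve`, `shared_point`, `spake2_keys`) are this example's own.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (public constants; cofactor is 1).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N_ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # point at infinity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine short-Weierstrass addition (not constant time; illustration only)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    k %= N_ORDER
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def hash_to_curve(msg: bytes):
    """Toy try-and-increment hash-to-curve (assumption: stands in for RFC 9380).
    The point is derived from a hash, so no party learns its discrete log w.r.t. G,
    which is exactly the property SPAKE2 needs from M and N."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(bytes([ctr]) + msg).digest(), "big") % P
        rhs = (pow(x, 3, P) + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root works because P = 3 (mod 4)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("hash_to_curve: no point found")

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def lv(b: bytes) -> bytes:
    """Length-prefixed encoding for transcript components."""
    return len(b).to_bytes(8, "little") + b

def derive_w(password: bytes, ida: bytes, idb: bytes) -> int:
    # Assumption: a real deployment uses a memory-hard password hash here.
    d = hashlib.sha256(lv(password) + lv(ida) + lv(idb)).digest()
    return int.from_bytes(d, "big") % N_ORDER

def shared_point(ida: bytes, idb: bytes):
    """Connection-specific M = N = H(C, S): the choice recommended in the message."""
    return hash_to_curve(b"SPAKE2-M-N" + lv(ida) + lv(idb))

def spake2_keys(pw_a: bytes, pw_b: bytes, ida: bytes, idb: bytes):
    """Run both sides of SPAKE2 in one process and return (key_A, key_B)."""
    M = shared_point(ida, idb)                    # M = N
    wa, wb = derive_w(pw_a, ida, idb), derive_w(pw_b, ida, idb)
    x = secrets.randbelow(N_ORDER - 1) + 1
    y = secrets.randbelow(N_ORDER - 1) + 1
    X = ec_add(ec_mul(x, G), ec_mul(wa, M))       # A -> B: X = x*G + w*M
    Y = ec_add(ec_mul(y, G), ec_mul(wb, M))       # B -> A: Y = y*G + w*N
    Ka = ec_mul(x, ec_add(Y, ec_neg(ec_mul(wa, M))))  # A: K = x*(Y - w*N)
    Kb = ec_mul(y, ec_add(X, ec_neg(ec_mul(wb, M))))  # B: K = y*(X - w*M)
    if Ka is INF or Kb is INF:
        raise ValueError("identity shared point; abort")
    def finalize(K, w):
        tt = lv(ida) + lv(idb) + lv(encode(X)) + lv(encode(Y)) + lv(encode(K)) + lv(w.to_bytes(32, "big"))
        return hashlib.sha256(tt).digest()
    return finalize(Ka, wa), finalize(Kb, wb)
```

Because M depends on the client and server identities, a table precomputed against one (C, S) pair is useless against any other pair; with a single fixed M, N one table serves every connection, which is the precomputation concern the message refers to. Key confirmation (splitting the hash into Ke and Ka and exchanging MACs) is left out of the toy.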