Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt

"Paterson Kenneth" <kenny.paterson@inf.ethz.ch> Wed, 13 March 2019 16:21 UTC

From: Paterson Kenneth <kenny.paterson@inf.ethz.ch>
To: Greg Hudson <ghudson@mit.edu>, Benjamin Kaduk <kaduk@mit.edu>
CC: "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com>
Thread-Topic: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt
Thread-Index: AQHU2Cx0BfbR89M7N02t2s+AosM+i6YHVDEAgAGIp4CAAA91gIAAakKAgAA/nQCAAAP9gIAADCkAgAAJvgA=
Date: Wed, 13 Mar 2019 16:20:05 +0000
Message-ID: <D40D6FCD-F4D2-4D12-8FE3-AF1ADD0A1968@inf.ethz.ch>
References: <155232379553.23186.8764563590660883823@ietfa.amsl.com> <884f593b-0753-16ff-e68c-990acd0e8d68@mit.edu> <20190313034352.GE8182@kduck.mit.edu> <7fa7713b-94da-da7b-bf9e-465627a8f030@mit.edu> <135A8573-53DF-4B51-A9F2-E3783DD6A0D0@inf.ethz.ch> <fcb6ac2e-2a0c-3eb3-dbf5-0624596d9f20@mit.edu> <6F281044-7E9B-4055-A311-881BBF1D8BE3@inf.ethz.ch> <30a32040-7c9f-bbfc-29d9-0f8e3dcd71cd@mit.edu>
In-Reply-To: <30a32040-7c9f-bbfc-29d9-0f8e3dcd71cd@mit.edu>
Accept-Language: de-CH, en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/L3ZzhmCLu0bpM_c3A32H5GGM5dE>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt

Thanks for those clarifications - I should have read the new draft all the way through. I'll get to it in due course, and I hope others will too. 

-----Original Message-----
From: Greg Hudson <ghudson@mit.edu>
Date: Wednesday, 13 March 2019 at 15:45
To: Paterson Kenneth <kenny.paterson@inf.ethz.ch>, Benjamin Kaduk <kaduk@mit.edu>
Cc: "cfrg@ietf.org" <cfrg@ietf.org>, "cawood@apple.com" <cawood@apple.com>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-08.txt

    On 3/13/19 11:01 AM, Paterson Kenneth wrote:
    >     > page 3:  "B stores L=w1*g and w0." (In the context of SPAKE2+.)
    >     > -- Assuming g is the generator of G of order p*h, notice that this element L is not necessarily in the order p subgroup of G, since w1 (and w0) are not necessarily multiples of h.
    >
    >     Since L is a multiple of G, it will be of order p (since G is of order
    >     p).  Unless I'm badly mistaken?
    >
    > G is not of order p (at least that's how I read the spec.) - rather it has order hp.

    If g is the generator, then in the new terminology L=w1*P.  P is a point
    of order p, so L should have order p as well.

    > See Section 3.1:
    > Suppose G has order p*h where p is a large prime; h will be called the cofactor.

    That refers to the group.  (Having G refer to both the group and the
    generator is of course confusing, and was rightly rectified in -08.)

    The new draft defines "a generator P of the (large) prime-order subgroup
    of G".  In the old draft, it was not clear in the text that G (the
    generator point) was a point of order p, but for edwards25519 and
    edwards448 it used the standard generators for those groups, which are
    of order p.
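The point at issue in this exchange (whether L = w1*P lands in the prime-order subgroup) can be checked concretely on edwards25519, the first of the curves the draft names. The following Python is an added illustration, not code from draft-irtf-cfrg-spake2 or from anyone in this thread. It uses the standard edwards25519 parameters from RFC 8032 (field prime q, constant d, subgroup order p, cofactor h = 8) and the standard base point B, which is the -08 draft's prime-order generator P. The scalar w1, the order-4 point T, and the point B + T (which stands in for a "generator" whose order is not prime) are constructed here for the demonstration; the function names are likewise the example's own. It shows that w1*B always has order p, that w1*(B + T) does not for a w1 that is not a multiple of the cofactor, and that multiplying the scalar by h repairs that, which is exactly the caveat in the quoted review comment.

```python
# Added illustration, not code from the draft or from this thread: verify on
# edwards25519 that w1*P lies in the prime-order subgroup when P has order p,
# and need not when the base point has a torsion component.

# Standard edwards25519 parameters (RFC 8032).
q = 2**255 - 19
d = (-121665 * pow(121666, -1, q)) % q
p = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
h = 8                                                 # cofactor
I = pow(2, (q - 1) // 4, q)                           # sqrt(-1) mod q

IDENTITY = (0, 1)   # neutral element of the Edwards group


def on_curve(P):
    """Check the twisted Edwards equation -x^2 + y^2 = 1 + d*x^2*y^2."""
    x, y = P
    return (-x * x + y * y - 1 - d * x * x * y * y) % q == 0


def add(P, Q):
    """Affine unified addition (also used for doubling). The formula is
    complete on edwards25519, so the denominators are never zero."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, q)
    return (x3 % q, y3 % q)


def scalar_mult(k, P):
    """Plain double-and-add (illustration only, not constant time)."""
    R = IDENTITY
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R


def in_prime_order_subgroup(P):
    """True iff P has order exactly p: p*P is the identity and P is not."""
    return P != IDENTITY and scalar_mult(p, P) == IDENTITY


def recover_x(y):
    """x-coordinate recovery as in RFC 8032 (q = 5 mod 8, even root chosen)."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, q) % q
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    if x % 2 != 0:
        x = q - x
    return x


# B: the standard base point (y = 4/5); it generates the order-p subgroup and
# is the draft's prime-order generator P.
B_y = (4 * pow(5, -1, q)) % q
B = (recover_x(B_y), B_y)

# T: a point of order 4 (constructed for the example). B + T then has order
# 4*p, i.e. it is a valid curve point that is NOT in the prime-order subgroup.
T = (I, 0)
G_nonprime = add(B, T)


def spake2plus_L(w1, generator):
    """L = w1 * generator, the value B stores in the SPAKE2+ registration."""
    return scalar_mult(w1, generator)


def demo(w1=0x1234567):
    """Run the checks discussed in the thread for a sample scalar w1
    (the default value is constructed for the example; it is odd, so it is
    not a multiple of the cofactor)."""
    return {
        "B_has_order_p": in_prime_order_subgroup(B),
        "T_has_order_p": in_prime_order_subgroup(T),
        "L_from_prime_order_P": in_prime_order_subgroup(spake2plus_L(w1, B)),
        "L_from_nonprime_order_g": in_prime_order_subgroup(spake2plus_L(w1, G_nonprime)),
        "L_with_w1_multiple_of_h": in_prime_order_subgroup(spake2plus_L(h * w1, G_nonprime)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The only subgroup test a verifier needs is p*L == identity; a point such as B + T passes the curve-equation check but fails that test, which is why the draft's choice of a generator of order p (rather than merely a point of the full group of order h*p) settles the question Kenneth raised.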