[CFRG] Modifying SPAKE2 draft for more curves (was Re: Attack on a Real World SPAKE2 Implementation)
Watson Ladd <watsonbladd@gmail.com> Mon, 10 May 2021 02:48 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61FDB3A05AC for <cfrg@ietfa.amsl.com>; Sun, 9 May 2021 19:48:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAIoeiXbw78H for <cfrg@ietfa.amsl.com>; Sun, 9 May 2021 19:48:30 -0700 (PDT)
Received: from mail-ej1-x62e.google.com (mail-ej1-x62e.google.com [IPv6:2a00:1450:4864:20::62e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE7333A0553 for <cfrg@irtf.org>; Sun, 9 May 2021 19:48:30 -0700 (PDT)
Received: by mail-ej1-x62e.google.com with SMTP id u21so22144441ejo.13 for <cfrg@irtf.org>; Sun, 09 May 2021 19:48:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=9MHmcm0bbpNm/gfB0FEjSUbf7mFWFpRLSFwlZcuqUWA=; b=Snlq+nJ3eB/QM2OtAiIWmafdbtb3B3QG7wfVGQgrCCjZk+eF2699HoAARNI5jQXQSn m0MktFjSkBFbz1NpXB6AtFFvI0fd/4HuVyNVQofpyTq7XzOsf6Trl28H9ohDMrPMQs7T mEGcjy5N2WzsJQ2x1ZoABB4DaAheEa2bQZ/0PYXmzOazuzXuUGLF/wRgCAEHcyTQzY08 wGfZKeGXPCG3+uT4eW9pDj1V+0VggWnaNoYxi5ZYkwJaRJm8O8vIktPouRvERDxLuG8J K4kSoAmHWxbx1DYZRD4OOrW/iMEDbS1UyR0flox9KOzq/sn+7NPr3BGxAqCkubbSu7d0 U9ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=9MHmcm0bbpNm/gfB0FEjSUbf7mFWFpRLSFwlZcuqUWA=; b=Wudu6Ods9pVKtUmYDXJABcKXXZ+XqPEg80GL/CfPf3HPKqCjhFA4QuGxIIq8mkUKRQ 99zW4g9XkZz4GaqciDTq03Zk7pFFdsMKIyxKyMix/170hfXnJOUP3SKBjtSavyIi34lI SrOsDKz25z3cEkAlDXRpfhawkuGtk3Vn5ZpJk8kfiTS56iZvjV+3vtcq782eWpigpZjV F85GyYsfZS76ccp3PFZK1rd62w2e/ttLEPekCCqLDBI81uwPZIf2pd19gVPdQT4FeX2V LopB4AHkqCQcG7tBgJ+TB6vByxnqBKk2khpepp0srQrf67fWi12wvQbH6GiRYgh5oSbQ HeSg==
X-Gm-Message-State: AOAM530naiAjboZELKXXFx3s1P0F1o5efeyTv4tHUiuNOVSV5JvBGk43 Ztdakn4yMdeW8MsCtAPE32HSiHApdndLi9snKPQ=
X-Google-Smtp-Source: ABdhPJzGxC7eKqllXipTg+NZ/PUCrnYAjO0neGxUnhBKylgBNeCwW2l0nychAkXBytOakkWDNVyw52gaetPl2LwFJzY=
X-Received: by 2002:a17:906:3b10:: with SMTP id g16mr23867836ejf.232.1620614904058; Sun, 09 May 2021 19:48:24 -0700 (PDT)
MIME-Version: 1.0
References: <2bfbd767-b93a-42bd-be7d-1dae9e32e555@ruben-gonzalez.de> <SY4PR01MB625110F1F7633D989FCF183EEE579@SY4PR01MB6251.ausprd01.prod.outlook.com> <e88bae26-ff1f-42e3-babf-c5de3ee1d781@www.fastmail.com> <e47d0509-2b47-b811-7fd5-8846c11dc055@web.de>
In-Reply-To: <e47d0509-2b47-b811-7fd5-8846c11dc055@web.de>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 09 May 2021 22:48:12 -0400
Message-ID: <CACsn0c=6FgTHzTp7zuFri-gSYG3dBr6sASBMH34mBO5YDE7Ejw@mail.gmail.com>
To: Björn Haase <bjoern.m.haase@web.de>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MfL_3al8lR4mi0CDXvvjXA__zWg>
Subject: [CFRG] Modifying SPAKE2 draft for more curves (was Re: Attack on a Real World SPAKE2 Implementation)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 May 2021 02:48:35 -0000
On Sun, May 9, 2021 at 12:06 PM Björn Haase <bjoern.m.haase@web.de> wrote: <snip> > Regarding possible improvements of the draft I still would like to come up with a suggestion: Thank you for the suggestion. Alas there are several procedural and substantive reasons I don't think I'll be following it. > > What about adding a clear and *mandatory* specification for conforming implementations of SPAKE2 on any curve on how to generate the "nothing upon my sleeve" inputs M,N? > > I would recommend mandating a procedure that refers to the current draft version of the h2c draft as it is today. Remember the M and N are computed offline, once. So hunt and peck works, and is what we did for the M and N in the draft for the most common curves of interest. Really there is just P256 and Ed25519 in use. Now, as for the h2c draft, the problem is that draft is far behind in the process, and indeed didn't even exist when we began this work. I'd prefer to not introduce an unnecessary dependency. The other problem is that then changes to the h2c draft would force changes, sometimes big ones to this draft. > > Alternatively, if one would like to avoid references to the h2c draft (in order to make M,N independent of possible future changes in the h2c draft), one could consider using a specification in the style of appendix A in https://eprint.iacr.org/2018/286.pdf, where similar "nothing upon my sleeve" points "A, C" were needed. This draft has already passed through extensive review, including two distinct examinations by the Experts Panel, a rather prolonged post-last call process that discovered several unfortunate mistakes (now corrected!) in test vector generation. At this stage, with the draft in the IRTF chair queue, I am very reluctant to make a change solely because it might be a good idea for a small handful of people doing things on other curves. If there is a genuine implementor need, a separate document can be advanced. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim
- [CFRG] Attack on a Real World SPAKE2 Implementati… Ruben Gonzalez
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Peter Gutmann
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Dan Harkins
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Filippo Valsorda
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Watson Ladd
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Björn Haase
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… steve
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Loup Vaillant-David
- Re: [CFRG] Attack on a Real World SPAKE2 Implemen… Filippo Valsorda
- [CFRG] Modifying SPAKE2 draft for more curves (wa… Watson Ladd
- Re: [CFRG] Modifying SPAKE2 draft for more curves… Hao, Feng
- Re: [CFRG] Modifying SPAKE2 draft for more curves… Hao, Feng