Re: [Cfrg] PAKE selection repository

Björn Haase <bjoern.m.haase@web.de> Wed, 25 September 2019 14:20 UTC

To: cfrg@irtf.org
References: <04724898-6ABB-4775-8558-ADA6E3EF2A8A@live.warwick.ac.uk>
From: Björn Haase <bjoern.m.haase@web.de>
Message-ID: <d51f2637-ee1d-fd31-cc84-bcc1f9268b50@web.de>
Date: Wed, 25 Sep 2019 16:20:40 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <04724898-6ABB-4775-8558-ADA6E3EF2A8A@live.warwick.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/NZ4uTjXtRKsC1gbguiuDqbMAu-s>
Subject: Re: [Cfrg] PAKE selection repository

Dear Feng,


I agree with all of your points and specifically one of the key questions:

> “Trusted setup vs hash-to-curve - which of these two is considered acceptable,
> or neither?”


It was to prepare a clearer picture specifically for this question
that I reviewed the patent situation regarding hash2curve last week.

After concluding that any patents on hash2curve algorithms could safely
be circumvented, I am now clearly advocating for avoiding "trusted
setup". It's not only a security aspect but also an aspect of
efficiency.


Regarding the algorithms, I'd opt for a one-to-one mapping of hash2curve
algorithm per curve. For Montgomery or (twisted) Edwards curves, I'd
like to suggest elligator2. For the conventional short-Weierstrass form
curves, I'd like to suggest Riad's version of simplified SWU that avoids
using "-1" as a non-square element. The latter also provides a solution
for most curves.


The only real drawback of hash2curve that I am aware of might be related
to legacy designs of secure element chipsets. Unlike for conventional
scalar multiplication there might not be comparable hardware assistance
for hash2curve. However, I am not aware of any legacy secure element
chipset that serves the typical IETF use cases. In my perception most
applications regarding passwords will be software-based and future
secure-element solutions could consider hash2curve without problems.


Yours,


Björn.



On 25.09.2019 at 12:28, Hao, Feng wrote:
>
> Hi Yaron,
>
> Thanks for putting this together. It’s really encouraging to see the
> interest and detailed comments on PAKE from different sectors in
> the industry. After reading all reviews, I think there is a
> fundamental question that needs to be addressed. The question is below:
>
> “Trusted setup vs hash-to-curve - which of these two is considered
> acceptable, or neither?”
>
> If the former is acceptable, we need to fully understand the
> implications once this setup becomes a target of attack and is broken
> in the worst case. However, the implications are not spelt out. If the
> latter is acceptable, the hash-to-curve functions must be fully
> specified. They have to be part of the complete specification for a
> PAKE system, and “fixed” (not movable parts) so people can review the
> whole system and fairly compare it with other techniques. We also
> need to anticipate the likely scenario that in 10-20 years from
> now new EC curves might emerge and have more desirable
> security/efficiency properties, and hence become the preferred choices
> in the industry. Does a general hash-to-curve function exist that can
> adapt to any such curve that may emerge in the future?
>
> Cheers,
>
> Feng
>
> *From: *Cfrg <cfrg-bounces@irtf.org> on behalf of Yaron Sheffer
> <yaronf.ietf@gmail.com>
> *Date: *Friday, 20 September 2019 at 16:30
> *To: *"cfrg@irtf.org" <cfrg@irtf.org>
> *Subject: *[Cfrg] PAKE selection repository
>
> Hi,
>
> We have established a GitHub repository [1] for the source material of
> the PAKE selection candidates, as well as a list of all reviews
> submitted so far. We will update it when new reviews come in.
>
> If you would like to amend a review you have submitted, please send
> the full review to the CFRG mailing list, and then open a Pull Request
> (or a GitHub Issue if that’s easier) with a stable link for the new
> review.
>
> Thanks,
>
> Yaron
>
> [1] https://github.com/cfrg/pake-selection/
>
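Björn's two suggestions above (elligator2 for Montgomery/Edwards curves, simplified SWU with a non-square other than -1 for short-Weierstrass curves), as an added example that is not part of the thread: both maps in plain Python, assuming Curve25519 and P-256 as the target curves and the Z constants of RFC 9380 (the thread names neither the curves nor the constants). It also illustrates Feng's question about generality: the SWU variant takes the non-square Z as a per-curve parameter, which is why it covers most curves.

```python
# Added example (not from the thread): the two hash-to-curve maps named above,
# written in plain Python modular arithmetic. Elligator 2 on Curve25519
# (Montgomery form) and simplified SWU on P-256 (short-Weierstrass form) with
# Z = -10 rather than -1 as the non-square. Curve constants are the standard
# ones; the Z values are those of RFC 9380. Only the x/u-coordinate is produced;
# hashing the input to a field element, recovering y and clearing the cofactor
# are the remaining steps of a complete hash-to-curve suite.

P25519 = 2**255 - 19
A25519 = 486662                 # Curve25519: v^2 = u^3 + A*u^2 + u
Z25519 = 2                      # non-square mod p (p = 5 mod 8); Elligator 2 parameter

P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
A256 = P256 - 3                 # P-256: y^2 = x^3 + A*x + B
B256 = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Z256 = P256 - 10                # non-square mod p; simplified-SWU parameter

def is_square(x, p):
    """Euler's criterion; 0 counts as a square."""
    return x % p == 0 or pow(x, (p - 1) // 2, p) == 1

def g25519(u):                  # right-hand side of the Curve25519 equation
    return (u**3 + A25519 * u * u + u) % P25519

def g256(x):                    # right-hand side of the P-256 equation
    return (x**3 + A256 * x + B256) % P256

def elligator2_curve25519(r):
    """Elligator 2: map any field element r to the u-coordinate of a curve point."""
    r %= P25519
    # 1 + Z*r^2 is never 0: -1 is a square mod this p, so -1/Z is a non-square.
    v = -A25519 * pow(1 + Z25519 * r * r, -1, P25519) % P25519
    # g(-v-A) = Z*r^2 * g(v), a non-square multiple, so exactly one side is square.
    return v if is_square(g25519(v), P25519) else (-v - A25519) % P25519

def sswu_p256(u):
    """Simplified SWU with a general Z: map any field element u to an x on P-256."""
    u %= P256
    t = (Z256 * Z256 * pow(u, 4, P256) + Z256 * u * u) % P256
    if t == 0:                  # exceptional inputs: u = 0 or u^2 = -1/Z
        x1 = B256 * pow(Z256 * A256, -1, P256) % P256   # Z is chosen so g(x1) is square
    else:
        x1 = -B256 * pow(A256, -1, P256) * (1 + pow(t, -1, P256)) % P256
    if is_square(g256(x1), P256):
        return x1
    x2 = Z256 * u * u * x1 % P256   # g(x2) = (Z*u^2)^3 * g(x1), so this one is square
    assert is_square(g256(x2), P256)
    return x2
```

Both functions need no secret or structured parameter beyond the public curve constants, which is the "no trusted setup" property the thread is arguing for.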