IETF Logo Mail Archive

Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.txt

Rene Struik <rstruik.ext@gmail.com> Fri, 26 November 2021 18:23 UTC

Return-Path: <rstruik.ext@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E9433A0969; Fri, 26 Nov 2021 10:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fLuBl2vq2WwA; Fri, 26 Nov 2021 10:23:10 -0800 (PST)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FC5A3A0965; Fri, 26 Nov 2021 10:23:10 -0800 (PST)
Received: by mail-qt1-x834.google.com with SMTP id f20so9741648qtb.4; Fri, 26 Nov 2021 10:23:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:content-language:to :references:from:subject:in-reply-to:content-transfer-encoding; bh=5WuonmNnvLU/aHLAYW1Fib1Wiw1V9d6mMDq131ppd90=; b=RYBgdZfe6yczOfbrGaxz/5XTlykFKFEvkkLwBS5xgw++6G8yZe8oguhpUDxLqcKKku LXmoqCSSu4oYVQABeYIhhFwm32eLL9zRoQKx19lq9avV8DcCNHAP0U4Nm5cVe+nASVCZ 8ZrO+813xcuw+eJ5eXaCdxpLQ3HUXI5/abcHw36PdnMSUuRBR6TcTKuU3CJR3fErW9vl U2Rxa2xp66wvA5lk/TPDi2eRTuRwXalwOQgNz6JkbQ7H5Mpj3aYcYtsbMkbqEx2YP9rO A5A4UTZqZdkxDAfAS9AOJ9hmMyqAlFz0JsK3l9MqIA/MzFuz52uJBX0aJEHH0cLyKql5 wRyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent :content-language:to:references:from:subject:in-reply-to :content-transfer-encoding; bh=5WuonmNnvLU/aHLAYW1Fib1Wiw1V9d6mMDq131ppd90=; b=i0581RP0phfO1q9/XsNQikpSl/yqy11DTASRbblphRDoW2+lLkKacReKjwoNRJ79EF WYoYxyhGOA+mbEF4KiUXswIrLa9GFBPfjk/7mQ4R2xJNap4Zgzv0+BkLQHsmDmIm4NYz O4kkzk/8hAJpAbyVz6i08OxeeCXVWGNnNsRVdvkVyFU6gvIWglsdBW01VstsBLtK9fi7 Byksik7LibSFE1kOKUjEVizsuCVCtGJSw+ubOMyeF9NT7AbCQyfJ9MSJdMA2cmuWYGed Bi9pUBqAvH197kOG5Ei2h7Dg9JOpRXV4ChCVQ7VYAxHTD8xG6DvA3InzGqHk4dE7ErCc PKcw==
X-Gm-Message-State: AOAM5334q7CKsHNzSF9K5/Fo6INw3/MgxGKT14n6k3Z6hoQodX5TyR9L XDkinOPNWhfqwSH9SOMLGNLmYsWurhw=
X-Google-Smtp-Source: ABdhPJxLilIR/1rOu67kUkC0FN8bao5Pg4JmPjE2iZmgdVzd/a8IsVV622XM91q6ZNrEBaTboOc7Ug==
X-Received: by 2002:ac8:5e49:: with SMTP id i9mr27276611qtx.396.1637950987895; Fri, 26 Nov 2021 10:23:07 -0800 (PST)
Received: from ?IPV6:2607:fea8:8a0:1397:1ce8:c977:cc4b:bca4? ([2607:fea8:8a0:1397:1ce8:c977:cc4b:bca4]) by smtp.gmail.com with ESMTPSA id bk25sm3615929qkb.13.2021.11.26.10.23.06 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 26 Nov 2021 10:23:07 -0800 (PST)
Message-ID: <150d01c6-4dd4-81aa-a1b6-c483089d88f7@gmail.com>
Date: Fri, 26 Nov 2021 13:23:03 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Content-Language: en-US
To: cfrg@ietf.org, i-d-announce@ietf.org
References: <163779438705.7630.11284925259086244674@ietfa.amsl.com>
From: Rene Struik <rstruik.ext@gmail.com>
In-Reply-To: <163779438705.7630.11284925259086244674@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/PJivUx9AyI_osymgXggy8Nzdal4>
Subject: Re: [CFRG] I-D Action: draft-irtf-cfrg-spake2-24.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2021 18:23:15 -0000

Dear Watson, Ben:

I did have a brief look at rev24 of the SPAKE2 draft and noticed that 
the abstract now includes the statement "This document predated the CFRG 
PAKE competition and it was not selected, however, given existing use of 
variants in Kerberos and other applications it was felt publication was 
beneficial. Applications that need a symmetric PAKE and where hashing 
onto an elliptic curve at execution time is not possible can use 
SPAKE2". I was wondering which applications would not have the 
capability to perform a hash-to-curve operation (after all, if an 
application implements elliptic-curve arithmetic, it seems unlikely it 
could not easily implement a hash-to-curve mapping). In other words, 
what am I missing?

A few comments from rereading the draft (without trying to be exhaustive 
[I do realize this may be too late in the game, but wonder who looked at 
this stuff carefully]):
1) Proper naming. The draft mentions the curve P512 a few times. I 
presume this should be the NIST curve P-521 (I think I sent Watson an 
offline note on this two years ago). Shouldn't one have a proper 
reference to NIST curves (e.g., FIPS Pub 186-4) and denote these in 
slightly less sloppy way as P-256, P-384, and P-521? {The same remark 
applies to SHA2 hash function family members, which in FIPS 180-4 are 
denoted by SHA-256, SHA-384, and SHA-512.}
2) Representation. Table 1 of the draft refers to edwards25519 and 
edwards448, but RFC 7748 does not specify the encoding format of points 
of these curves. This leaves the transcript TT underspecified. Shouldn't 
one also specify whether one uses compressed or uncompressed formats?
3) Test vectors. Appendix B only gives test vectors for SPAKE2 with the 
{P-256, SHA-256, HKDF, HMAC} suite. Given that Table 1 lists many more 
ciphersuites, this makes me wonder why this particular one was singled 
out in Appendix B.
4) Ciphersuites. Table 1 uses two ciphersuites with P-256, viz. one wish 
SHA-256 and one with SHA-512. What is the reason for including SHA-512? 
If this was only included because SHA-256 was deemed "too short" for key 
derivation, this seems more an artifact of the key derivation itself 
(where one partitions Hash(TT) into two half-size strings) and would be 
easily remedied by using the (already used) hkdf function for key 
derivation).
5) Security Considerations. The main construction does not mention at 
all that M and N should be elements of the prime-order subgroup (of, 
unfortunately named, order "p"), while this is required to not leak w 
(mod h), where h is the co-factor of the group. It would be beneficial 
to have a reference that illustrates why "x" and "y" cannot be reused at 
all (or a simple illustration in a sentence or two that a single repeat 
destroys security [this is not entirely obvious]).
6) Some small notes:
-i) The set-up (Section 3.2) considers very general set-ups (groups in 
which the gap-Diffie-Hellman problem is hard), but then refers to 
"points at infinity" and SEC1 formatting, where the former is not 
defined for (complete) twisted Edwards curves and where the latter is 
only defined for short-Weierstrass curves. Lots of concepts are 
well-known to insiders, but not so much to others (as an example, "we 
will work in the quotient group" may make sense to people with a 
background in abstract algebra, but perhaps not too much to others. 
Moreover, there are many ways to represent elements of a quotient 
group...).
ii) According to the abstract, SPAKE2 is above all useful if one does 
not have access to hash-to-curve functionality, which makes me wonder 
why (in Section 3.2, p.4, 2nd para) one suddenly invokes hash-to-curve 
concepts. Even if one would use this (seemingly superfluous) reference, 
one should then at least properly introduce notions as DST and indicate 
which of the zillions of flavors of hash-to-curve constructs one wishes 
to recommend (since you use "SHOULD", one would expect some precision 
here). If hash-to-curve is somehow used in the draft, why weren't the M 
and N parameters generated that way (rather than using the 
trial-and-error method)? This would also make it much easier for an 
implementation to check whether  and N were indeed generated that way.
iii) In the informal introduction of KDF (Section 3.2, p. 5), both ikm 
and IKM are used, while MAC is used without arguments (e.g., 
MAC(key,msg)). Since the hash function has as output a bit string, 
shouldn't its minimum length be 256 bits (rather than 32 bytes)?


On 2021-11-24 5:53 p.m., internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Crypto Forum RG of the IRTF.
>
>          Title           : SPAKE2, a PAKE
>          Authors         : Watson Ladd
>                            Benjamin Kaduk
> 	Filename        : draft-irtf-cfrg-spake2-24.txt
> 	Pages           : 17
> 	Date            : 2021-11-24
>
> Abstract:
>     This document describes SPAKE2 which is a protocol for two parties
>     that share a password to derive a strong shared key without
>     disclosing the password.  This method is compatible with any group,
>     is computationally efficient, and SPAKE2 has a security proof.  This
>     document predated the CFRG PAKE competition and it was not selected,
>     however, given existing use of variants in Kerberos and other
>     applications it was felt publication was beneficial.  Applications
>     that need a symmetric PAKE and where hashing onto an elliptic curve
>     at execution time is not possible can use SPAKE2.  This document is a
>     product of the Crypto Forum Research Group (CFRG) in the IRTF.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/
>
> There is also an htmlized version available at:
> https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-spake2-24
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-spake2-24
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> CFRG mailing list
> CFRG@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg


-- 
email: rstruik.ext@gmail.com | Skype: rstruik
cell: +1 (647) 867-5658 | US: +1 (415) 287-3867

v2.23.0 | Report a Bug | By Email