Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-irtf-cfrg-spake2-12.txt

Björn Haase <bjoern.haase@endress.com> Mon, 24 August 2020 13:03 UTC

From: Björn Haase <bjoern.haase@endress.com>
To: Watson Ladd <watsonbladd@gmail.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
CC: "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "<cfrg@ietf.org>" <cfrg@ietf.org>, Russ Housley <housley@vigilsec.com>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Date: Mon, 24 Aug 2020 13:03:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Jj5mBAOu9JjCl6czDO0dbULk_ss>

Dear Watson, 

If I understood correctly Manuel and Michel's proof, the reduction to the GAP version of CDH problem refers only to the "perfect-forward security" aspect of the SPAKE2 proofs.

To my best knowledge, the game-based proof regarding the "only one password guess per session" feature does rely on "Discrete Logarithm Password-based Chosen-basis Computational Diffie-Hellman assumption" (DLPWBCDH) (i.e. without the "GAP"). 

IIRC there is some small margin between the CDH and DLPWBCDH but there is no need for the GAP assumption when carrying out the proof in the game-based models, except for the forward-security aspect which to my knowledge requires the DDH oracle. 

For the UC proofs, OTOH, the GAP assumption appears to be mandatory, IIUC, since this proof strategy also implies forward security.

I'm in close contact with Michel for the CPace draft preparation and I'll ask him what specific wording he would be recommending for your document, the next time I'll be talking to him.

Yours,

Björn.



Best Regards

Dr. Björn Haase 


Senior Expert Electronics | TGREH Electronics Hardware

Endress+Hauser Liquid Analysis

Endress+Hauser Conducta GmbH+Co.KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
Phone: +49 7156 209 377 | Fax: +49 7156 209 221
bjoern.haase@endress.com |  www.ehla.endress.com 


-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Watson Ladd
Sent: Monday, 24 August 2020 14:42
To: Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: crypto-panel@irtf.org; <cfrg@ietf.org> <cfrg@ietf.org>; Russ Housley <housley@vigilsec.com>; cfrg-chairs@ietf.org
Subject: Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-irtf-cfrg-spake2-12.txt

On Sun, Aug 23, 2020 at 3:20 PM Scott Fluhrer (sfluhrer)
<sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
>
> I looked through it (the Crypto20 crypto conference was last week, that kept me busy); it looked good, with two nits:

Thank you very much for reviewing it so quickly!

>
>
>
> Section 3.1 states “Lets G be a group in which the computational Diffie-Hellman (CDH) problem is hard”.  Actually, if you go through the security proof, it appears that the slightly stronger “S-PCCDH assumption” is required.  While it is plausible that, for any group where the CDH assumption holds, so does the S-PCCDH assumption, however, this is not proven.

So recently https://eprint.iacr.org/2019/1194.pdf reduces to Gap
Diffie-Hellman. I think I should revise that sentence of 3.1 and
discuss in security considerations section exactly what is assumed and
that elliptic curves in the draft are widely conjectured to satisfy
it. Hopefully this won't confuse anyone more than necessary.

> This draft still relies on fixed (per group) M and N values; as we have argued before, having a global N and M value means that breaking one discrete problem would mean breaking the entire system globally, and so that is arguably too attractive as a target.  Assuming that the authors aren’t willing to use a Hash2Curve method to generate N, M values, I would recommend that a paragraph be added to the document outlining the situation (and preferably giving a procedure where individual protocols can select their own N, M values)

Section 5: https://tools.ietf.org/id/draft-irtf-cfrg-spake2-11.html#rfc.section.5
has M and N per user, following one of the papers in the references.
I think a per-protocol option makes sense to add, but it would be nice
to know if it would be used.


>
> From: Scott Fluhrer (sfluhrer)
> Sent: Monday, August 17, 2020 7:50 AM
> To: Stanislav V. Smyshlyaev <smyshsv@gmail.com>; Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org
> Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org
> Subject: RE: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
>
> I’ll take a quick look at it.
>
> From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev
> Sent: Monday, August 17, 2020 4:40 AM
> To: Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org
> Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org
> Subject: Re: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
>
> Dear Russ, dear Crypto Panel experts,
>
> Any volunteers for a quick review of the updated version of the SPAKE2 draft (before commencing a RGLC)?
>
> Regards,
>
> Stanislav
>
> On Tue, 11 Aug 2020 at 20:02, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> On 11/08/2020 17:47, Alexey Melnikov wrote:
>
> Hi Russ,
>
> On 11/08/2020 17:43, Russ Housley wrote:
>
> > We recommend the following two protocols to be selected as «recommended by the CFRG for usage in IETF protocols»: one balanced PAKE - CPace, and one augmented PAKE - OPAQUE.
>
> What was the point of the selection process if we are going to publish the ones that were not selected too?
>
> It is needed by Kitten WG for one of Kerberos documents. The idea is to publish it with a disclaimer that it predated PAKE selection process and was not selected as one of the finalists.
>
> To clarify: we don't intend to publish any other PAKE candidates that weren't finalists.
>
> Best Regards,
>
> Alexey
>
> Russ
>
> On Aug 11, 2020, at 10:57 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
>
> Dear Crypto Panel experts,
>
> Could someone please take a quick look at the updated version (taking into account the reviews made during the PAKE selection process)?
>
> Regards,
>
> Stanislav (on behalf of CFRG chairs)
>
> ---------- Forwarded message ---------
> From: Watson Ladd <watsonbladd@gmail.com>
> Date: Mon, 10 Aug 2020 at 23:29
> Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
> To: <cfrg@ietf.org>
>
> This fixes the comment on missing identities received during the PAKE
> competition which was the only one I found.
>
> I think it's ready for RGLC.
>
> On Mon, Aug 10, 2020 at 4:27 PM <internet-drafts@ietf.org> wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> >
> >         Title           : SPAKE2, a PAKE
> >         Authors         : Watson Ladd
> >                           Benjamin Kaduk
> >         Filename        : draft-irtf-cfrg-spake2-12.txt
> >         Pages           : 16
> >         Date            : 2020-08-10
> >
> > Abstract:
> >    This document describes SPAKE2 which is a protocol for two parties
> >    that share a password to derive a strong shared key with no risk of
> >    disclosing the password.  This method is compatible with any group,
> >    is computationally efficient, and SPAKE2 has a security proof.  This
> >    document predated the CFRG PAKE competition and it was not selected.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-irtf-cfrg-spake2-12
> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-spake2-12
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-spake2-12
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
>
> _______________________________________________
> Crypto-panel mailing list
> Crypto-panel@irtf.org
> https://www.irtf.org/mailman/listinfo/crypto-panel
>



--
"Man is born free, but everywhere he is in chains".
--Rousseau.
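As an added illustration of the M/N point raised above (this is constructed example code, not code from the draft, its authors, or anyone in the thread): a toy SPAKE2 over edwards25519 in pure Python in which M and N are derived per protocol from seed strings by a try-and-increment hash-to-group, so that nobody knows their discrete logarithms to the base point. The seed labels, function names and the hash-to-group method are assumptions for the example, not the draft's own procedure; the key derivation is likewise simplified.

```python
import hashlib
import secrets
# edwards25519 parameters (RFC 8032); affine arithmetic, for illustration only
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
D = (-121665 * pow(121666, -1, P)) % P
ID = (0, 1)  # neutral element

def add(a, b):  # affine twisted-Edwards addition with a = -1
    x1, y1 = a
    x2, y2 = b
    k = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow((1 + k) % P, -1, P)
    y3 = (y1 * y2 + x1 * x2) * pow((1 - k) % P, -1, P)
    return (x3 % P, y3 % P)

def mul(k, pt):  # double-and-add, not constant time
    r = ID
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r

def decompress(enc):  # RFC 8032 point decoding; None if not a curve point
    y = int.from_bytes(enc, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P:
        return None
    x2 = (y * y - 1) * pow((D * y * y + 1) % P, -1, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    if (x * x - x2) % P or (x == 0 and sign):
        return None
    return (P - x if (x & 1) != sign else x, y)

def hash_to_group(seed):
    # Try-and-increment: hash seed||counter, decode, clear the cofactor. The
    # discrete log of the result to base G is unknown to everyone, which is the
    # property SPAKE2 needs of M and N. (Constructed method, not the draft's.)
    ctr = 0
    while True:
        cand = decompress(hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest())
        if cand is not None:
            pt = mul(8, cand)
            if pt != ID:
                return pt
        ctr += 1

BASE = decompress((4 * pow(5, -1, P) % P).to_bytes(32, "little"))  # G, y = 4/5
M = hash_to_group(b"example-protocol-v1 SPAKE2 M")  # constructed per-protocol seeds
N = hash_to_group(b"example-protocol-v1 SPAKE2 N")

def password_scalar(pw):  # w = H(pw) mod L; real code would use a memory-hard KDF
    return int.from_bytes(hashlib.sha512(pw).digest(), "little") % L

def encode(pt):
    return (pt[1] | ((pt[0] & 1) << 255)).to_bytes(32, "little")

def spake2(pw_a, pw_b):  # A holds pw_a, B holds pw_b; returns (key_A, key_B)
    w_a, w_b = password_scalar(pw_a), password_scalar(pw_b)
    x, y = secrets.randbelow(L - 1) + 1, secrets.randbelow(L - 1) + 1
    X = add(mul(x, BASE), mul(w_a, M))  # A -> B: X = x*G + w*M
    Y = add(mul(y, BASE), mul(w_b, N))  # B -> A: Y = y*G + w*N
    for pt in (X, Y):  # each side rejects elements outside the prime-order subgroup
        if mul(L, pt) != ID:
            raise ValueError("received element not in the prime-order subgroup")
    K_a = mul(x, add(Y, mul(L - w_a, N)))  # A: x*(Y - w*N) = xy*G if passwords match
    K_b = mul(y, add(X, mul(L - w_b, M)))  # B: y*(X - w*M)
    tt = encode(X) + encode(Y)  # transcript: both messages, the shared element, and w
    key_a = hashlib.sha256(tt + encode(K_a) + w_a.to_bytes(32, "little")).digest()
    key_b = hashlib.sha256(tt + encode(K_b) + w_b.to_bytes(32, "little")).digest()
    return key_a, key_b
```

A per-protocol deployment would only change the seed strings; per-user M and N as in Section 5 of the draft would hash a per-user label into the seed in the same way.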
