[Cfrg] PAKE

"Igoe, Kevin M." <kmigoe@nsa.gov> Wed, 02 May 2012 20:07 UTC

Return-Path: <kmigoe@nsa.gov>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 934D221E80F5 for <cfrg@ietfa.amsl.com>; Wed, 2 May 2012 13:07:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.85
X-Spam-Status: No, score=-8.85 tagged_above=-999 required=5 tests=[AWL=-0.552, BAYES_00=-2.599, HTML_MESSAGE=0.001, MANGLED_OFF=2.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Gv0lBt+xMxWO for <cfrg@ietfa.amsl.com>; Wed, 2 May 2012 13:07:54 -0700 (PDT)
Received: from nsa.gov (emvm-gh1-uea09.nsa.gov []) by ietfa.amsl.com (Postfix) with ESMTP id 6F4E521E80F2 for <cfrg@irtf.org>; Wed, 2 May 2012 13:07:54 -0700 (PDT)
X-TM-IMSS-Message-ID: <342e0f4f0009018c@nsa.gov>
Received: from MSCS-GH1-UEA03.corp.nsa.gov ([]) by nsa.gov ([]) with ESMTP (TREND IMSS SMTP Service 7.1) id 342e0f4f0009018c ; Wed, 2 May 2012 16:08:58 -0400
Received: from MSIS-GH1-UEA06.corp.nsa.gov ([]) by MSCS-GH1-UEA03.corp.nsa.gov with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2012 16:07:51 -0400
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CD289F.4097E5A5"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Wed, 2 May 2012 16:07:51 -0400
Message-ID: <80F9AC969A517A4DA0DE3E7CF74CC1BB425BF6@MSIS-GH1-UEA06.corp.nsa.gov>
Thread-Topic: PAKE
Thread-Index: Ac0on0GmoxGRBW5zQZqTViEfntPTMw==
From: "Igoe, Kevin M." <kmigoe@nsa.gov>
To: <cfrg@irtf.org>, "Dan Harkins" <dharkins@arubanetworks.com>
X-OriginalArrivalTime: 02 May 2012 20:07:51.0644 (UTC) FILETIME=[40D849C0:01CD289F]
Subject: [Cfrg] PAKE
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2012 20:07:55 -0000

One quick piece of feedback.  In the EC case, the construction

of the PassWrod Element (PWE) on the curve involves

trying to take the square root of f = x^3 + ax + b.  This

is MUCH easier to do in p = 3 mod 4 (in this case compute

y = f^( (p+1)/4).  If y^2 = f, your done, otherwise y^2 = -f

and f doesn't have a square root mod p.


The p = 1 mod 4 case gets ugly, especially if p-1 is divisible

by a high power of 2.   Luckily most EC groups use p=3 mod 4.


I'd advise adding the constraint that for eliiptic cureves pmust

be 3 mod 4. 


P.S.  The fact that f has a preferred square root mod p might

eliminate the code that decides whether to use (x,y) or

(x,-y) as the PWE.


Kevin M. Igoe       |   "Everyone is entitled to their own
kmigoe@nsa.gov <mailto:kmigoe@nsa.gov>   |    opinions, but not to their
own facts."
                           |       - Daniel Patrick Moynihan -