Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document

"Dan Harkins" <> Mon, 15 December 2014 18:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E69551A8729 for <>; Mon, 15 Dec 2014 10:19:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.968
X-Spam-Status: No, score=-1.968 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JXZe5J4x7S7I for <>; Mon, 15 Dec 2014 10:19:50 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id C588A1A8723 for <>; Mon, 15 Dec 2014 10:19:50 -0800 (PST)
Received: from (localhost []) by (Postfix) with ESMTP id ACD90A888132; Mon, 15 Dec 2014 10:19:49 -0800 (PST)
Received: from (SquirrelMail authenticated user by with HTTP; Mon, 15 Dec 2014 10:19:50 -0800 (PST)
Message-ID: <>
In-Reply-To: <>
References: <>
Date: Mon, 15 Dec 2014 10:19:50 -0800
From: Dan Harkins <>
To: Alexey Melnikov <>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "" <>
Subject: Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Dec 2014 18:19:52 -0000


On Sun, December 14, 2014 8:41 am, Alexey Melnikov wrote:
> Hi,
> This message starts 3 weeks adoption call for draft-ladd-spake2. Please
> reply to this message or directly to CFRG chairs, stating one of the
> following
> 1) that you are happy to adopt the draft as a starting point
> 2) that you are not happy to adopt this draft
> or
> 3) that you think the document needs more work before the RG should
> consider adopting it

  I'm in favor of another PAKE being documented but I'm not sure
why SPAKE2 is the one.

> While detailed document reviews are generally welcome, this not a call to
> provide detailed comments on the document.

  SPAKE2 seems to be the Dual_EC_DRBG of PAKEs (and I'm very surprised
the author isn't being accused by a bunch of people on twitter, and some
hack tech blogger, of being an NSA plant out to subvert the Internet). There
are 2 constant elements used in the calculation and knowledge of the scalar
used to generate either of them would allow an attacker to break the
exchange. This draft will need to go through a rigorous NUMS procedure in
order to populate (the currently empty) section 3, a contentious step that
other PAKEs would not need to go through.

  There are other PAKEs out there so it would be nice to know why SPAKE2
is the one that should be pursued.