Re: [Cfrg] Some questions on draft-irtf-cfrg-spake2

Richard Barnes <rlb@ipv.sx> Mon, 16 April 2018 19:03 UTC

In-Reply-To: <1c81c2e1-0569-3a2a-3712-8b855bb0ee0d@mit.edu>
References: <CAL02cgTWMafMKQag-vGy7dtUK_A0X2SHhnwDxJj3-crQyrS1Wg@mail.gmail.com> <1c81c2e1-0569-3a2a-3712-8b855bb0ee0d@mit.edu>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 16 Apr 2018 15:03:28 -0400
Message-ID: <CAL02cgTZsJnosk9w8SBEvyiHy1bcW2wmggGF1_12+fwW-per+g@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: CFRG <cfrg@irtf.org>, Benjamin Kaduk <kaduk@mit.edu>, Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008f01c70569fbe089"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/cA5odrHHba9udmK1ZMaloW32OFc>
Subject: Re: [Cfrg] Some questions on draft-irtf-cfrg-spake2

Thanks, Greg, I had missed that point.

It might be worth noting that in the text somewhere, perhaps in the
Security Considerations.


On Mon, Apr 16, 2018 at 11:31 AM, Greg Hudson <ghudson@mit.edu> wrote:

> On 04/16/2018 10:45 AM, Richard Barnes wrote:
> > 1. The secrets w, w0, w1 aren't really specified, except "typically w
> > will be the hash of a user-supplied password, truncated and taken mod
> > p."  However, in the security considerations, you say "the
> > multiplication by cofactors eliminates the potential for membership in a
> > small-order subgroup".
> >
> > Don't you need to specify that the integer w / w0 / w1 is divisible by
> > h, or equivalently, multiply it by h before use in the protocol?  It
> > seems like if not, then you end up leaking w mod h.
>
> w is multiplied by M or N, not by a point chosen by the peer.  Since M
> and N are members of the prime-order subgroup, wM and wN will also be.
>
> If a rogue peer sends a T or S value which is not in the prime-order
> subgroup, S-wN or T-wM will also not be in the prime-order subgroup,
> whether or not w is divisible by h.  But multiplication by x or y to
> produce x(S-wN) or y(T-wM) will yield a point in the prime-order
> subgroup, because x and y are divisible by h.  This step is what the
> security consideration refers to by "multiplication by cofactors".
>
> [I do not have a response to point 2, as SPAKE2+ isn't in my area of
> interest for this draft.]
>
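The cofactor argument in Greg's reply, worked through as an added toy model (this is illustrative code, not from draft-irtf-cfrg-spake2 or from either poster). It assumes a cyclic group of order h*p written additively as integers mod h*p, with the prime-order subgroup being the multiples of h and the small-order points the multiples of p; the constants H, P, M, N_ and the scalar choices are constructed for the example.

```python
import secrets

H = 8            # cofactor (Curve25519 and Ed25519 have h = 8)
P = 1009         # small prime standing in for the large subgroup order
ORDER = H * P    # full group order; "points" are integers mod ORDER


def in_prime_order_subgroup(pt):
    # Lagrange: pt has order dividing P iff P*pt is the identity.
    return (P * pt) % ORDER == 0


def mul(k, pt):
    return (k * pt) % ORDER


def add(a, b):
    return (a + b) % ORDER


G = H % ORDER           # generator of the prime-order subgroup
M = mul(3, G)           # the draft's fixed constants, modelled as subgroup points
N_ = mul(5, G)
TORSION = P % ORDER     # a point of small order H, outside the subgroup


def key_point(x, S, w):
    # What each side computes in SPAKE2: x * (S - w*N); w need not be a multiple of H
    return mul(x, add(S, -mul(w, N_)))


def run(x, w, inject_torsion):
    """Simulate one side receiving S and return (shared point, offset from honest xY).

    The offset is the contribution of any small-order component of S; it is 0
    exactly when that component has been cancelled.
    """
    y = H * secrets.randbelow(P)    # honest peer's cofactor-cleared scalar
    Y = mul(y, G)
    S = add(Y, mul(w, N_))          # honest S = Y + w*N
    if inject_torsion:
        S = add(S, TORSION)         # rogue peer adds a small-order point to S
    K = key_point(x, S, w)
    return K, (K - mul(x, Y)) % ORDER
```

With x a multiple of H the injected small-order point contributes nothing; with x not a multiple of H the offset equals (x mod H) * P, i.e. the low bits of x show up in the derived key, which is the leak the cofactor multiplication prevents.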