Re: [Cfrg] Requirements for PAKE schemes

Schmidt, Jörn-Marc <Joern-Marc.Schmidt@secunet.com> Tue, 26 April 2016 12:28 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/ewm1jfHdPJ_RlD8Nd1FjyPH8jZU>

Hello Evgeny,

Thank you for reading the document and your suggestion. It's true, those two requirements are pretty similar. I have separated them to stress that constant time is very important and everything above a "may". But you're right, I can merge these two and use SHOULD.

Best regards,

Jörn

-----Original Message-----
From: Евгений Алексеев [mailto:geni-cmc@mail.ru]
Sent: Friday, 22 April 2016 16:33
To: cfrg@irtf.org; Schmidt, Jörn-Marc; KennyKenny.Paterson@rhul.ac.uk; alexey.melnikov
Subject: Re: [Cfrg] Requirements for PAKE schemes

Hello!
The R3 and R4 requirements seem to be very similar, as I understand. The requirement to show how to protect an implementation in a hostile environment includes the requirement of the necessity to implement the scheme in constant time. Maybe it is reasonable to formulate R3 and R4 together in the following way:

R4: It SHOULD be possible to implement the PAKE scheme in hostile environments safely, particularly to implement the PAKE scheme in constant time to protect from timing attacks.

-- 
Best regards,
Evgeny Alekseev,
Moscow State University, Technical committee for standardisation "Cryptography and security mechanisms" (ТC 26).