Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document

Watson Ladd <> Mon, 15 December 2014 18:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 400651A8758 for <>; Mon, 15 Dec 2014 10:47:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Zt_lmwu0x68r for <>; Mon, 15 Dec 2014 10:47:53 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c01::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 050861A8767 for <>; Mon, 15 Dec 2014 10:47:21 -0800 (PST)
Received: by with SMTP id a41so5434435yho.28 for <>; Mon, 15 Dec 2014 10:47:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=M71yvzVUUwWgedVSrzsu/gMlXlc2eVmTqKFmu2x2gEc=; b=TRrVS1GHqROLDy2ticNw1YpeUowzxBSsyl9TIfNgRDiztaVIJxOeHiZAjqhxCNBuiN dpeqz37vcbmoRVMScF2SRzSM/ndAEJUC6ecG43fNq+Xk0g3j9Wchwr4nIKPxRX8UQr9M Lykvnq5DXtdzZGZpVyDj8kQZXFKrGN+wIh3OG7uhMYdhwNZ3/ICSw+9C4w/FPdjtSUdd mpxuoF33DhuxjzUxG66xBCdCEvU86BiHHStY1PrOkRd50CjZ63hor0j1qJuiEW7QItgM paeXCTXgLcc5yszPjasuIDv+iz050Ie/UAKGeIM9pEsd3P/l6AGZ5TG2Ev9PvAl5sC3x Yi5Q==
MIME-Version: 1.0
X-Received: by with SMTP id 40mr23229916yho.172.1418669240146; Mon, 15 Dec 2014 10:47:20 -0800 (PST)
Received: by with HTTP; Mon, 15 Dec 2014 10:47:20 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Mon, 15 Dec 2014 10:47:20 -0800
Message-ID: <>
From: Watson Ladd <>
To: Dan Harkins <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Cfrg] Adoption of draft-ladd-spake2 as a RG document
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 15 Dec 2014 18:47:55 -0000

On Mon, Dec 15, 2014 at 10:19 AM, Dan Harkins <> wrote:
>   Hello,
> On Sun, December 14, 2014 8:41 am, Alexey Melnikov wrote:
>> Hi,
>> This message starts 3 weeks adoption call for draft-ladd-spake2. Please
>> reply to this message or directly to CFRG chairs, stating one of the
>> following
>> 1) that you are happy to adopt the draft as a starting point
>> 2) that you are not happy to adopt this draft
>> or
>> 3) that you think the document needs more work before the RG should
>> consider adopting it
>   I'm in favor of another PAKE being documented but I'm not sure
> why SPAKE2 is the one.
>> While detailed document reviews are generally welcome, this not a call to
>> provide detailed comments on the document.
>   SPAKE2 seems to be the Dual_EC_DRBG of PAKEs (and I'm very surprised
> the author isn't being accused by a bunch of people on twitter, and some
> hack tech blogger, of being an NSA plant out to subvert the Internet). There
> are 2 constant elements used in the calculation and knowledge of the scalar
> used to generate either of them would allow an attacker to break the
> exchange. This draft will need to go through a rigorous NUMS procedure in
> order to populate (the currently empty) section 3, a contentious step that
> other PAKEs would not need to go through.

Google has deployed this protocol with parameters generated by the
following code:

Do you see any way in which the discrete logarithm could be determined
from this or any other substantially similar procedure? If so, please
provide the procedure to this list, give us a week or two to think
about it, and then reveal the logarithm of the generated points.

>   There are other PAKEs out there so it would be nice to know why SPAKE2
> is the one that should be pursued.

I understand there is an AugPAKE draft already. But AugPAKE is
patented. There are alternatives, and I'm not committed to the
particular choice of PAKE: I've been informed of a few others to look
at and am examining them to see if they offer any advantages to
switch. I do think we need a PAKE with a solid security proof, and
several people have placed augmentation on the list of desiderata.

Watson Ladd

>   regards,
>   Dan.
> _______________________________________________
> Cfrg mailing list

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin