Re: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)

"Hao, Feng" <> Wed, 20 November 2019 10:52 UTC

From: "Hao, Feng" <>
To: "Stanislav V. Smyshlyaev" <>, CFRG <>
Date: Wed, 20 Nov 2019 10:52:43 +0000
List-Id: Crypto Forum Research Group <>


I’m not involved in the panel review, but the following is my personal observation.

It seems to me that this standardization process is tangled with modifying protocols and fixing issues as they arise along the way. The changes raised below are not anything trivial. As we should all know well, designing a cryptographic protocol is extremely delicate and error-prone – it often takes several years of public scrutiny to uncover flaws; even for protocols that are “provably secure”, the proofs may contain errors or invalid assumptions, which can also take several years to be discovered. If a protocol is to be considered for standardization, first of all, it really needs to be “completely” specified, and “fixed” (no movable parts). Then, give plenty of time for public scrutiny and time for maturity. If no attacks are found, the public confidence in the security of the protocol will grow over time. In most cases, designers of a protocol only have a chance to get it right – either at the start or never. Allowing heuristic or retrospective changes would not help increase public confidence.


From: Cfrg <> on behalf of "Stanislav V. Smyshlyaev" <>
Date: Wednesday, 20 November 2019 at 07:44
To: "" <>
Subject: [Cfrg] A question to be added to the Round 2 questions list for nominated PAKEs (about SPAKE2)

Dear CFRG,

I've just sent two questions to be considered to be added to the Round 2 questions list, including: "Can you propose a modification of SPAKE2 (preserving all existing good properties of SPAKE2) with a correspondingly updated security proof, addressing the issue of a single discrete log relationship necessary for the security of all sessions (e.g., solution based on using M=hash2curve(A|B), N=hash2curve(B|A))?"

We've had a discussion with Dan Harkins about possible improvements of SPAKE2 (many thanks to him for such a fruitful discussion!): it seems that the only major issue about SPAKE2 can be solved by using M=hash2curve(A|B), N=hash2curve(B|A). It seems that there can't be any additional side-channel issues (like occurred in Dragonfly), since the proposed modification needs only calculations based on publicly available information.

Of course, such a modification requires additional security analysis of SPAKE2, modified accordingly.

Best regards,
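A toy run of the modification proposed above, as an added example that is not from this thread or from any SPAKE2 draft: it runs the SPAKE2 exchange over a small constructed Schnorr group instead of an elliptic curve, and the `hash_to_group` stand-in for hash2curve, the identity labels and the transcript-hash key derivation are assumptions. The point it shows is that M and N become per-pair group elements with no discrete-log relation to G (or to each other) that any party had to generate, instead of one global pair that every session's security depends on.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): p = 2q + 1 with p, q prime,
# G a generator of the order-q subgroup of squares mod p.
def _is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def _safe_prime(start):
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p

P = _safe_prime(1 << 20)
Q = (P - 1) // 2
G = 4  # 4 = 2^2 is a square mod p and != 1, so it has order q

def hash_to_group(label: bytes) -> int:
    """Stand-in for hash2curve: hash a label to a subgroup element nobody chose."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % P
        e = pow(h, 2, P)                      # squaring lands in the order-q subgroup
        if e not in (0, 1):
            return e
        ctr += 1

def per_pair_constants(a_id: bytes, b_id: bytes):
    """The proposed change: M = hash2curve(A|B), N = hash2curve(B|A) per identity pair."""
    return hash_to_group(a_id + b"|" + b_id), hash_to_group(b_id + b"|" + a_id)

def _password_scalar(pw: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"pw" + pw).digest(), "big") % Q

def spake2_exchange(a_id: bytes, b_id: bytes, pw_a: bytes, pw_b: bytes):
    """One SPAKE2 session with per-pair M, N; returns (key_A, key_B), equal iff pw_a == pw_b."""
    M, N = per_pair_constants(a_id, b_id)
    wA, wB = _password_scalar(pw_a), _password_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1   # ephemeral secrets
    X = pow(G, x, P) * pow(M, wA, P) % P      # A -> B: g^x * M^w
    Y = pow(G, y, P) * pow(N, wB, P) % P      # B -> A: g^y * N^w
    K_A = pow(Y * pow(N, (Q - wA) % Q, P) % P, x, P)   # (Y / N^w)^x, N^-w = N^(q-w)
    K_B = pow(X * pow(M, (Q - wB) % Q, P) % P, y, P)   # (X / M^w)^y
    def kdf(K, w):  # key = H(A | B | X | Y | K | w), a transcript hash (assumed format)
        t = b"|".join(v.to_bytes(4, "big") for v in (X, Y, K, w))
        return hashlib.sha256(a_id + b"|" + b_id + b"|" + t).hexdigest()
    return kdf(K_A, wA), kdf(K_B, wB)
```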