[Cfrg] Proof of SPAKE2 is sound?

Watson Ladd <watsonbladd@gmail.com> Mon, 09 September 2019 00:34 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 08 Sep 2019 17:33:56 -0700
Message-ID: <CACsn0cmFmX5VFer5-YMbBsPzyyYG12KzMDwYR7m38uHOb_AORA@mail.gmail.com>
To: cfrg@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/jBUSpq9xOOyOuwVUhd5E55_89TU>
Subject: [Cfrg] Proof of SPAKE2 is sound?

Dear all,

I've spent the weekend looking at the paper and examining Scott
Fluhrer's claimed flaw. My conclusion is that the paper is sound and
Scott's claimed attacks result from a misreading of the security
claim.

Scott claims the theorem is invalid and one error is in the transition
from Experiment 2 to Experiment 3. However, the only change is in a
query for sessions that haven't been tampered with: there is no
problem with the switch.

Offline he claimed Theorem 8 was wrong because it didn't accommodate
an attacker who knows a discrete log of M or N. I disagree: that's
what the s-pccdh Advantage term captures; the entire proof is based on
extracting a discrete log from an attacker who breaks the protocol.

It's entirely possible that I'm misrecalling the objection and would
appreciate clarification/more eyes on the paper.

Sincerely,
Watson Ladd
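For readers following the thread who have not seen the protocol laid out, the following is an added illustration of the SPAKE2 exchange that the proof is about; it is not code from the paper, from the CFRG draft, or from the message above. It runs both sides of the exchange in a constructed toy group (p = 1019, q = 509, g = 4, all assumptions chosen for readability, not security), derives the public constants M and N by hashing so that nobody picks their discrete logs, rejects received elements that are not in the prime-order subgroup, and shows that the session key and the key-confirmation MAC agree only when both passwords match. The role of M and N in the code is exactly the point of the discussion above: the proof's advantage term refers to these two fixed elements.

```python
"""Toy SPAKE2 exchange over a tiny prime-order group.

Added illustration, not code from the SPAKE2 paper, the CFRG draft, or
the message above. The group, the hash-to-group rule and the transcript
layout are constructed for this example (assumptions, not the spec).
"""
import hashlib
import hmac
import secrets

# Constructed toy parameters (assumption): p = 2q + 1 is a safe prime and
# g = 4 generates the order-q subgroup of quadratic residues mod p.
# A 10-bit p is for readability only; it offers no security at all.
P = 1019
Q = 509
G = 4


def hash_to_group(label: bytes) -> int:
    """Derive a fixed subgroup element whose discrete log nobody chose.
    Squaring a non-zero residue lands in the order-q subgroup; the counter
    loop skips the degenerate values 0 and 1."""
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big")
        elem = pow(h % P, 2, P)
        if elem not in (0, 1):
            return elem
    raise RuntimeError("could not derive a group constant")


# Public constants with (ideally) unknown discrete logs: the s-PCCDH
# advantage term in the proof is about exactly these two elements.
M = hash_to_group(b"SPAKE2 constant M")
N = hash_to_group(b"SPAKE2 constant N")


def password_scalar(password: bytes) -> int:
    """w = H(password) mod q, the scalar that blinds M and N."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q


def in_subgroup(elem: int) -> bool:
    """Accept only non-identity elements of the order-q subgroup."""
    return 1 < elem < P and pow(elem, Q, P) == 1


class Party:
    """One side of the exchange: A blinds with M, B blinds with N."""

    def __init__(self, name: bytes, password: bytes, const: int):
        self.name = name
        self.w = password_scalar(password)
        while True:
            self.secret = secrets.randbelow(Q - 1) + 1   # x or y in [1, q)
            # Public message g^secret * const^w; resample if it degenerates
            # to the identity (negligible in a real group, possible here).
            self.msg = pow(G, self.secret, P) * pow(const, self.w, P) % P
            if self.msg != 1:
                break

    def raw_shared_secret(self, peer_msg: int, peer_const: int) -> int:
        """K = (peer_msg / peer_const^w)^secret, i.e. g^(xy) when w agrees."""
        if not in_subgroup(peer_msg):
            raise ValueError("peer element is not a valid subgroup element")
        unblind = pow(pow(peer_const, P - 2, P), self.w, P)   # peer_const^(-w)
        return pow(peer_msg * unblind % P, self.secret, P)


def session_key(a_msg: int, b_msg: int, k: int, w: int) -> bytes:
    """Hash the transcript (identities, X, Y, K, w) into the session key."""
    tt = b"|".join([b"alice", b"bob"] + [str(v).encode() for v in (a_msg, b_msg, k, w)])
    return hashlib.sha256(tt).digest()


def run_spake2(password_a: bytes, password_b: bytes):
    """Run one exchange; returns (key_A, key_B, confirmation_ok)."""
    alice = Party(b"alice", password_a, M)   # sends X = g^x * M^w
    bob = Party(b"bob", password_b, N)       # sends Y = g^y * N^w
    k_a = alice.raw_shared_secret(bob.msg, N)
    k_b = bob.raw_shared_secret(alice.msg, M)
    key_a = session_key(alice.msg, bob.msg, k_a, alice.w)
    key_b = session_key(alice.msg, bob.msg, k_b, bob.w)
    # Key confirmation: B checks A's MAC under its own key, in constant time.
    tag_a = hmac.new(key_a, b"SPAKE2 confirm", hashlib.sha256).digest()
    tag_b = hmac.new(key_b, b"SPAKE2 confirm", hashlib.sha256).digest()
    return key_a, key_b, hmac.compare_digest(tag_a, tag_b)


if __name__ == "__main__":
    ka, kb, ok = run_spake2(b"correct horse", b"correct horse")
    print("matching passwords: same key =", ka == kb, "confirmed =", ok)
    ka, kb, ok = run_spake2(b"correct horse", b"battery staple")
    print("mismatched passwords: same key =", ka == kb, "confirmed =", ok)
```

The subgroup check in raw_shared_secret is the one piece worth carrying into any real implementation: an element outside the prime-order subgroup (or the identity) would let a peer steer K into a tiny set, which is why the specification requires the check on received points.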