Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20

Julia Hesse <> Tue, 14 September 2021 21:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A2C5C3A2FA9 for <>; Tue, 14 Sep 2021 14:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id elTkBbZpicdE for <>; Tue, 14 Sep 2021 14:11:31 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B7DC3A2F9A for <>; Tue, 14 Sep 2021 14:11:31 -0700 (PDT)
Received: by with SMTP id s24so553922wmh.4 for <>; Tue, 14 Sep 2021 14:11:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=GCHiHrPofAuXqNXlu4W8lpd+2RvEtbqWvxkrAoDTz+o=; b=A/xIOV+u+tS7xoHzbM0+CW5mQNN3NOcqKHi7GmkvY5w01OIy/vGjttzlBBe5nqriDt TSG6s3PWycD89wS2HNupScoBDgqDgyzGENcd+qj1fJRT0WC054+VkRLtO6vbKimsE0Jz m0Fw9em6l3FIpkd9Y0j65yiO4kMdDqfL3hAh2YJO59BqF5FizAvp+Lei/7YReO0fuuKI dBFVXanWU7/efJ6Gq64B+IcWETJgvCKKVTrx24dgmvNAn/gKO5TVQQtBuwl3AwOTyiJG NEPQ99aI7iVK1AgvyXuqxXaqVvIPcBpgHdYwAJYT2wrGUaGolk2o0COmh/yUxwx4VU6J 7KGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=GCHiHrPofAuXqNXlu4W8lpd+2RvEtbqWvxkrAoDTz+o=; b=btsHUV3U3Har7F+HId5/9b9a2lz/RK0Ipx9SZdvWjZTib2Pvsfx83PiAy5s7+SwmWD KlXlSyYn0K/qVXiTOrkBZsXWdIGLRXfAQyg2aYY51uaqIYd1Ba1LF2BBljWkOwVSHlxw htgJUkpv8kUGLt4+LaeWUASkh17/IMl1xkuvwQ4SzyqnY4xuWiTypczcVpGhrnQoZWHE s5cPq0nq+J2BvabyukAYhYE38HeuN9ha5nH2Ig0lEIgqOm4h9FC2StrRN7fgzsFCFOaL caQFa2pomkA10P4xOPBQvi8gY/yq1HXiTGCww+xuBybcFWjQaEouwfMFo4fsoZKc31Xl GHvQ==
X-Gm-Message-State: AOAM532vYjvZv4/AbGBeqjbmt0XEX8DpNykLFBv4c8bt1aUa+LXif+gB kBxr4GozmGs5RsUjXZkltxs=
X-Google-Smtp-Source: ABdhPJy+lywDb9dxQJXlKt1p2kQqLKdeW1n2nyOoUcKmF+iL5G7iCpyNJLiAF9NifcsufsjF+m0jJg==
X-Received: by 2002:a7b:c745:: with SMTP id w5mr1098655wmk.17.1631653888503; Tue, 14 Sep 2021 14:11:28 -0700 (PDT)
Received: from ?IPv6:2a02:aa12:a780:5480:18e9:4d8a:c8a6:5765? ([2a02:aa12:a780:5480:18e9:4d8a:c8a6:5765]) by with ESMTPSA id r26sm2164857wmh.27.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 14 Sep 2021 14:11:27 -0700 (PDT)
To: Watson Ladd <>
Cc:, Benjamin Kaduk <>,, Colin Perkins <>
References: <> <> <> <>
From: Julia Hesse <>
Message-ID: <>
Date: Tue, 14 Sep 2021 23:11:26 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Sep 2021 21:11:37 -0000

Hi Watson,

looks good to me, thank you!


Am 9/14/2021 um 8:45 PM schrieb Watson Ladd:
> I've opened which I think
> addresses all the comments from this review.  If this is so, I can
> merge it and upload a new copy tonight.
> On Fri, Sep 10, 2021 at 11:04 AM Julia Hesse <> wrote:
>> Dear Watson,
>>>> // - What does it mean to exchange messages symmetrically? (In the per-user M and N section)
>>>>       * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?)
>>> It is needed: Magic Wormhole uses this variant. And the concern about
>>> who uses M and who uses N in cases where it isn't clear is best
>>> addressed by using this variant.
>> Ah, apparently I got confused here: the draft is referring to SPAKE2 as
>> a symmetric PAKE, and to the case of M=N as its symmetric variant. So
>> you are completely right, the sentence in question should stay, but I
>> would recommend referring to the case of M=N as "parallel variant" (or
>> something else) instead of assigning two different meanings to the word
>> "symmetric".
>>>> // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include?
>>>>       * Resolved
>>>> // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check.
>>>> // - There are currently no test vectors that include AAD -- should we add some?
>>>>       * I have not verified these two.
>>>> // - Why is len() a little-endian output?
>>>>       * I agree with Watson to be consistent with Kerberos here
>>>> // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation?
>>>>       * Resolved
>>>> Some more comments, not related to the IRSG review, below.
>>>> I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..."
>>>> The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule.
>>> I'm not sure I follow the issue. The sentence says 'A picks x randomly
>>> and uniformly from the integers in [0,p), and calculates X=x*P and
>>> S=w*M+X, then transmits pA=S to B.' Alice is hence the initiatior. If
>>> it's impossible to do this easily then one of the M=N variants should
>>> be used. Most protocols have an asymmetry here where one side is
>>> initiating a request and the other receiving. Happy to add clarifying
>>> text.
>> Ack to all. It would actually be good to clarify this in the draft: the
>> M != N variant is for an initiator-responder variant, the M=N for a
>> parallel variant that MUST (?) be used whenever the applicatoin cannot
>> assign initiator and responder role to the parties. My concern was from
>> a security perspective, from which we should avoid situation such as the
>> following: a user generates pA wrt M, but then receives pB also
>> generated wrt M, suddenly realizes that it is the responder, and
>> *additionally* sends pA wrt N. This voids the security proof, so we need
>> to be pretty clear here.
>> Best regards,
>> Julia
>>>> p.2
>>>> The KDF has only 3 inputs, but a fourth (key length L) is described in the text
>>>> p.3
>>>> servers -> serves
>>>> flow figure should include "verify cA" and "verify cB", since it is a MUST.
>>>> p.4
>>>> remove unnecessary variables T and S? E.g., directly set pB=w*N+Y.
>>> These editorial comments seem worthwile to fix. Side note to Colin: is
>>> there another set of reviews I should be waiting for at this stage? If
>>> not I should be able to fix these all pretty promptly.
>>> Sincerely,
>>> Watson Ladd
>>> --
>>> Astra mortemque praestare gradatim