Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-irtf-cfrg-spake2-12.txt
Watson Ladd <watsonbladd@gmail.com> Mon, 24 August 2020 12:42 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BCAE3A0D7A; Mon, 24 Aug 2020 05:42:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVSlXuqQBgGN; Mon, 24 Aug 2020 05:42:21 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FA0D3A0D73; Mon, 24 Aug 2020 05:42:21 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id w25so9406996ljo.12; Mon, 24 Aug 2020 05:42:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=2teg2QdsvT/tx5K4YljIzEM7F49ZuSBJJEQ/KYqHW2Y=; b=gFjYp0pOGguZoXPFZ5afUbcHCxzMz61ArJ/sL2knatr0Kc9J0pOdJPqDRPi7bDPx5y fSAtBFUC1Y15RJrkK9L76kQ7fNJt00M3TZTDfa+uKtzkzP/+Utmw+AfBDZpB+fTCUegs cTc0nAbgS/RrnbeUyBDhpyCpFz2NPIi9fSJf80bkBzERxSYOfmGOQSjSFnNwPiWOWp8I H6rORNrxB++I1+sE5r7ihEaxpH0mJwtDkUf7AgbiCSNJTy2k49arDA/I9ey5Z844FCiR 73o/xrFB5cE9hR/8GPQgGJujLa0Tvda8XDh+Liqq/3eQKuP0vyXW4AIfBCNLG0TuF2Wc +yMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=2teg2QdsvT/tx5K4YljIzEM7F49ZuSBJJEQ/KYqHW2Y=; b=Ea3oxEa8jaTNyaUWeQDeKbz4qrEVvSzbxy0rwm9Y9LNVT+CyQVdxBL8AdnnXSlLGD5 QFC5XAs6kPDBMMnjwfCkLEeRqgnVTBpY+Fmg1TiQMTu4RazW+nnO8HjM02kX/JCdPdET gKUHud0lOZJj3tAMwCrVqWlLZ09uJ8Ep9ZXTcXdontdKFO7zG7/rDGJ1xIsvgLZKQ3Ho FgY9oXpdt7atCLvaSrI2EhhDy++jCwnYkVUSxdXS14B5HFGdISku7KKQRoSntl5kz5vc coYBC9Iq1qaZl3FzCuRqgeWu1OPmAgESwTXksmqTWEXMwE39nIB7S5ifWjbY6ufTJ2wF 7bEQ==
X-Gm-Message-State: AOAM532f8ungUnca6cGsn9EncjxuExro2aEuFVd7Udg48N1RU/wvOyou cKNhDqcMVPR0RSaOsHdiy7mq8kUIRExutIDDVZw=
X-Google-Smtp-Source: ABdhPJz+r8RnAHCkf8vOX94NGl693Y4197UgnYt4fhdWh6YUrRDadrzZhSIf6kFgD6sYelf2dnZMaFEbcC7fNCONjws=
X-Received: by 2002:a2e:9cd3:: with SMTP id g19mr2570625ljj.229.1598272939050; Mon, 24 Aug 2020 05:42:19 -0700 (PDT)
MIME-Version: 1.0
References: <159709115024.10897.5395496576031260366@ietfa.amsl.com> <CACsn0cmX=DWCP5gpmPbzS=UjXfkBP9ObNpmEXPddsZJHbbhC-g@mail.gmail.com> <CAMr0u6k0f52E0i0ds9gR-xJ=M69RCV1vcYZJXi4Ycyc8QtBV3w@mail.gmail.com> <A0F53C47-3D85-4070-8ED4-A86E50899D13@vigilsec.com> <5f6565e7-49cb-32c4-1873-bac014cee965@isode.com> <80792d11-5400-1c79-ac60-d28d2ae803f0@isode.com> <CAMr0u6=Qokwbe6uUPQbBk3ZO4yUzm+UJT6uUPdjaK20tR837cQ@mail.gmail.com> <BN7PR11MB26415022F5F2FB219554DC6DC15F0@BN7PR11MB2641.namprd11.prod.outlook.com> <BN7PR11MB26418931A9921C0C121703D3C1590@BN7PR11MB2641.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB26418931A9921C0C121703D3C1590@BN7PR11MB2641.namprd11.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 24 Aug 2020 08:42:07 -0400
Message-ID: <CACsn0cke00kmWXNyQ1emWoLjkY47Xx+iFaKiXwdR=gJCPcya7Q@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Russ Housley <housley@vigilsec.com>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "<cfrg@ietf.org>" <cfrg@ietf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/l4lgGcL4UPLIk1yj1J9CvxE1IjI>
Subject: Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-irtf-cfrg-spake2-12.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2020 12:42:26 -0000
On Sun, Aug 23, 2020 at 3:20 PM Scott Fluhrer (sfluhrer) <sfluhrer=40cisco.com@dmarc.ietf.org> wrote: > > I looked through it (the Crypto20 crypto conference was last week, that kept me busy); it looked good, with two nits: Thank you very much for reviewing it so quickly! > > > > Section 3.1 states “Lets G be a group in which the computational Diffie-Hellman (CDH) problem is hard”. Actually, if you go through the security proof, it appears that the slightly stronger “S-PCCDH assumption” is required. While it is plausible that, for any group where the CDH assumption holds, so does the S-PCCDH assumption, however, this is not proven. So recently https://eprint.iacr.org/2019/1194.pdf reduces to Gap Diffie-Hellman. I think I should revise that sentence of 3.1 and discuss in security considerations section exactly what is assumed and that elliptic curves in the draft are widely conjectured to satisfy it. Hopefully this won't confuse anyone more than necessary. > This draft still relies on a fixed (per group) M and N values; as we have argued before, having a global N and M value menas that breaking one discrete problem would mean breaking the entire system globally, and so that arguably too attractive as a target. Assuming that the authors aren’t willing to use a Hash2Curve method to generate N, M values, I would recommend that a paragraph be added to the document outlining the situation (and perferably giving a procedure where individual protocols can select their own N, M values) Section 5: https://tools.ietf.org/id/draft-irtf-cfrg-spake2-11.html#rfc.section.5 has M and N per user, following one of the papers in the references. I think a per-protocol option makes sense to add, but it would be nice to know if it would be used. > > > > From: Scott Fluhrer (sfluhrer) > Sent: Monday, August 17, 2020 7:50 AM > To: Stanislav V. Smyshlyaev <smyshsv@gmail.com>; Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org > Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org > Subject: RE: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt > > > > I’ll take a quick look at it. > > > > From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev > Sent: Monday, August 17, 2020 4:40 AM > To: Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org > Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org > Subject: Re: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt > > > > Dear Russ, dear Crypto Panel experts, > > > > Any volunteers for a quick review of the updated version of the SPAKE2 draft (before commencing a RGLC)? > > > > Regards, > > Stanislav > > > > On Tue, 11 Aug 2020 at 20:02, Alexey Melnikov <alexey.melnikov@isode.com> wrote: > > On 11/08/2020 17:47, Alexey Melnikov wrote: > > Hi Russ, > > On 11/08/2020 17:43, Russ Housley wrote: > > > We recommend the following two protocols to be selected as «recommended by the CFRG for usage in IETF protocols»: one balanced PAKE - CPace, and one augmented PAKE - OPAQUE. > > > > What was the point of the selection process if we are going to publish the ones that were not selected too? > > It is needed by Kitten WG for one of Kerberos documents. The idea is to publish it with a disclaimer that it predated PAKE selection process and was not selected as one of the finalists. > > To clarify: we don't intend to publish any other PAKE candidates that weren't finalists. > > Best Regards, > > Alexey > > > > Russ > > > > > > > > On Aug 11, 2020, at 10:57 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote: > > > > Dear Crypto Panel experts, > > > > Could someone please take a quick look at the updated version (taking into account the reviews made during the PAKE selection process)? > > > > Regards, > > Stanislav (on behalf of CFRG chairs) > > > > ---------- Пересылаемое сообщение --------- > От: Watson Ladd <watsonbladd@gmail.com> > Дата: пн, 10 авг. 2020 г. в 23:29 > Тема: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt > Кому: <cfrg@ietf.org> > > > > This fixes the comment on missing identities received during the PAKE > competition which was the only one I found. > > I think it's ready for RGLC. > > On Mon, Aug 10, 2020 at 4:27 PM <internet-drafts@ietf.org> wrote: > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > This draft is a work item of the Crypto Forum RG of the IRTF. > > > > Title : SPAKE2, a PAKE > > Authors : Watson Ladd > > Benjamin Kaduk > > Filename : draft-irtf-cfrg-spake2-12.txt > > Pages : 16 > > Date : 2020-08-10 > > > > Abstract: > > This document describes SPAKE2 which is a protocol for two parties > > that share a password to derive a strong shared key with no risk of > > disclosing the password. This method is compatible with any group, > > is computationally efficient, and SPAKE2 has a security proof. This > > document predated the CFRG PAKE competition and it was not selected. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-irtf-cfrg-spake2-12 > > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-spake2-12 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-spake2-12 > > > > > > Please note that it may take a couple of minutes from the time of submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > https://www.irtf.org/mailman/listinfo/cfrg > > > > -- > "Man is born free, but everywhere he is in chains". > --Rousseau. > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Crypto-panel mailing list > Crypto-panel@irtf.org > https://www.irtf.org/mailman/listinfo/crypto-panel > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > https://www.irtf.org/mailman/listinfo/cfrg -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt internet-drafts
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.… Watson Ladd
- Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.… Stanislav V. Smyshlyaev
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Scott Fluhrer (sfluhrer)
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Watson Ladd
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Björn Haase
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Watson Ladd
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Stanislav V. Smyshlyaev
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Björn Haase
- Re: [Cfrg] [Crypto-panel] Fwd: I-D Action: draft-… Stanislav V. Smyshlyaev