[Cfrg] Answers to round 2 for SPAKE2

Watson Ladd <watsonbladd@gmail.com> Mon, 10 February 2020 18:31 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/senXefqczpUZo26B35ekz8d3iLo>

Dear all,
Apologies if you receive this email multiple times: there have
been some technical difficulties.

Question 1: (to SPAKE2): Can you propose a modification of SPAKE2
(preserving all existing good properties of PAKE2) with a
correspondingly updated security
proof, addressing the issue of a single discrete log relationship necessary
for the security of all sessions (e.g., solution based on using
M=hash2curve(A|B), N=hash2curve(B|A))?

The next version will include an option to have M and N based on party
identities, ensuring that an attacker with the ability to solve a
discrete logarithm problem can only compromise a single session per
discrete logarithm computed. This form does introduce a dependency on
the hash2curve draft, and requires an invocation of hash2curve per
pair of participants. The proof of such a construction is in

Question 2: Can the nominators/developers of the
protocols please re-evaluate possible IPR conflicts between their
candidate protocols and own and foreign patents? Specifically, can you
discuss the impact of U.S. Patent 7,047,408 (expected expiration 10th of
March 2023) on free use of SPAKE2 and the impact of EP1847062B1 (HMQV,
expected expiration October 2026) on the free use of the RFC-drafts for

I’m not a patent lawyer, and cannot speculate on any IPR conflicts
that may or may not exist.

Question 4: What can be said about the property of
"quantum annoyance" (an attacker with a quantum computer needs to solve
[one or more] DLP per password guess) of the PAKE?

An adversary needs to solve a single DLP and then carry out an online
attack to recover the password without further quantum work. It's
possible better attacks exist.

Question 5: What can be said about "post-quantum preparedness" of the PAKE?

SPAKE2 is unlikely to have a post-quantum alternative.

Watson Ladd
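As an added illustration of the option described in the answer to Question 1 (example code written for this archive page, not code from the SPAKE2 draft or from Watson Ladd): a toy SPAKE2 run over a prime-order subgroup of Z_p^*, with the fixed constants replaced by per-identity-pair values M = H2G(A|B), N = H2G(B|A). Assumptions: hash2curve is stood in for by hashing into the multiplicative subgroup with cofactor clearing, the group is an 80-bit safe prime generated at run time (a constructed toy size, not secure), and a plain transcript hash stands in for the draft's key schedule.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=24):  # Miller-Rabin, n >= 5
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True
def safe_prime(bits=80):  # constructed toy group p = 2q + 1; 80 bits is NOT a secure size
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q
P, Q = safe_prime()
G = 4  # a square mod p, so it generates the subgroup of prime order q
def hash_to_group(msg):  # stand-in for hash2curve: H(msg|ctr)^((p-1)/q) mod p
    for ctr in range(256):
        h = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % P
        e = pow(h, (P - 1) // Q, P)  # cofactor clearing; reject 0 and the identity
        if e not in (0, 1):
            return e
    raise RuntimeError("hash_to_group: no valid element found")
def identity_constants(a, b):  # M = H2G(A|B), N = H2G(B|A), fresh per identity pair
    return hash_to_group(a + b"|" + b), hash_to_group(b + b"|" + a)
def pw_scalar(pw):  # w = H(password) mod q
    return int.from_bytes(hashlib.sha256(pw).digest(), "big") % Q
def spake2_session(a, b, pw_a, pw_b):
    """One run: A sends X* = g^x M^w, B sends Y* = g^y N^w; returns (key_A, key_B)."""
    M, N = identity_constants(a, b)
    w_a, w_b = pw_scalar(pw_a), pw_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    x_star = pow(G, x, P) * pow(M, w_a, P) % P  # A -> B
    y_star = pow(G, y, P) * pow(N, w_b, P) % P  # B -> A
    k_a = pow(y_star * pow(N, Q - w_a, P) % P, x, P)  # A computes (Y* / N^w)^x
    k_b = pow(x_star * pow(M, Q - w_b, P) % P, y, P)  # B computes (X* / M^w)^y
    def kdf(k, w):  # transcript hash over identities, messages, shared element and w
        parts = [a, b] + [str(v).encode() for v in (x_star, y_star, k, w)]
        return hashlib.sha256(b"|".join(parts)).hexdigest()
    return kdf(k_a, w_a), kdf(k_b, w_b)
```

Because M and N are bound to one (A, B) pair, a discrete log of M or N with respect to g that is recovered for one pair does not transfer to sessions between other identities, which is the one-session-per-discrete-log limit the answer describes.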