Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20

Julia Hesse <> Fri, 10 September 2021 18:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CE52B3A11FF for <>; Fri, 10 Sep 2021 11:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.85
X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t0e8EwuHimCG for <>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9456F3A0F7F for <>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
Received: by with SMTP id g74so1801408wmg.5 for <>; Fri, 10 Sep 2021 11:04:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=RZWqJx0Knhphs4Yp7YE5sjVh+Mu28PE+AZcRKcOpMTDJ1c905dVuoMEfb/7e7hPZgp B11jTRMMg8wMxH9eFeJgVVqV+l4DSTBTKyzlWB8mapun7ePbqluFqcF257BmnRf09R1q vZynOYjbxHTJSndQSahhKaTpmlDDML+W5/OgulaNr4drR6xvwYQHplZRrSvDXEZ0Wfti b66Cl7w3Um3++KhRM4jZtpNtPjhJZTwKiojPw6C+vUl+vngdbhCj86G5LTnvc0gV5kUG A622dR2bID7g2sb8yVTbG7CeWm3g/19xGBK/KSs7Cf3XIYk4rJXytsu771r+B9GdE/cs ogsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=mtwK5c6dlKjxA6L5gYGdIuxx4PjwqziTwfL5/SqKBOlFBTAZASXAyuxJq0wqh9t9tk oxvkX1qsd9Fi38XGfyn0Wblbq3nEjRqGGD4CHhZnQwtNPevlKQ+nQnxeHdSnp5o/uzkQ Uv0FDJlwJdjjkcedsnZ8sj4UImZ2FXEe/FI2h9/6nxFKHJSnUWs8xqp+V2msQ0cfFa+2 LURULpmR1aov6j8k3QPf1x9FGjohMf6VKuhIBTHeWsqAEW9BIJy8XuV8ojJBZrYm+7av HbihwDxhrURwhgEiGvuuVBPqaYKkiq2vsSlkHGiAZiN7PTStfVC6/p3jkKIrqyLv6XcV +Ofg==
X-Gm-Message-State: AOAM530LRNDF/gNpkxNQBpDTYlePiaJb1mz/CpPsmM/tgtmqVo8BKwEs 4VUEaAunpqg/pdu2hLkTj+Q=
X-Google-Smtp-Source: ABdhPJygJEbHxKMr4/y5s6/V/8R9nslxq6tUFdZa0h8qv1ZyMIMAfvBNP4kPyN4VqOfsppItE8RbnQ==
X-Received: by 2002:a05:600c:2193:: with SMTP id e19mr9659470wme.40.1631297057713; Fri, 10 Sep 2021 11:04:17 -0700 (PDT)
Received: from ?IPv6:2a02:aa12:a780:5480:7861:c549:9e18:d53? ([2a02:aa12:a780:5480:7861:c549:9e18:d53]) by with ESMTPSA id d9sm6644002wrb.36.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Sep 2021 11:04:17 -0700 (PDT)
To: Watson Ladd <>
Cc:, Benjamin Kaduk <>,, Colin Perkins <>
References: <> <>
From: Julia Hesse <>
Message-ID: <>
Date: Fri, 10 Sep 2021 20:04:15 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [CFRG] IRSG review draft-irtf-cfrg-spake2-20
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Sep 2021 18:04:23 -0000

Dear Watson,

>> // - What does it mean to exchange messages symmetrically? (In the per-user M and N section)
>>      * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?)
> It is needed: Magic Wormhole uses this variant. And the concern about
> who uses M and who uses N in cases where it isn't clear is best
> addressed by using this variant.

Ah, apparently I got confused here: the draft is referring to SPAKE2 as 
a symmetric PAKE, and to the case of M=N as its symmetric variant. So 
you are completely right, the sentence in question should stay, but I 
would recommend referring to the case of M=N as "parallel variant" (or 
something else) instead of assigning two different meanings to the word 

>> // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include?
>>      * Resolved
>> // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check.
>> // - There are currently no test vectors that include AAD -- should we add some?
>>      * I have not verified these two.
>> // - Why is len() a little-endian output?
>>      * I agree with Watson to be consistent with Kerberos here
>> // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation?
>>      * Resolved
>> Some more comments, not related to the IRSG review, below.
>> I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..."
>> The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule.
> I'm not sure I follow the issue. The sentence says 'A picks x randomly
> and uniformly from the integers in [0,p), and calculates X=x*P and
> S=w*M+X, then transmits pA=S to B.' Alice is hence the initiatior. If
> it's impossible to do this easily then one of the M=N variants should
> be used. Most protocols have an asymmetry here where one side is
> initiating a request and the other receiving. Happy to add clarifying
> text.
Ack to all. It would actually be good to clarify this in the draft: the 
M != N variant is for an initiator-responder variant, the M=N for a 
parallel variant that MUST (?) be used whenever the applicatoin cannot 
assign initiator and responder role to the parties. My concern was from 
a security perspective, from which we should avoid situation such as the 
following: a user generates pA wrt M, but then receives pB also 
generated wrt M, suddenly realizes that it is the responder, and 
*additionally* sends pA wrt N. This voids the security proof, so we need 
to be pretty clear here.

Best regards,

>> p.2
>> The KDF has only 3 inputs, but a fourth (key length L) is described in the text
>> p.3
>> servers -> serves
>> flow figure should include "verify cA" and "verify cB", since it is a MUST.
>> p.4
>> remove unnecessary variables T and S? E.g., directly set pB=w*N+Y.
> These editorial comments seem worthwile to fix. Side note to Colin: is
> there another set of reviews I should be waiting for at this stage? If
> not I should be able to fix these all pretty promptly.
> Sincerely,
> Watson Ladd
> --
> Astra mortemque praestare gradatim