Re: [Cfrg] Question about Spake2

Watson Ladd <> Mon, 17 February 2020 16:25 UTC

From: Watson Ladd <>
Date: Mon, 17 Feb 2020 08:25:10 -0800
To: "Scott Fluhrer (sfluhrer)" <>
List-Id: Crypto Forum Research Group <>

On Mon, Feb 17, 2020 at 6:51 AM Scott Fluhrer (sfluhrer)
<> wrote:
> In your answer to Question 1 of the Round 2 questions, you stated:
> The next version will include an option to have M and N based on party
> identities, ensuring that an attacker with the ability to solve a
> discrete logarithm problem can only compromise a single session per
> discrete logarithm computed.
> The current draft of Spake2 (draft-irtf-cfrg-spake2-09) does not include this option.  Will there be a version of the draft that would include this option that we could review?

I'm working on getting the text out and fixing some minor typos that
were detected in earlier revisions. The suggestion is made in and I'll be following that. It's
just M=H(A, B, 1), N=H(A, B, 2) with appropriate domain separation.

> BTW: my personal opinion is that this shouldn’t be an option, instead it should be mandatory.  An option means that it is selectable by the protocol, and I distrust forcing the protocol designers to make decisions with security implications that they might not fully understand.

Including M and N per identity forces a dependency on hash2curve,
which is a barrier to implementation. The difference in the number of
discrete logs required is a few months of Moore's law and linear in
the number of associations.


"Man is born free, but everywhere he is in chains".
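The M=H(A, B, 1), N=H(A, B, 2) construction from the reply above, worked through as an added example that is not part of this thread or of the draft: a SPAKE2 run over a toy Schnorr group, where squaring a hash mod a safe prime stands in for hash-to-curve as the way to obtain M and N with unknown discrete logs. The domain-separation tags, the identities, the password-to-scalar hash and the simplified transcript are assumptions of this example, not the draft's encoding.

```python
import hashlib
import secrets

# Toy Schnorr group constructed for this example: safe prime P = 2Q + 1, so the
# quadratic residues mod P form the prime-order-Q subgroup.  A deployment would
# use a 2048-bit+ safe prime or a curve with hash-to-curve; the structure is the same.
P, Q, G = 2039, 1019, 4  # 4 = 2^2 is a quadratic residue, hence of order Q


def hash_to_group(tag: bytes, *parts: bytes) -> int:
    """Hash length-prefixed inputs, reduce mod P and square: the result lies in
    the order-Q subgroup and nobody learns its discrete log base G."""
    for ctr in range(256):  # retry on the degenerate outputs 0 and 1
        h = hashlib.sha256(tag + bytes([ctr]))
        for part in parts:
            h.update(len(part).to_bytes(2, "big") + part)
        r = pow(int.from_bytes(h.digest(), "big") % P, 2, P)
        if r > 1:
            return r
    raise RuntimeError("hash_to_group failed")


def per_identity_points(a_id: bytes, b_id: bytes):
    """M = H(A, B, 1), N = H(A, B, 2), each under its own domain-separation tag."""
    m = hash_to_group(b"SPAKE2-M", a_id, b_id, b"\x01")
    n = hash_to_group(b"SPAKE2-N", a_id, b_id, b"\x02")
    return m, n


def password_scalar(pw: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"SPAKE2-w" + pw).digest(), "big") % Q


def spake2(a_id: bytes, b_id: bytes, pw_a: bytes, pw_b: bytes):
    """One SPAKE2 run between A and B; returns the key each side derives.
    M and N are bound to this identity pair, so a discrete log of either one
    is useless against sessions between any other pair of parties."""
    m, n = per_identity_points(a_id, b_id)
    wa, wb = password_scalar(pw_a), password_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    big_x = pow(G, x, P) * pow(m, wa, P) % P  # A -> B: X = g^x * M^w
    big_y = pow(G, y, P) * pow(n, wb, P) % P  # B -> A: Y = g^y * N^w
    k_a = pow(big_y * pow(n, -wa, P) % P, x, P)  # A: (Y / N^w)^x  (Python 3.8+ pow)
    k_b = pow(big_x * pow(m, -wb, P) % P, y, P)  # B: (X / M^w)^y

    def derive(k: int, w: int) -> str:  # simplified transcript hash
        tt = b"|".join(v.to_bytes(2, "big") for v in (big_x, big_y, k, w))
        return hashlib.sha256(a_id + b"|" + b_id + b"|" + tt).hexdigest()

    return derive(k_a, wa), derive(k_b, wb)
```

With matching passwords both sides derive the same key; with different passwords the keys differ, and a different peer identity yields unrelated M and N.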