IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt

Greg Hudson <ghudson@mit.edu> Sat, 01 December 2018 22:10 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8AD6C130E61 for <cfrg@ietfa.amsl.com>; Sat, 1 Dec 2018 14:10:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j0FJ5ggV6njW for <cfrg@ietfa.amsl.com>; Sat, 1 Dec 2018 14:10:18 -0800 (PST)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2C0130E55 for <cfrg@ietf.org>; Sat, 1 Dec 2018 14:10:16 -0800 (PST)
X-AuditID: 12074425-c15ff70000000335-60-5c0306c4600d
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 37.B3.00821.5C6030C5; Sat, 1 Dec 2018 17:10:14 -0500 (EST)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.14.7/8.9.2) with ESMTP id wB1MA8TR011382; Sat, 1 Dec 2018 17:10:09 -0500
Received: from [18.101.8.224] (VPN-18-101-8-224.MIT.EDU [18.101.8.224]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id wB1MA4OP009042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 1 Dec 2018 17:10:06 -0500
To: Nico Williams <nico@cryptonector.com>, Benjamin Kaduk <kaduk@mit.edu>
Cc: cfrg@ietf.org
References: <153434759643.14400.9943392813751876897@ietfa.amsl.com> <20180815154402.GP40887@kduck.kaduk.org> <20181201211038.GA15561@localhost>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <c0799f2c-8079-c066-9a19-c9640f00c93e@mit.edu>
Date: Sat, 01 Dec 2018 17:10:04 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20181201211038.GA15561@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpmleLIzCtJLcpLzFFi42IRYrdT0T3Gxhxj8HuXiMXRXW0sFqeuHWFz YPJ4eeoco8eSJT+ZApiiuGxSUnMyy1KL9O0SuDJm7jvKWNAjUNH3ULSB8SJPFyMnh4SAicSX owsYQWwhgTVMEtu+qHcxcgHZGxglLv3rZIZwjjBJTG6eDFYlLGArMaPzFTuILSLgKXGyeRmQ zcHBLCAo8WyqBUT9REaJcxsWg9WwCShLrN+/lQXE5hWwkui+/IUVxGYRUJHYc+AmM4gtKhAh ce/8JzaIGkGJkzOfgNVzCuhLLHy1AWwvs4CZxLzND5khbHGJW0/mM0HY8hLb385hnsAoOAtJ +ywkLbOQtMxC0rKAkWUVo2xKbpVubmJmTnFqsm5xcmJeXmqRroVebmaJXmpK6SZGcFi7qO5g nPPX6xCjAAejEg+vwwumGCHWxLLiytxDjJIcTEqivL+2AoX4kvJTKjMSizPii0pzUosPMUpw MCuJ8LptAcrxpiRWVqUW5cOkpDlYlMR5/4g8jhYSSE8sSc1OTS1ILYLJynBwKEnw3vwP1ChY lJqeWpGWmVOCkGbi4AQZzgM0XOAxyPDigsTc4sx0iPwpRkUpcd5vf4ESAiCJjNI8uF5w2knl ePCKURzoFWHeyqtAVTzAlAXX/QpoMBPQ4Bywq4tLEhFSUg2MizPtPmxcwOF+M11O9dSz9pX5 c7Wc+r+9mflvuX77psUSTKvTrr1PWfvujkjx5M6Utbx+9kscr15n0f+3+v5Go/+c2yWsU9p2 /Gg2aBcOV9wpm9rw9JvDi1cLTk3Qv2pR/iWyr//Bpojp59VkdiTvuyUVlRZxcHnd/ZTTEnFa LJN6uo5bnosSU2Ipzkg01GIuKk4EACkIABYWAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/vwR9HUhNtXWHJS1kk7PUpxqEJkU>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Dec 2018 22:10:19 -0000

On 12/01/2018 04:10 PM, Nico Williams wrote:
>     But in SPAKE2 we have X=x*G and T=w*M+X, while in SPAKE2+ we have
>     X=x*G+w0*M, but X is not reused in the text in SPAKE2.
[...]
>          A picks x randomly and uniformly from the integers in [0,ph)
>      -   divisible by h, and calculates X=x*G and T=w*M+X, then transmits T to
>      +   divisible by h, and calculates X=w*m+x*G, then transmits X to
>          B.

This change would have some minor downstream ripples:

* draft-ietf-kitten-krb-spake-preauth contains X, Y, T, and S values in 
its test vectors.

* MIT krb5's shipped implementation of the above draft uses T and S in 
comments and variable names.

While those are fixable without any interop impact, my preference is to 
change the SPAKE2+ terminology rather than the SPAKE2 terminology.  I 
also think it is mildly useful to have separate names for the unmasked 
and masked DH points.

The other SPAKE2 implementation I am aware of (BoringSSL's, which isn't 
draft-conformant for reasons having to do with M and N generation and 
cofactors) uses P and Pstar as variable names, so wouldn't really be 
affected.

>     SPEKE/B-SPEKE would have made implementation easier by requiring only
>     scalar point multiplication, thus enabling cheap curve25519
>     implementations.

I know that in discussions of PAKE algorithms for Kerberos, we wanted to 
avoid requiring hash-to-curve if possible.  From what I can find online, 
if you use SPEKE with curve25519 and simply hash to the x coordinate, 
you leak one bit of the hashed password, which isn't necessarily a huge 
problem but isn't an attractive property.

I believe I wound up with a SPAKE2-edwards25519 implementation based on 
the BoringSSL 25519 code which is pretty competitive with X25519 
implementations, although I don't have test results handy.  Point 
addition and subtraction are not expensive operations; they're just not 
necessarily part of a crypto API geared towards X25519 or ed25519.  But 
neither is hash-to-curve.

v2.23.0 | Report a Bug | By Email