IETF Logo Mail Archive

Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt

Nico Williams <nico@cryptonector.com> Sat, 01 December 2018 23:36 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE3EF130E66 for <cfrg@ietfa.amsl.com>; Sat, 1 Dec 2018 15:36:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJVQCtD5QDDH for <cfrg@ietfa.amsl.com>; Sat, 1 Dec 2018 15:36:37 -0800 (PST)
Received: from indri.birch.relay.mailchannels.net (indri.birch.relay.mailchannels.net [23.83.209.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 085A9130E62 for <cfrg@ietf.org>; Sat, 1 Dec 2018 15:36:36 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id F2DB850286E; Sat, 1 Dec 2018 23:36:35 +0000 (UTC)
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (unknown [100.96.19.78]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id BA505501838; Sat, 1 Dec 2018 23:36:35 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.16.2); Sat, 01 Dec 2018 23:36:35 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Spot-Stop: 7107a4987f0da018_1543707395867_2651649182
X-MC-Loop-Signature: 1543707395867:785691014
X-MC-Ingress-Time: 1543707395866
Received: from pdx1-sub0-mail-a26.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTP id 870A57F837; Sat, 1 Dec 2018 15:36:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=PojDyMeDfXZOZa pM1v4aUURo1tE=; b=YXppfpgon3axe5of8BHr/CYqBPxTps7xnLmVzZTWYLZWuA eSWDW/qcUDQYeBOOF/5uPW7zmAlEYh+iMN86m74iYr5Xde1u13cMYh12I+YeZSsP WVKhs1GaK0T+fiv0yaVxD0mSiVQ1ybYSCQCiWxpx9K1v1Ii+qFFTKiEoSOeGQ=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 93B1C7F836; Sat, 1 Dec 2018 15:36:33 -0800 (PST)
Date: Sat, 01 Dec 2018 17:36:30 -0600
X-DH-BACKEND: pdx1-sub0-mail-a26
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Benjamin Kaduk <kaduk@mit.edu>, cfrg@ietf.org
Message-ID: <20181201233630.GB15561@localhost>
References: <153434759643.14400.9943392813751876897@ietfa.amsl.com> <20180815154402.GP40887@kduck.kaduk.org> <20181201211038.GA15561@localhost> <c0799f2c-8079-c066-9a19-c9640f00c93e@mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <c0799f2c-8079-c066-9a19-c9640f00c93e@mit.edu>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtkedruddvjedgudejkecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/y7gIIDZhyNathX4zRC8tKTKdaRo>
Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-06.txt
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Dec 2018 23:36:39 -0000

On Sat, Dec 01, 2018 at 05:10:04PM -0500, Greg Hudson wrote:
> On 12/01/2018 04:10 PM, Nico Williams wrote:
> >    But in SPAKE2 we have X=x*G and T=w*M+X, while in SPAKE2+ we have
> >    X=x*G+w0*M, but X is not reused in the text in SPAKE2.
> [...]
> >         A picks x randomly and uniformly from the integers in [0,ph)
> >     -   divisible by h, and calculates X=x*G and T=w*M+X, then transmits T to
> >     +   divisible by h, and calculates X=w*m+x*G, then transmits X to
> >         B.
> 
> This change would have some minor downstream ripples:
> 
> * draft-ietf-kitten-krb-spake-preauth contains X, Y, T, and S values in its
> test vectors.
> 
> * MIT krb5's shipped implementation of the above draft uses T and S in
> comments and variable names.
> 
> While those are fixable without any interop impact, my preference is to
> change the SPAKE2+ terminology rather than the SPAKE2 terminology.  I also
> think it is mildly useful to have separate names for the unmasked and masked
> DH points.

That's quite fair.

Speaking of SPAKE2+, I said draft-ietf-kitten-krb-spake-preauth uses
SPAKE2+, but it's SPAKE2.  I'm wondering how to extend krb-spake-preauth
to use SPAKE2+ some day.  I think we might need to overload the group ID
to mean {PAKE, group} rather than just {group}.  But we can do that some
time in the future.

> The other SPAKE2 implementation I am aware of (BoringSSL's, which isn't
> draft-conformant for reasons having to do with M and N generation and
> cofactors) uses P and Pstar as variable names, so wouldn't really be
> affected.
> 
> >    SPEKE/B-SPEKE would have made implementation easier by requiring only
> >    scalar point multiplication, thus enabling cheap curve25519
> >    implementations.
> 
> I know that in discussions of PAKE algorithms for Kerberos, we wanted to
> avoid requiring hash-to-curve if possible.  From what I can find online, if
> you use SPEKE with curve25519 and simply hash to the x coordinate, you leak
> one bit of the hashed password, which isn't necessarily a huge problem but
> isn't an attractive property.

Can you explain this a bit more, that is, how hash-to-curve leaks a bit?

A leak of one bit per-exchange is absolutely disastrous if it means that
with each exchange an eavesdropper can eliminate half the passwords in
their dictionary, as then observing N exchanges lets you eliminate all
but 2^-N of passwords in your dictionary.

> I believe I wound up with a SPAKE2-edwards25519 implementation based
> on the BoringSSL 25519 code which is pretty competitive with X25519
> implementations, although I don't have test results handy.  Point
> addition and subtraction are not expensive operations; they're just
> not necessarily part of a crypto API geared towards X25519 or ed25519.
> But neither is hash-to-curve.

OK.

Nico
--

v2.23.0 | Report a Bug | By Email