[Cfrg] On the topic of the SPAKE2 draft

Paul Lambert <paul@marvell.com> Fri, 23 January 2015 21:44 UTC

The draft-irtf-cfrg-spake2-00.txt text says:

   Both A and B calculate a group element K. A calculates it as x(S-wN),
   while B calculates it as y(T-wM). A knows S because it has received
   it, and likewise B knows T.

How does A know to use N and B to use M?

The protocol is not symmetric and the different values define different roles in the protocol.

What happens if both sides pick the same value?

Can the protocol specification be made symmetric ...


Also in the draft:

   Note that
   the choice of M and N is critical: anyone who is aware of an x such
   that xN=M, or xG=N or M can break the scheme above.

By 'anyone', does that include party A in its choice of N?
If A picked x and knew that xG=N, is it still an issue?


Paul
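
An added example, not part of the original message or of the draft: a toy run of the key computation quoted above, x(S-wN) for A and y(T-wM) for B, comparing distinct roles with both sides taking the same role. The group parameters, scalars and function names are constructed for illustration, and the message forms T = xG + wM and S = yG + wN are assumed from the quoted formulas.

```python
# Toy SPAKE2 key agreement in a prime-order subgroup of Z_p^* (added example).
# The draft writes the group additively; here xG becomes pow(G, x, P) and
# S - wN becomes S * N^(-w) mod P. All parameters are constructed and far too
# small for real use.
P = 2039            # safe prime, P = 2*Q + 1
Q = 1019            # prime order of the subgroup of squares mod P
G, M, N = 4, 9, 25  # squares mod P, so each has order Q; M != N

def blind(secret, w, const):
    """First message: secret*G + w*const in the draft's notation."""
    return pow(G, secret, P) * pow(const, w, P) % P

def unblind_and_multiply(secret, w, received, const):
    """Group element K: secret*(received - w*const) in the draft's notation."""
    inv = pow(const, (Q - w) % Q, P)  # const^(-w), since const has order Q
    return pow(received * inv % P, secret, P)

def run(x, y, w, roles):
    """roles gives (blinding constant, unblinding constant) for each side."""
    (a_out, a_in), (b_out, b_in) = roles
    T = blind(x, w, a_out)            # sent by the first party
    S = blind(y, w, b_out)            # sent by the second party
    k_first = unblind_and_multiply(x, w, S, a_in)
    k_second = unblind_and_multiply(y, w, T, b_in)
    return k_first, k_second

x, y, w = 123, 456, 77                # constructed scalars; w stands for the password value

# Distinct roles as in the draft: A blinds with M and removes wN,
# B blinds with N and removes wM. Both reach xyG.
K_A, K_B = run(x, y, w, roles=((M, N), (N, M)))

# Both sides acting as "A": each blinds with M and removes wN.
# The w(M - N) term does not cancel, so the two results differ.
K_1, K_2 = run(x, y, w, roles=((M, N), (M, N)))

if __name__ == "__main__":
    print("distinct roles agree:", K_A == K_B == pow(G, x * y, P))
    print("same role agrees:    ", K_1 == K_2)
```

With distinct roles the blinding terms cancel and both sides hold xyG; with the same role on both sides, one result carries an extra xw(M-N) and the other yw(M-N), so key confirmation would fail.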