Re: [Crypto-panel] Answers to PAKE Questions

Watson Ladd <watsonbladd@gmail.com> Mon, 10 February 2020 05:44 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 09 Feb 2020 21:44:23 -0800
To: crypto-panel@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/3AYdh5UTlhASU_Tk5gWg2pOWQmw>

This time with correct email


On Sun, Feb 9, 2020 at 9:43 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>
> Question 1: (to SPAKE2): Can you propose a modification of SPAKE2
> (preserving all existing good properties of PAKE2) with a correspondingly
> updated security proof, addressing the issue of a single discrete log
> relationship necessary for the security of all sessions (e.g., solution
> based on using M=hash2curve(A|B), N=hash2curve(B|A))?
>
>
> The next version will include an option to have M and N based on party
> identities, ensuring that an attacker with the ability to solve a
> discrete logarithm problem can only compromise a single session per
> discrete logarithm computed. This form does introduce a dependency on
> the hash2curve draft, and requires an invocation of hash2curve per
> pair of participants. The proof of such a construction is in
> https://eprint.iacr.org/2019/1194.
>
>
> Question 2: Can the nominators/developers of the protocols please
> re-evaluate possible IPR conflicts between their candidate protocols and
> own and foreign patents? Specifically, can you discuss the impact of U.S.
> Patent 7,047,408 (expected expiration 10th of March 2023) on free use of
> SPAKE2 and the impact of EP1847062B1 (HMQV, expected expiration October
> 2026) on the free use of the RFC-drafts for OPAQUE?
>
>
> I’m not a patent lawyer, and cannot speculate on any IPR conflicts
> that may or may not exist.
>
>
> Question 4: What can be said about the property of "quantum annoyance"
> (an attacker with a quantum computer needs to solve [one or more] DLP per
> password guess) of the PAKE?
>
>
> An adversary needs to solve a single DLP and then carry out an online
> attack to recover the password without further quantum work.
>
>
> Question 5: What can be said about "post-quantum preparedness" of the PAKE?
>
> SPAKE2 is unlikely to have a post-quantum alternative.



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
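
The identity-derived M and N from the answer to Question 1, as an added example that is not part of the original message or of the SPAKE2 draft. It assumes a toy multiplicative group and a hash-then-square map standing in for hash2curve; the group parameters, the function names and the message names T and S are all assumptions of this example.

```python
import hashlib, secrets

# Toy group constructed for this example (far too small for real use):
# safe prime P = 2*Q + 1; G = 4 generates the order-Q subgroup of squares.
P, Q, G = 2039, 1019, 4

def h_fields(*parts: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def hash_to_group(first: bytes, second: bytes) -> int:
    # Stand-in for hash2curve: squaring lands in the order-Q subgroup, and the
    # output has no known discrete log relative to G.
    ctr = 0
    while True:
        h = int.from_bytes(h_fields(b"MN", first, second, bytes([ctr])), "big") % P
        e = pow(h, 2, P)
        if e > 1:          # reject 0 and the identity element
            return e
        ctr += 1

def blinds(id_a: bytes, id_b: bytes):
    # M = H(A|B), N = H(B|A): one pair of blinding elements per identity pair.
    return hash_to_group(id_a, id_b), hash_to_group(id_b, id_a)

def pw_scalar(password: bytes) -> int:
    return int.from_bytes(h_fields(b"pw", password), "big") % Q

def enc(v: int) -> bytes:
    return v.to_bytes(2, "big")    # every value is < P < 2**16

def spake2(id_a: bytes, id_b: bytes, pw_a: bytes, pw_b: bytes):
    # Runs both sides locally; returns (key derived by A, key derived by B).
    M, N = blinds(id_a, id_b)
    w_a, w_b = pw_scalar(pw_a), pw_scalar(pw_b)
    x, y = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    T = pow(G, x, P) * pow(M, w_a, P) % P       # A -> B: g^x blinded by M^w
    S = pow(G, y, P) * pow(N, w_b, P) % P       # B -> A: g^y blinded by N^w
    k_a = pow(S * pow(N, -w_a, P) % P, x, P)    # A strips N^w, raises to x
    k_b = pow(T * pow(M, -w_b, P) % P, y, P)    # B strips M^w, raises to y
    def key(w, k):
        return h_fields(id_a, id_b, enc(T), enc(S), enc(k), enc(w))
    return key(w_a, k_a), key(w_b, k_b)
```

Because M and N change with the identity pair, a discrete log computed for one pair's M or N says nothing about the elements any other pair uses.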