Re: [Crypto-panel] [Cfrg] Fwd: I-D Action: draft-irtf-cfrg-spake2-12.txt

Watson Ladd <watsonbladd@gmail.com> Mon, 24 August 2020 12:42 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 24 Aug 2020 08:42:07 -0400
Message-ID: <CACsn0cke00kmWXNyQ1emWoLjkY47Xx+iFaKiXwdR=gJCPcya7Q@mail.gmail.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>
Cc: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, Russ Housley <housley@vigilsec.com>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "<cfrg@ietf.org>" <cfrg@ietf.org>, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/UstQdPgGvBY5e-UJh1vQahcPnXs>

On Sun, Aug 23, 2020 at 3:20 PM Scott Fluhrer (sfluhrer)
<sfluhrer=40cisco.com@dmarc.ietf.org> wrote:
>
> I looked through it (the Crypto20 crypto conference was last week, that kept me busy); it looked good, with two nits:

Thank you very much for reviewing it so quickly!

>
> Section 3.1 states “Let G be a group in which the computational Diffie-Hellman (CDH) problem is hard”.  Actually, if you go through the security proof, it appears that the slightly stronger “S-PCCDH assumption” is required.  While it is plausible that, for any group where the CDH assumption holds, so does the S-PCCDH assumption, this is not proven.

So recently https://eprint.iacr.org/2019/1194.pdf reduces to Gap
Diffie-Hellman. I think I should revise that sentence of 3.1 and
discuss in security considerations section exactly what is assumed and
that elliptic curves in the draft are widely conjectured to satisfy
it. Hopefully this won't confuse anyone more than necessary.

> This draft still relies on fixed (per group) M and N values; as we have argued before, having a global N and M value means that breaking one discrete log problem would mean breaking the entire system globally, and so that is arguably too attractive a target.  Assuming that the authors aren’t willing to use a Hash2Curve method to generate the N, M values, I would recommend that a paragraph be added to the document outlining the situation (and preferably giving a procedure where individual protocols can select their own N, M values).

Section 5: https://tools.ietf.org/id/draft-irtf-cfrg-spake2-11.html#rfc.section.5
has M and N per user, following one of the papers in the references.
I think a per-protocol option makes sense to add, but it would be nice
to know if it would be used.


>
> From: Scott Fluhrer (sfluhrer)
> Sent: Monday, August 17, 2020 7:50 AM
> To: Stanislav V. Smyshlyaev <smyshsv@gmail.com>; Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org
> Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org
> Subject: RE: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
>
> I’ll take a quick look at it.
>
> From: Crypto-panel <crypto-panel-bounces@irtf.org> On Behalf Of Stanislav V. Smyshlyaev
> Sent: Monday, August 17, 2020 4:40 AM
> To: Russ Housley <housley@vigilsec.com>; crypto-panel@irtf.org
> Cc: Alexey Melnikov <alexey.melnikov@isode.com>; cfrg-chairs@ietf.org
> Subject: Re: [Crypto-panel] Fwd: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
>
> Dear Russ, dear Crypto Panel experts,
>
> Any volunteers for a quick review of the updated version of the SPAKE2 draft (before commencing a RGLC)?
>
> Regards,
>
> Stanislav
>
> On Tue, 11 Aug 2020 at 20:02, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>
> On 11/08/2020 17:47, Alexey Melnikov wrote:
>
> Hi Russ,
>
> On 11/08/2020 17:43, Russ Housley wrote:
>
> > We recommend the following two protocols to be selected as «recommended by the CFRG for usage in IETF protocols»: one balanced PAKE - CPace, and one augmented PAKE - OPAQUE.
>
> What was the point of the selection process if we are going to publish the ones that were not selected too?
>
> It is needed by Kitten WG for one of Kerberos documents. The idea is to publish it with a disclaimer that it predated PAKE selection process and was not selected as one of the finalists.
>
> To clarify: we don't intend to publish any other PAKE candidates that weren't finalists.
>
> Best Regards,
>
> Alexey
>
> Russ
>
> On Aug 11, 2020, at 10:57 AM, Stanislav V. Smyshlyaev <smyshsv@gmail.com> wrote:
>
> Dear Crypto Panel experts,
>
> Could someone please take a quick look at the updated version (taking into account the reviews made during the PAKE selection process)?
>
> Regards,
>
> Stanislav (on behalf of CFRG chairs)
>
> ---------- Forwarded message ---------
> From: Watson Ladd <watsonbladd@gmail.com>
> Date: Mon, 10 Aug 2020 at 23:29
> Subject: Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-12.txt
> To: <cfrg@ietf.org>
>
> This fixes the comment on missing identities received during the PAKE
> competition which was the only one I found.
>
> I think it's ready for RGLC.
>
> On Mon, Aug 10, 2020 at 4:27 PM <internet-drafts@ietf.org> wrote:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Crypto Forum RG of the IRTF.
> >
> >         Title           : SPAKE2, a PAKE
> >         Authors         : Watson Ladd
> >                           Benjamin Kaduk
> >         Filename        : draft-irtf-cfrg-spake2-12.txt
> >         Pages           : 16
> >         Date            : 2020-08-10
> >
> > Abstract:
> >    This document describes SPAKE2 which is a protocol for two parties
> >    that share a password to derive a strong shared key with no risk of
> >    disclosing the password.  This method is compatible with any group,
> >    is computationally efficient, and SPAKE2 has a security proof.  This
> >    document predated the CFRG PAKE competition and it was not selected.
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-irtf-cfrg-spake2/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-irtf-cfrg-spake2-12
> > https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-spake2-12
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-irtf-cfrg-spake2-12
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > Cfrg mailing list
> > Cfrg@irtf.org
> > https://www.irtf.org/mailman/listinfo/cfrg
>
> --
> "Man is born free, but everywhere he is in chains".
> --Rousseau.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Crypto-panel mailing list
> Crypto-panel@irtf.org
> https://www.irtf.org/mailman/listinfo/crypto-panel
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg



--
"Man is born free, but everywhere he is in chains".
--Rousseau.
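The thread above turns on where SPAKE2's M and N come from: fixed per group (so one discrete log breaks every deployment) versus derived per protocol. The script below is an added example written for this archive page; it is not code from the draft, from Watson Ladd's implementation, or from Scott Fluhrer. It instantiates SPAKE2 over a prime-order subgroup of Z_p* with a constructed 64-bit toy group (so it runs with only the Python standard library; far too small for real use) and follows the draft's message and transcript structure in outline: pA = X*M^w, pB = Y*N^w, a transcript of length-prefixed identities, messages, K and w, and a confirmation MAC in each direction. Its point is the per-protocol derivation of M and N by hashing a protocol identifier into the subgroup, the Z_p* analogue of the Hash2Curve method Scott mentions: a discrete log of one protocol's M or N says nothing about another protocol's. The function names, the labels "SPAKE2 M"/"SPAKE2 N", the confirmation-key derivation and the protocol identifiers are this example's own assumptions, and the password is hashed with plain SHA-256 where the draft calls for a memory-hard function.

```python
"""SPAKE2 over a prime-order subgroup of Z_p*, with M and N derived per protocol.
Added illustration, not code from the draft; the group is a constructed 64-bit toy."""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n < 3.3e24."""
    if n < 2 or n in SMALL_PRIMES:
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start: int) -> tuple:
    """First q >= start with q and p = 2q + 1 both prime; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# CONSTRUCTED toy group: 64 bits demonstrates the flow and nothing else.
P, Q = find_safe_prime(1 << 63)
G = 4  # a quadratic residue other than 1, hence a generator of the order-q subgroup
FIELD_LEN = (P.bit_length() + 7) // 8

def hash_to_group(label: bytes, protocol_id: bytes) -> int:
    """Z_p* analogue of hash-to-curve: hash to x, square it into the order-q subgroup.
    Nobody learns log_G of the result, which is what SPAKE2 needs from M and N."""
    ctr = 0
    while True:
        h = hashlib.sha256(label + b"|" + protocol_id + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % P
        if x not in (0, 1, P - 1):  # those would square to 0 or 1
            return pow(x, 2, P)
        ctr += 1

def password_scalar(password: bytes) -> int:
    """w = H(pw) mod q; the draft calls for a memory-hard hash, simplified here."""
    return int.from_bytes(hashlib.sha256(password).digest(), "big") % Q

def lp(field: bytes) -> bytes:
    """Transcript field with an 8-byte little-endian length prefix, as in the draft."""
    return len(field).to_bytes(8, "little") + field

def enc(x: int) -> bytes:
    return x.to_bytes(FIELD_LEN, "big")

class Party:
    """One SPAKE2 endpoint; is_a selects the A role (blinds with M) or B (with N)."""

    def __init__(self, identity: bytes, password: bytes, protocol_id: bytes, is_a: bool):
        self.identity, self.is_a = identity, is_a
        self.w = password_scalar(password)
        self.M = hash_to_group(b"SPAKE2 M", protocol_id)
        self.N = hash_to_group(b"SPAKE2 N", protocol_id)
        self.x = secrets.randbelow(Q - 1) + 1  # ephemeral secret in [1, q-1]
        blind = self.M if is_a else self.N
        self.msg = pow(G, self.x, P) * pow(blind, self.w, P) % P  # pA or pB

    def finish(self, peer_identity: bytes, peer_msg: int) -> bytes:
        """Derive K and the session keys; return the confirmation MAC to send."""
        unblind = self.N if self.is_a else self.M
        inv = pow(pow(unblind, self.w, P), P - 2, P)  # inverse of N^w (A) or M^w (B)
        K = pow(peer_msg * inv % P, self.x, P)  # G^(x*y) on both sides iff w and M,N match
        ids = (self.identity, peer_identity) if self.is_a else (peer_identity, self.identity)
        pa, pb = (self.msg, peer_msg) if self.is_a else (peer_msg, self.msg)
        TT = b"".join(lp(f) for f in (*ids, enc(pa), enc(pb), enc(K), enc(self.w)))
        digest = hashlib.sha256(TT).digest()
        self.Ke, Ka = digest[:16], digest[16:]
        conf = hmac.new(Ka, b"ConfirmationKeys", hashlib.sha256).digest()
        KcA, KcB = conf[:16], conf[16:]
        send_key, recv_key = (KcA, KcB) if self.is_a else (KcB, KcA)
        self.expect = hmac.new(recv_key, enc(self.msg), hashlib.sha256).digest()
        return hmac.new(send_key, enc(peer_msg), hashlib.sha256).digest()

    def verify(self, peer_confirmation: bytes) -> bool:
        return hmac.compare_digest(self.expect, peer_confirmation)

def run(pw_a: bytes, pw_b: bytes, proto_a: bytes = b"demo/1", proto_b: bytes = b"demo/1") -> tuple:
    """One exchange; returns (both confirmation MACs verified, session keys equal)."""
    a = Party(b"client", pw_a, proto_a, True)
    b = Party(b"server", pw_b, proto_b, False)
    conf_a, conf_b = a.finish(b"server", b.msg), b.finish(b"client", a.msg)
    return a.verify(conf_b) and b.verify(conf_a), a.Ke == b.Ke
```

Calling `run(b"pw", b"pw")` returns `(True, True)`: both confirmation MACs verify and both sides hold the same Ke. `run(b"pw", b"other")` fails closed, and so does `run(b"pw", b"pw", b"demo/1", b"demo/2")`, where the password matches but the two sides derived M and N from different protocol identifiers. That last case is the operational consequence of per-protocol constants that the thread asks the draft to spell out: implementations of different protocols cannot complete an exchange with each other, and a break of one protocol's constants does not transfer.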