Re: [kitten] SPAKE edwards25519 group

Benjamin Kaduk <kaduk@mit.edu> Mon, 11 September 2017 15:25 UTC

Date: Mon, 11 Sep 2017 10:25:26 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Cc: kitten@ietf.org
Message-ID: <20170911152526.GD96685@kduck.kaduk.org>
References: <x7dlglqzawl.fsf@equal-rites.mit.edu>
In-Reply-To: <x7dlglqzawl.fsf@equal-rites.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/3sLk6oscspNyhB7y7VtL0BhS62A>

On Thu, Sep 07, 2017 at 01:16:58PM -0400, Greg Hudson wrote:
> I would like to add a SPAKE group specification using the Edwards
> 2^255-19 curve used by the ed25519 signature algorithm.  I was recently
> able to implement this group by adapting the SPAKE2 code from
> BoringSSL.
> 
> I would like to specify that the new group is the only
> mandatory-to-implement group, as I believe that it is the easiest to
> implement in constant time and has the potential to be the most
> performant choice.  (P-256 may be more performant in practice in some
> situation, as OpenSSL normally uses an optimized assembly implementation
> of P-256, while the BoringSSL Edwards 25519 SPAKE code is in C.  But in
> my tests they're pretty close even so.)

In general I support this proposal.

> I would like to renumber the groups so that the new group is 1 and the
> three NIST groups are 2, 3, and 4.  As we have not assigned pa-data or
> key usage code points yet, there should be no interoperability issues
> with renumbering the groups.

Seems reasonable.

> I suggest the group name "edwards25519", which is used in RFC 7748.  The
> shorter name "ed25519" could create confusion with the ed25519 signature
> algorithm.

Sure.

> Here is the registry entry (please verify that my RFC 7748 and RFC 8032
> references seem correct):
> 
> * ID Number: 1
> * Name: edwards25519
> * Specification: [RFC7748] section 4.1 (edwards25519)

Yes, that's the right section for edwards25519, even though the section
title is Curve25519.  RFC 7748 does have an external reference for ed25519
(and the edwards25519 curve), which is a Springer publication, so the
RFC is probably better.

> * Serialization: [RFC8032] section 3.1

RFC 8032 seems to refer to bit-string serializations, whereas our group
elements are represented as octet strings.  RFC 8032 does describe packing
bit strings into octet strings in section 2, so perhaps the given reference
suffices.

> * Multiplier Length: 32
> * Multiplier Conversion: RFC 8032 section 3.1
> * SPAKE M Constant: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
> * SPAKE N Constant: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778
> 
> To justify the M and N values (which are the same ones used by
> BoringSSL), I would like to add an appendix B titled "SPAKE M and N
> Value Selection" with the text:

Sure.

>     The M and N constants for the edwards25519 group are the SHA-256
>     hashes [RFC6234] of "edwards25519 point generation seed (M)" and
>     "edwards25519 point generation seed (N)" respectively.  Both hashes
>     decode to valid curve points.
> 
> (The BoringSSL SPAKE2 code includes a whole bit of Python code in a
> comment which would iterate the SHA-256 hash until a valid curve point
> is found.  But it turns out both seeds hash to a valid curve point
> immediately.)
> 
> Convenience links:
> 
> https://tools.ietf.org/html/rfc7748
> https://tools.ietf.org/html/rfc8032
> https://tools.ietf.org/html/draft-ietf-kitten-krb-spake-preauth-00

It would be good to hear some additional feedback before pushing an
updated version of the document.  Does anyone want to speak for
or against adding the edwards25519 curve and making it MTI?

-Ben
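The appendix text quoted above says M and N are simply SHA-256 of two seed strings and that each digest already decodes as an edwards25519 point. The following is an added worked check of that claim; it is not code from the draft, from BoringSSL, or from either poster. The seed strings and the two registry constants are taken from the quoted message; the field arithmetic and the point decoder are a transcription of RFC 8032 section 5.1.3 written out here for illustration, and the re-encoding at the end is the octet-string serialization the registry entry points at (RFC 8032 section 3.1, packed per section 2).

```python
"""
Added example: derive the edwards25519 SPAKE M and N constants from their
seed strings and verify that each decodes as a point on the curve.
Not the draft's, BoringSSL's, or the thread's own code.
"""
import hashlib

# edwards25519 parameters (RFC 7748 section 4.1 / RFC 8032 section 5.1)
P = 2**255 - 19
D = (-121665 * pow(121666, -1, P)) % P
SQRT_M1 = pow(2, (P - 1) // 4, P)   # sqrt(-1) mod p, needed when v*x^2 == -u

# Seed string format from the proposed appendix B
SEED = "edwards25519 point generation seed (%s)"

# Constants as they appear in the proposed registry entry
EXPECTED = {
    "M": "5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e",
    "N": "10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778",
}


def derive_constant(name: str) -> bytes:
    """SHA-256 of the seed string.  The appendix says this first digest
    already decodes, so no hash-again-until-valid loop is required."""
    return hashlib.sha256((SEED % name).encode("ascii")).digest()


def decode_point(b: bytes):
    """RFC 8032 section 5.1.3 decoding.  Returns (x, y), or None when the
    32 octets are not the encoding of a point on edwards25519."""
    if len(b) != 32:
        return None
    y = int.from_bytes(b, "little")
    x_0 = y >> 255                     # the sign bit of x rides in the top bit
    y &= (1 << 255) - 1
    if y >= P:
        return None
    u = (y * y - 1) % P
    v = (D * y * y + 1) % P
    # candidate square root of u/v for p = 5 (mod 8)
    x = (u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P)) % P
    vxx = (v * x * x) % P
    if vxx == u:
        pass
    elif vxx == (-u) % P:
        x = (x * SQRT_M1) % P
    else:
        return None                    # u/v is not a square: no such point
    if x == 0 and x_0 == 1:
        return None
    if (x & 1) != x_0:
        x = P - x
    return x, y


def on_curve(pt) -> bool:
    """Independent check of -x^2 + y^2 = 1 + d*x^2*y^2 (mod p)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def encode_point(pt) -> bytes:
    """RFC 8032 encoding: little-endian y with the low bit of x in bit 255."""
    x, y = pt
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def check_constant(name: str) -> dict:
    """Derive one constant and report every property the appendix relies on."""
    raw = derive_constant(name)
    pt = decode_point(raw)
    return {
        "hex": raw.hex(),
        "matches_registry": raw.hex() == EXPECTED[name],
        "decodes": pt is not None,
        "on_curve": pt is not None and on_curve(pt),
        "round_trips": pt is not None and encode_point(pt) == raw,
    }


if __name__ == "__main__":
    for name in ("M", "N"):
        print(name, check_constant(name))
```

Running the script prints a dictionary per constant; an implementer porting the group can drop the same decoder over the registry values to confirm they have copied the octets in the right order, since a byte-swapped constant will usually fail either the `decodes` or the `matches_registry` check.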