IETF Logo Mail Archive

[kitten] SPAKE edwards25519 group

Greg Hudson <ghudson@mit.edu> Thu, 07 September 2017 17:17 UTC

Return-Path: <ghudson@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2854132992 for <kitten@ietfa.amsl.com>; Thu, 7 Sep 2017 10:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DcdIFubK20Tp for <kitten@ietfa.amsl.com>; Thu, 7 Sep 2017 10:17:02 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34BED132962 for <kitten@ietf.org>; Thu, 7 Sep 2017 10:17:02 -0700 (PDT)
X-AuditID: 12074424-2c5ff70000002172-2e-59b17f0c58a4
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id E4.C8.08562.C0F71B95; Thu, 7 Sep 2017 13:17:00 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v87HGxKd007275 for <kitten@ietf.org>; Thu, 7 Sep 2017 13:16:59 -0400
Received: from localhost (EQUAL-RITES.MIT.EDU [10.18.1.59]) (authenticated bits=0) (User authenticated as ghudson@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v87HGwhc022943 for <kitten@ietf.org>; Thu, 7 Sep 2017 13:16:59 -0400
From: Greg Hudson <ghudson@mit.edu>
To: kitten@ietf.org
Date: Thu, 07 Sep 2017 13:16:58 -0400
Message-ID: <x7dlglqzawl.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprIIsWRmVeSWpSXmKPExsUixCmqrMtTvzHSoP2nsMXRzatYHBg9liz5 yRTAGMVlk5Kak1mWWqRvl8CV0dX1gqnggFDFxf9RDYy9/F2MnBwSAiYSbxZ2snUxcnEICSxm klj68DqUc4xR4tXNJYwQTjuTxN1Vu9hBWtgElCXW79/KAmKLCAhL7N76jhnEFhZQlPixYy1Q nIODRUBV4vvOTJAwr4ChxP7pR1ghbEGJkzOfgLUyC0hIHHzxgnkCI/csJKlZSFILGJlWMcqm 5Fbp5iZm5hSnJusWJyfm5aUW6Zrr5WaW6KWmlG5iBIUAu4vKDsbuHu9DjAIcjEo8vBbBGyOF WBPLiitzDzFKcjApifIe1wAK8SXlp1RmJBZnxBeV5qQWH2KU4GBWEuGVrwbK8aYkVlalFuXD pKQ5WJTEecU1GiOEBNITS1KzU1MLUotgsjIcHEoSvI51QI2CRanpqRVpmTklCGkmDk6Q4TxA w6trQYYXFyTmFmemQ+RPMUpKifM+BEkIgCQySvPgel8xigO9IMwbDZLlAcYzXNcroIFMQANL nm8AGViSiJCSamDcc7p/h5D1fV/Nx5OObPgq15fy+GO0lsbC5n2bF5e+X3jqfdnfWVLmaxIc HXq4/3kmdbHsV9tTuGEPB89n0wa/il+fpSQXhrCeYpwny6NkGXnmUubW/2xBF7+scb+66a3F MYNbsfF93E8MBVr3Ne4VnLdigYB/WXdZ5PoCFYuVNx5snrdpx/wwJZbijERDLeai4kQAoacX kaQCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ORp_EEMKm2As74qcII3EeJVajto>
Subject: [kitten] SPAKE edwards25519 group
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 17:17:04 -0000

I would like to add a SPAKE group specification using the Edwards
2^255-19 curve used by the ed25519 signature algorithm.  I was recently
able to implement this group by adapating the SPAKE2 code from
BoringSSL.

I would like to specify that the new group is the only
mandatory-to-implement group, as I believe that it is the easiest to
implement in constant time and has the potential to be the most
performant choice.  (P-256 may be more performant in practice in some
situation, as OpenSSL normally uses an optimized assembly implementation
of P-256, while the BoringSSL Edwards 25519 SPAKE code is in C.  But in
my tests they're pretty close even so.)

I would like to renumber the groups so that the new group is 1 and the
three NIST groups are 2, 3, and 4.  As we have not assigned pa-data or
key usage code points yet, there should be no interoperability issues
with renumbering the groups.

I suggest the group name "edwards25519", which is used in RFC 7748.  The
shorter name "ed25519" could create confusion with the ed25519 signature
algorithm.

Here is the registry entry (please verify that my RFC 7748 and RFC 8032
references seem correct):

* ID Number: 1
* Name: edwards25519
* Specification: [RFC7748] section 4.1 (edwards25519)
* Serialization: [RFC8032] section 3.1
* Multiplier Length: 32
* Multiplier Conversion: RFC 8032 section 3.1
* SPAKE M Constant: 5ada7e4bf6ddd9adb6626d32131c6b5c51a1e347a3478f53cfcf441b88eed12e
* SPAKE N Constant: 10e3df0ae37d8e7a99b5fe74b44672103dbddcbd06af680d71329a11693bc778

To justify the M and N values (which are the same ones used by
BoringSSL), I would like to add an appendix B titled "SPAKE M and N
Value Selection" with the text:

    The M and N constants for the edwards25519 group are the SHA-256
    hashes [RFC6234] of "edwards25519 point generation seed (M)" and
    "edwards25519 point generation seed (N)" respectively.  Both hashes
    decode to valid curve points.

(The BoringSSL SPAKE2 code includes a whole bit of Python code in a
comment which would iterate the SHA-256 hash until a valid curve point
is found.  But it turns out both seeds hash to a valid curve point
immediately.)

Convenience links:

https://tools.ietf.org/html/rfc7748
https://tools.ietf.org/html/rfc8032
https://tools.ietf.org/html/draft-ietf-kitten-krb-spake-preauth-00

v2.23.0 | Report a Bug | By Email