Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
Nico Williams <nico@cryptonector.com> Tue, 12 May 2015 21:47 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD821AD28D for <kitten@ietfa.amsl.com>; Tue, 12 May 2015 14:47:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.066
X-Spam-Level:
X-Spam-Status: No, score=-1.066 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_101=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f3TBOYY2uPDz for <kitten@ietfa.amsl.com>; Tue, 12 May 2015 14:47:43 -0700 (PDT)
Received: from homiemail-a24.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 43A2D1A9239 for <kitten@ietf.org>; Tue, 12 May 2015 14:47:43 -0700 (PDT)
Received: from homiemail-a24.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a24.g.dreamhost.com (Postfix) with ESMTP id 102A52C808C; Tue, 12 May 2015 14:47:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=grew+XxynUw9Ua 9heBhyVKEnz5w=; b=nC8npNWDPa2WZzoVV+YKImYAjwvky/IzzTyuSjdDcWXBQO Fes0SIgN1xET98D9KVU5IKGAs8HZgeieFB9Ow7EuEhSoow6s68EdOtkon2bEzLnk fv6Bip3cvOn/vsEPyUCnBZcvTWbsXaUKGC5qokhCV0pj4wpVSmXtGs6tthtSA=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a24.g.dreamhost.com (Postfix) with ESMTPA id 7A6302C806E; Tue, 12 May 2015 14:47:42 -0700 (PDT)
Date: Tue, 12 May 2015 16:47:41 -0500
From: Nico Williams <nico@cryptonector.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20150512214740.GT7287@localhost>
References: <x7dk2wd6355.fsf@equal-rites.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <x7dk2wd6355.fsf@equal-rites.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/p8HbhMU6ipTmXPr1BebmV2-ANYs>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 21:47:44 -0000
On Tue, May 12, 2015 at 02:51:02PM -0400, Greg Hudson wrote: > For CFRG curves (when they exist), we'll be done; CFRG curves accept > uniformly distributed bytes as input and force them into appropriate > form for a scalar. For instance, for curve25519/ed25519, five bits of > the input are forced to specific values. Will that be true for other CFRG curves? I hope so, that'd be nice. > For P-256, P-384, and P-521, we need a large integer in the range of the > group order, which is not bit-aligned. The simplest option is to just > decode the bytes as a bignum and let the resulting distribution of > scalar values be somewhat non-uniform (a small fraction of scalar values > are effectively twice as likely as the other ones). I don't think this > slight non-uniformity is a problem, and so far the people I have talked > to have agreed. But I'd like to check here, and will probably also need > to solicit opinions from Walter Ladd and maybe others. Yes, this is really a question for Watson Ladd in particular and CFRG in general. My take is that the public values being of the for xG + wM, where x should be a randomly and uniformly chosen scalar, the xG term will cause the public value to be as uniformly distributed as x regardless of how non-uniform w might be. So I think there's no harm in picking a simple mapping from the long-term key to w, provided there's a way to abstract this (see below). However, don't you run into the same problem when generating the ephemeral scalars? Or does OpenSSL provide a function for that? If distributions of both w and x are uniform, then I don't know if x's mere randomness is enough (again, a question for Watson L.). > I don't know if there are likely to be additional considerations for > other old curves. For example, if the curve cofactor is not 1, do we > need to make sure the scalar value is divisible by the cofactor? This Yes. > ties into the larger question of whether we can really make SPAKE > preauth work with arbitrary non-CFRG curves without additional per-curve > specification. Can we define a curve abstraction that provides what we need? - random2scalar(r) -> scalar - randomscalar() -> scalar - dh(s) -> public # for Curve25519-like curves - dh_sharedsecret(s, public) -> secret # for Curve25519-like curves - scalarmult(s, point) -> point # generic; points are opaque - add(point1, point2) -> point - sub(point1, point2) -> point - encode_point(point) -> octet string - decode_point(octet string) -> point - point_x(point) -> x scalar - point_y(point) -> y scalar - make_point(x, y) -> point ... Ideally CFRG should be providing this for its curves. It should be pssible to implement such things for other curves too. Some of the above abstractions are a consequence of CFRG electing to leave point encoding to each curve for DH (and, if it were useful, perhaps for signatures too, though that's a debate that hasn't happened yet). > Whatever we do needs to be well-specified (or we will have > interoperability issues), and cannot contain inherent timing channels > since it operates on a secret input. Yes. Nico --
- [kitten] SPAKE preauth: generation of SPAKE2 secr… Greg Hudson
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nathaniel McCallum
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Benjamin Kaduk
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Benjamin Kaduk
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Simo Sorce
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Greg Hudson
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Nico Williams
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Watson Ladd
- Re: [kitten] SPAKE preauth: generation of SPAKE2 … Greg Hudson