Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input

Nico Williams <nico@cryptonector.com> Thu, 14 May 2015 16:11 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 923971A87A4 for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 09:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.266
X-Spam-Level:
X-Spam-Status: No, score=-0.266 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TtMvxGC7sitq for <kitten@ietfa.amsl.com>; Thu, 14 May 2015 09:11:01 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 63D0E1A87A9 for <kitten@ietf.org>; Thu, 14 May 2015 09:10:58 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTP id 3F089540A5; Thu, 14 May 2015 09:10:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=XqZDSKd0aNaMWz OBU//asyf6L78=; b=hGRU3jTQ94ewkGwVUIvSJneogLK17xOA+6Xj65LHpQHsMA Q1JgiaMplO6QZw/o84xMhWN04z+nrJRSHbIJKrLlkMR4q2DjGqUs1DIEMZgSebdx ULh4YhPO4mEPFkD0kRIVLn/IltsfnF/SKAKRhaJUfidGCosLfFW1189iJAFv0=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTPA id 9DA345408A; Thu, 14 May 2015 09:10:57 -0700 (PDT)
Date: Thu, 14 May 2015 11:10:56 -0500
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20150514160556.GE7287@localhost>
References: <x7dk2wd6355.fsf@equal-rites.mit.edu> <20150512214740.GT7287@localhost> <1431525091.3260.26.camel@redhat.com> <CACsn0cm9AEG+oi8S+trhvyHpFFLF=-tG4Qazp5e6SgnS037K+Q@mail.gmail.com> <20150513160549.GV7287@localhost> <CACsn0cnO0To1a77x0Tp+Qk414Zv_yqnoC-wuS4vgJbQN+mV+7Q@mail.gmail.com> <alpine.GSO.1.10.1505140017320.22210@multics.mit.edu> <alpine.GSO.1.10.1505141027470.22210@multics.mit.edu> <CACsn0ckNMva3JU=6pi0CX7KUh-3bqpvSr_Zpx2XLvxVsUL3b_Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACsn0ckNMva3JU=6pi0CX7KUh-3bqpvSr_Zpx2XLvxVsUL3b_Q@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/u-A2Eg2hrLjBp-rgTUHHVK7utrg>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 16:11:02 -0000

On Thu, May 14, 2015 at 08:54:39AM -0700, Watson Ladd wrote:
> Yes, which implies that it is not uniformly distributed over the whole
> domain of strings of the length of w. Uniform distribution means
> uniform: if it only ever takes on values in some subset, it isn't
> uniform. The fact that guessing attacks are possible demonstrates,
> that after conditioning on public values, it isn't uniform over the
> entire range.

OK, fair enough, but what about x.  How critical is it that it be
uniformly distributed?  You answered "The question of how far
from uniform x may be distributed is a subtle one, but my guess is
that even gross deviations from uniformity are fine, so taking a bunch
of bytes mod the curve order is ok."  Can you refine this answer?

My guess is that indeed, x's uniformity is not that important, because
if it were a well-known constant then this protocol devolves into one
where the attacker still has to mount an off-line dictionary attack in
order to recover w and session keys, so as the range of x choices
improves, the attacker's position worsens.  But if we add in timing side
channels then x's "gross deviation" from unifomity might yield more
information, no?

Nico
--