Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input

Nico Williams <> Thu, 14 May 2015 16:11 UTC

Date: Thu, 14 May 2015 11:10:56 -0500
From: Nico Williams <>
To: Watson Ladd <>

On Thu, May 14, 2015 at 08:54:39AM -0700, Watson Ladd wrote:
> Yes, which implies that it is not uniformly distributed over the whole
> domain of strings of the length of w. Uniform distribution means
> uniform: if it only ever takes on values in some subset, it isn't
> uniform. The fact that guessing attacks are possible demonstrates
> that after conditioning on public values, it isn't uniform over the
> entire range.

OK, fair enough, but what about x.  How critical is it that it be
uniformly distributed?  You answered "The question of how far
from uniform x may be distributed is a subtle one, but my guess is
that even gross deviations from uniformity are fine, so taking a bunch
of bytes mod the curve order is ok."  Can you refine this answer?

My guess is that indeed, x's uniformity is not that important, because
if it were a well-known constant then this protocol devolves into one
where the attacker still has to mount an off-line dictionary attack in
order to recover w and session keys, so as the range of x choices
improves, the attacker's position worsens.  But if we add in timing side
channels then x's "gross deviation" from uniformity might yield more
information, no?
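The "bytes mod the curve order" question above can be quantified exactly. The following is an added example, not code from the thread or from any SPAKE2 implementation: it computes the statistical distance between "n random bits reduced mod q" and the uniform distribution on Z_q, using a small toy modulus so the whole distribution can be enumerated (a real group order is assumed to behave the same way, with the bias bounded by 2^-(n - log2 q)).

```python
"""
Added example: how far from uniform is a scalar derived as
"random bytes mod the group order q"?  The bias is computed exactly
for a toy q; the bound at the end applies to any q.
"""
from fractions import Fraction
import os


def mod_reduction_distribution(nbits: int, q: int) -> list:
    """Exact probability of each residue r in Z_q when a uniform
    nbits-bit integer is reduced mod q."""
    total = 1 << nbits
    base, extra = divmod(total, q)
    # residues 0..extra-1 are hit (base+1) times, the others base times
    return [Fraction(base + (1 if r < extra else 0), total) for r in range(q)]


def statistical_distance(nbits: int, q: int) -> Fraction:
    """Total variation distance between 'nbits random bits mod q' and
    the uniform distribution on Z_q.  Closed form: extra*(q-extra)/(q*2^nbits),
    which is at most q/2^nbits, i.e. 2^-(nbits - log2 q)."""
    dist = mod_reduction_distribution(nbits, q)
    uniform = Fraction(1, q)
    return sum(abs(p - uniform) for p in dist) / 2


def random_scalar(q: int, extra_bytes: int) -> int:
    """Derive a scalar in [1, q-1] by reducing len(q)+extra_bytes random
    bytes mod q.  extra_bytes sets the bias: roughly 2^-(8*extra_bytes)
    statistical distance from uniform.  Zero is rejected because it would
    make the derived public value degenerate."""
    nbytes = (q.bit_length() + 7) // 8 + extra_bytes
    while True:
        x = int.from_bytes(os.urandom(nbytes), "big") % q
        if x != 0:
            return x


if __name__ == "__main__":
    q = 200  # constructed toy modulus, not a real curve order
    for nbits in (8, 16, 24):
        d = statistical_distance(nbits, q)
        print(f"{nbits:2d} bits mod {q}: distance {float(d):.3e}, bound {2.0 ** -(nbits - 7.64):.3e}")
```

With 8 bits mod 200 the distance is 0.1575 (gross bias); each extra byte reduced shrinks it by roughly 2^-8, which is the reasoning behind oversampling before reduction.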