IETF Logo Mail Archive

Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input

Nico Williams <nico@cryptonector.com> Wed, 13 May 2015 16:05 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB5001A8AC0 for <kitten@ietfa.amsl.com>; Wed, 13 May 2015 09:05:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AySn_g3eYR9y for <kitten@ietfa.amsl.com>; Wed, 13 May 2015 09:05:54 -0700 (PDT)
Received: from homiemail-a24.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id AD9AA1A8A48 for <kitten@ietf.org>; Wed, 13 May 2015 09:05:52 -0700 (PDT)
Received: from homiemail-a24.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a24.g.dreamhost.com (Postfix) with ESMTP id 7D5322C8094; Wed, 13 May 2015 09:05:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=GHqk8XYfvccRD2 dJacqnifYRXVo=; b=uFeso2B8R9gkRr6itgIbR8opzKPb+IH1xJqLM9MoaJG7eF GGooDhF6oVJaQFGZlgXnaVA74yJYxfy8yscPIVJ3Ge4LSYIDa6trhZsdkR0prjG5 gM33T9kHG8VaZKkrfHMJU8lzyMKaSngiKJ+L9qwTgM+tmfHQ2ql9IZ5qGyLP4=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a24.g.dreamhost.com (Postfix) with ESMTPA id 002292C808C; Wed, 13 May 2015 09:05:51 -0700 (PDT)
Date: Wed, 13 May 2015 11:05:51 -0500
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20150513160549.GV7287@localhost>
References: <x7dk2wd6355.fsf@equal-rites.mit.edu> <20150512214740.GT7287@localhost> <1431525091.3260.26.camel@redhat.com> <CACsn0cm9AEG+oi8S+trhvyHpFFLF=-tG4Qazp5e6SgnS037K+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0cm9AEG+oi8S+trhvyHpFFLF=-tG4Qazp5e6SgnS037K+Q@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <http://mailarchive.ietf.org/arch/msg/kitten/y3fwz8RkNYyjzLIc29afdoIaE2A>
Cc: kitten@ietf.org
Subject: Re: [kitten] SPAKE preauth: generation of SPAKE2 secret input
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 16:05:59 -0000

On Wed, May 13, 2015 at 07:17:59AM -0700, Watson Ladd wrote:
> >> My take is that the public values being of the for xG + wM, where x
> >> should be a randomly and uniformly chosen scalar, the xG term will
> >> cause
> >> the public value to be as uniformly distributed as x regardless of
> >> how
> >> non-uniform w might be.  So I think there's no harm in picking a
> >> simple
> >> mapping from the long-term key to w, provided there's a way to
> >> abstract
> >> this (see below).
> 
> w is not distributed uniformly: far from it. The question of how far

That depends on how its salted.  For our purposes, in practice it's not.

> from uniform x may be distributed is a subtle one, but my guess is
> that even gross deviations from uniformity are fine, so taking a bunch
> of bytes mod the curve order is ok. But rejection sampling or modular
> reduction of longer strings are both easy to implement to sidestep
> this issue.

That's what I thought.

> SPAKE2 requires addition be supported. That rules out Kummer lines.
> The CFRG has not specified a model and how to encode points on that
> for addition to work. When they do I will modify the draft
> accordingly.
> 
> However, I don't understand why the above abstraction isn't an
> implementation detail only. All one has to provide to use this draft
> are two generators and how to encode group elements. The algorithms
> for addition, multiplication etc. will be documented in the CFRG
> eventually. It's true that many groups only come with one canonical
> generator, but any sort of hashing method will give you two
> generators.

It absolutely could be an implementation-only abstraction.  If it will
be useful for many implementations though, it'd be useful to write that
up.  In particular, adding curves to an implementation will be easy if
there is such an abstraction internally.

(This was in response to an off-list question by an implementor about
how to make it easy to add curves to their implementation given that
they are using OpenSSL, without first having to add them to OpenSSL.
Two simple answers are: don't, or add such an abstraction.)

Nico
--

v2.23.0 | Report a Bug | By Email