Re: [Cfrg] I-D Action: draft-irtf-cfrg-spake2-03.txt

Greg Hudson <ghudson@mit.edu> Mon, 15 February 2016 16:23 UTC

References: <20160215145643.14144.52226.idtracker@ietfa.amsl.com>
To: cfrg@ietf.org
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <56C1FB64.1080309@mit.edu>
Date: Mon, 15 Feb 2016 11:23:00 -0500
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/6Cawa1xnDA2OhSLdqOFpqS2_t2M>

On 02/15/2016 09:56 AM, internet-drafts@ietf.org wrote:
> 	Filename        : draft-irtf-cfrg-spake2-03.txt

I am pleased to see progress on this draft.

The formatting of the new formula for K' in section 2.2 is a little off
in its use of whitespace.

SPAKE2+ doesn't use w0 or w1 in the derivation of K'.  Obviously it
can't use w1 as B doesn't have it, but can we call this an augmented
version of SPAKE2 if it more closely resembles SPAKE1?  Should it use w0?

The description of SPAKE2+ still refers to "Bob" in one place.

In section 3, the formatting of the Python code is mangled.  Calls to
ec.canon_pointstr() should be changed to canon_pointstr() since you've
defined that as a function.

In section 3, the description of the algorithm still doesn't match the
actual algorithm used, although it's closer in some details.  The first
mismatch comes from these two passages:

    This string is turned into an infinite sequence of bytes by hashing
    with SHA256, and hashing that output again to generate the next 32
    bytes, and so on.

    If this is impossible, then the next non-overlapping segment of
    sufficient length is taken.

The actual algorithm doesn't use non-overlapping segments of an infinite
sequence of bytes; instead it uses overlapping concatenations of hash
blocks for successive trials.  For P-521, the first trial uses H1|H2|H3
(where H1 is hash of the string, H2 is the hash of H1, etc.) truncated
to 65 bytes; the second trial uses H2|H3|H4 truncated, etc.

The second mismatch comes from this passage:

    We multiply that point by the cofactor h, and if that is not the
    identity, output it.

The Python code multiplies the point by the generator order (p), and if
that *is* the identity, outputs the point.  The difference is that the
Python code discards points of order 2p, 4p, ..., hp.  This difference
is irrelevant for P-256 and P-521 which have cofactor 1.
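The point-derivation procedure described in the message above (a SHA256 hash chain, sliding-window trials, and the multiply-by-the-group-order identity check), as an added Python example that is neither the draft's code nor Greg's. It assumes P-256 with its standard parameters so that a trial is a single 32-byte block, shows the 65-byte three-block window for the P-521 case, and `nonoverlapping_trials` is one hypothetical reading of the draft's prose for contrast.

```python
import hashlib

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # P-256 prime
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b  # P-256 b (a = -3)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # P-256 group order

def hash_blocks(seed, count):
    """[H1, H2, ...] with H1 = SHA256(seed) and H(i+1) = SHA256(Hi)."""
    out, h = [], seed
    for _ in range(count):
        h = hashlib.sha256(h).digest()
        out.append(h)
    return out

def overlapping_trials(seed, nbytes, count):
    """What the code does: trial i is H(i+1)|H(i+2)|... cut to nbytes, a sliding window."""
    k = -(-nbytes // 32)                      # hash blocks per trial: 3 for 65 bytes (P-521)
    blocks = hash_blocks(seed, count + k - 1)
    return [b"".join(blocks[i:i + k])[:nbytes] for i in range(count)]

def nonoverlapping_trials(seed, nbytes, count):
    """One reading of the prose (hypothetical): consecutive nbytes slices of the byte stream."""
    stream = b"".join(hash_blocks(seed, -(-nbytes * count // 32)))
    return [stream[i * nbytes:(i + 1) * nbytes] for i in range(count)]

def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    acc = None
    while k:
        acc, pt, k = (ec_add(acc, pt) if k & 1 else acc), ec_add(pt, pt), k >> 1
    return acc

def find_point(seed, max_trials=64):
    """(trial index, point) for the first x on the curve whose point times N is the identity."""
    for i, cand in enumerate(overlapping_trials(seed, 32, max_trials)):
        x = int.from_bytes(cand, "big")
        rhs = (x * x * x - 3 * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)         # candidate square root; valid since P % 4 == 3
        if x < P and y * y % P == rhs and ec_mul(N, (x, y)) is None:
            return i, (x, y)
```

On P-256 the order check never rejects a curve point, which is the cofactor-1 observation above; the window logic is where the two descriptions diverge.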