From nobody Tue Sep 7 01:41:42 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE79F3A14F6 for ; Tue, 7 Sep 2021 01:41:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.848 X-Spam-Level: X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NGFzhDpHPSb9 for ; Tue, 7 Sep 2021 01:41:38 -0700 (PDT) Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9D7A3A14F1 for ; Tue, 7 Sep 2021 01:41:37 -0700 (PDT) Received: by mail-ej1-x630.google.com with SMTP id e21so18123324ejz.12 for ; Tue, 07 Sep 2021 01:41:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:from:subject:message-id:date:user-agent:mime-version; bh=2TFLTd+HVTkepsuST/xPry5dp4XVMGoSXF//2OFkzMc=; b=Lry/j8mDSIXEMfgxMV8XDPbN/scuOBV8HPlk0F/Ei8+/mKdf9ChdE9h2mAcsX4oUDa p5+3/59IqtMoSEempf6FoalE56lKOD8g/VrIBPHDDnRsf3anMXLCjYdXZAL7E98iopcn XkrPZiwV/9hKTigKLO0xKpfUDWxaCfNL+714IqGv09h6fYzNIefGItBxXaJJixbGrYxb WM9B5tQWCLFW80j374Ljr1/k9gDY+VP3LudDQmJ2lapU/mh8+gBX6E9rArI9pYZKop0P wqJwmORcCE5R46hxq3+C5JDnnwrkEMWfUNBzpEZtZMwQIxFs4ZUFBxKzD/WN7Hr6ohTK hSpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version; bh=2TFLTd+HVTkepsuST/xPry5dp4XVMGoSXF//2OFkzMc=; b=a7BRo4TvxZkMRyXorYgv3jfNBfrf2/2dUxuyhT0yN0+3tivT6t/wM4Jr+/hAHFmdXz NHlWYwPqSu77PtXE9dGdrFZMUiWFHzvyyqwaK88EqRan9blQDFoO1GoxWgdudAEfBqvV Hua6OkY6QOuP9uQ0KMu8wxML2kKxFHsVXHRTv4ciFcRLmQywVWfdb4K9Hlmk8ri4gASq HCumN+uN88UWWu+0EwSkYZ9hq+dfhO9amKBqJqtc/vSF1H7gIrrSBwK+LYschcRGCoZH ogGTt7Z6fzo9Tvv6pgJVWkuJ8d/evg/xwm/jSqStauLZuqVBt4vHuKLSNIvfFYDaSdj7 grSA== X-Gm-Message-State: AOAM533Z73//ClHrQRHRkf/AeN10mVbIGs1LwgqKgsAonG8GT0mDVWBs SqCWJ1+jeKabUR37xpTTISo= X-Google-Smtp-Source: ABdhPJxZ32Ol+Ro7rrmCmCPZecIQjxaZWKzh5+Hq283CtPWZ661f4HyMj8b3+azrV8Au9S5BNmNQ0A== X-Received: by 2002:a17:906:ed1:: with SMTP id u17mr17806115eji.304.1631004095437; Tue, 07 Sep 2021 01:41:35 -0700 (PDT) Received: from ?IPv6:2001:620:20:16:ffff:0:8a5d:8611? ([2001:620:20:16:ffff:0:8a5d:8611]) by smtp.gmail.com with ESMTPSA id b2sm5133517ejj.124.2021.09.07.01.41.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Sep 2021 01:41:35 -0700 (PDT) To: crypto-panel@irtf.org, watsonbladd@gmail.com, kaduk@mit.edu, cfrg@ietf.org From: Julia Hesse Message-ID: Date: Tue, 7 Sep 2021 10:41:35 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="------------85F3B6315A9B5E6F23ABD772" Archived-At: Subject: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Sep 2021 08:41:41 -0000 This is a multi-part message in MIME format. --------------85F3B6315A9B5E6F23ABD772 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Dear all, below is a review of the latest SPAKE2 draft. I did not verify changes in test vectors. The // - questions were posted by Chris Wood here https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e and my * comments are about how they were addressed. Best regards, Julia // - Should we include a definition of UKS attacks inline, rather than cite draft-ietf-mmusic-sdp-uks?     * Resolved. Maybe substitute "over who is authenticated" by "over whom the key is shared with"? Because this is tied to the key. // - Should SPAKE2 require that the output length of Hash is at least 256-bits? (It's output is split in half to derive Ke and Ka, and we probably want those to have at least 128 bits.)     * Watson said he will add the requirement, but I cannot seem to find it. However, all ciphersuites use at least SHA-256 and it is very clear from the draft that the key length is half of the hash output. So I do not see the need to edit further in this regard. // - What does it mean to exchange messages symmetrically? (In the per-user M and N section)     * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?) // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include?     * Resolved // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check. // - There are currently no test vectors that include AAD -- should we add some?     * I have not verified these two. // - Why is len() a little-endian output?     * I agree with Watson to be consistent with Kerberos here // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation?     * Resolved Some more comments, not related to the IRSG review, below. I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..." The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule. p.2 The KDF has only 3 inputs, but a fourth (key length L) is described in the text p.3 servers -> serves flow figure should include "verify cA" and "verify cB", since it is a MUST. p.4 remove unnecessary variables T and S? E.g., directly set pB=w*N+Y. --------------85F3B6315A9B5E6F23ABD772 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit Dear all,

below is a review of the latest SPAKE2 draft. I did not verify changes in test vectors. The // - questions were posted by Chris Wood here https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e
and my * comments are about how they were addressed.

Best regards,
Julia


// - Should we include a definition of UKS attacks inline, rather than cite draft-ietf-mmusic-sdp-uks?
    * Resolved. Maybe substitute "over who is authenticated" by "over whom the key is shared with"? Because this is tied to the key.

// - Should SPAKE2 require that the output length of Hash is at least 256-bits? (It's output is split in half to derive Ke and Ka, and we probably want those to have at least 128 bits.)
    * Watson said he will add the requirement, but I cannot seem to find it. However, all ciphersuites use at least SHA-256 and it is very clear from the draft that the key length is half of the hash output. So I do not see the need to edit further in this regard.

// - What does it mean to exchange messages symmetrically? (In the per-user M and N section)
    * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?)

// - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include?
    * Resolved

// - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check.
// - There are currently no test vectors that include AAD -- should we add some?
    * I have not verified these two.

// - Why is len() a little-endian output?
    * I agree with Watson to be consistent with Kerberos here

// - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation?
    * Resolved

Some more comments, not related to the IRSG review, below.

I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..."

The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule.

p.2
The KDF has only 3 inputs, but a fourth (key length L) is described in the text

p.3
servers -> serves
flow figure should include "verify cA" and "verify cB", since it is a MUST.

p.4
remove unnecessary variables T and S? E.g., directly set pB=w*N+Y.
--------------85F3B6315A9B5E6F23ABD772-- From nobody Wed Sep 8 13:40:25 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F4E63A3742 for ; Wed, 8 Sep 2021 13:39:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWERwxs_VIjX for ; Wed, 8 Sep 2021 13:39:37 -0700 (PDT) Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 436693A3743 for ; Wed, 8 Sep 2021 13:39:37 -0700 (PDT) Received: by mail-io1-xd30.google.com with SMTP id j18so4986409ioj.8 for ; Wed, 08 Sep 2021 13:39:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=lNhUoKhx5YO6rKZSBSrQfGoC1lGrlbIAAk1SB2e/zAI=; b=SX+M5++Fw7u7GW5C3GUSfTh0pJ4E58w+fW1EuNqyRkx4TmyQW1fqFTfoaB7UTALO8r 2m+4yFe1s9xK2gDxCDTMxuOi7BgnltpsSeYxjg2oMc0tfwzwkmKLpTR7Pm/ay3AXEXH5 yLGSTXn70QGUGx0eptYfFOElQMymmN0x2Mj610AoD0Qh20nNcKuaOLU9qWrudbPAIBYc BmRPFeuyXi+H69qnY0ALUcH8VAZR457mCHjaF0BjJDOkr91c+jIj84Es8Zt9w8nugdyS FwkYmQi6M+Een+KnOqbSJqFhFOvJSrvRK/PH3Mfy9517VIKrDsSrOP0JIhnZ8iqa3gZ8 6+7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=lNhUoKhx5YO6rKZSBSrQfGoC1lGrlbIAAk1SB2e/zAI=; b=h8Sq56RwVMU/c3jatafcWEk/hCtwl5NeGYCY+j53fvsnVecwwbyxAZWOmRanhB47pH AJi556B6NYCVeHOOwVcOVpj2DYDlU0QJI+nVwZ1hDAh+gRvcRbbnxxpFRvRWTxNxIIkE 8QqLi7HzOAqaHk4D/ed4I1VCDD+AYR8/bGbzkWwh+yy85fsOdCqKRSBFdvZw73jc2gIV sXKVTYKFf6ls09Imjs19lKCrnSFz38Y8YNS6YPbp2qcy57s42r6Thx5zD1AoJqRB4g+8 sUawvZg4NzYTfLtaRogj+PGECL6rOZgW2qWakOUlL3lympCreZiiic+vqsYDnr8hLXVJ 2SLg== X-Gm-Message-State: AOAM531fF3knLSdhjdY6hh21r/TTKpKI+LLBHP6USG/pSx5cm4wU9AVY prE4QGe/DhY2MoSSQ/61IWMfnsTuwC6ScoPsrwE= X-Google-Smtp-Source: ABdhPJyk4dTktkjLfa87GwmAJ8dJpxVQXnUgCj3ZdFaX3PSbDkzH+D8tq7uoS7R+drsWBozBNLKXrZBE5z4XYX2RTbc= X-Received: by 2002:a02:9669:: with SMTP id c96mr216771jai.128.1631133575239; Wed, 08 Sep 2021 13:39:35 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Watson Ladd Date: Wed, 8 Sep 2021 16:39:24 -0400 Message-ID: To: Julia Hesse Cc: crypto-panel@irtf.org, Benjamin Kaduk , "" , Colin Perkins Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Sep 2021 20:39:42 -0000 On Tue, Sep 7, 2021 at 4:41 AM Julia Hesse wrote: > > Dear all, > > below is a review of the latest SPAKE2 draft. I did not verify changes in= test vectors. The // - questions were posted by Chris Wood here https://gi= st.github.com/chris-wood/2205c8e79b309adec5a785470d31226e > and my * comments are about how they were addressed. > > Best regards, > Julia > > > // - Should we include a definition of UKS attacks inline, rather than ci= te draft-ietf-mmusic-sdp-uks? > * Resolved. Maybe substitute "over who is authenticated" by "over who= m the key is shared with"? Because this is tied to the key. > > // - Should SPAKE2 require that the output length of Hash is at least 256= -bits? (It's output is split in half to derive Ke and Ka, and we probably w= ant those to have at least 128 bits.) > * Watson said he will add the requirement, but I cannot seem to find = it. However, all ciphersuites use at least SHA-256 and it is very clear fro= m the draft that the key length is half of the hash output. So I do not see= the need to edit further in this regard. I think it's worth adding "Keys MUST be at least 128 bits in length" to the first paragraph in section 4. > > // - What does it mean to exchange messages symmetrically? (In the per-us= er M and N section) > * Resolved. I suggest to remove "to have a symmetric variant" - it is= not needed and might cause confusion (variant of what?) It is needed: Magic Wormhole uses this variant. And the concern about who uses M and who uses N in cases where it isn't clear is best addressed by using this variant. > > // - Beyond scalar multiplication being constant time, are there any othe= r constant time considerations we should include? > * Resolved > > // - Why is Ke not included in the test vectors? It may be redundant, but= it seems useful as an additional sanity check. > // - There are currently no test vectors that include AAD -- should we ad= d some? > * I have not verified these two. > > // - Why is len() a little-endian output? > * I agree with Watson to be consistent with Kerberos here > > // - Should we clarify that the transcript assumes a particular point enc= oding scheme, and that is to be defined by the calling application or imple= mentation? > * Resolved > > Some more comments, not related to the IRSG review, below. > > I was missing a minimal list of data that A and B can start SPAKE2 from: = ciphersuite, pw, A, B, M, N - did I forget something? What about the output= key length? This can be easily included in 3.2, replacing "A and B are pro= visioned with information such as..." > > The document does not specify who uses M and who uses N. In the M\neq N v= ariant of the protocol, which is mostly described in this draft, this is re= levant, since no analysis was conducted in case A sends both xM and xN (a s= olution that implementors are not unlikely to come up with). I would includ= e an instruction in the RFC, e.g., that the application must ensure that M = and N are assigned to A and B, e.g., by having them apply some lexicographi= cally-first-... rule. I'm not sure I follow the issue. The sentence says 'A picks x randomly and uniformly from the integers in [0,p), and calculates X=3Dx*P and S=3Dw*M+X, then transmits pA=3DS to B.' Alice is hence the initiatior. If it's impossible to do this easily then one of the M=3DN variants should be used. Most protocols have an asymmetry here where one side is initiating a request and the other receiving. Happy to add clarifying text. > > p.2 > The KDF has only 3 inputs, but a fourth (key length L) is described in th= e text > > p.3 > servers -> serves > flow figure should include "verify cA" and "verify cB", since it is a MUS= T. > > p.4 > remove unnecessary variables T and S? E.g., directly set pB=3Dw*N+Y. These editorial comments seem worthwile to fix. Side note to Colin: is there another set of reviews I should be waiting for at this stage? If not I should be able to fix these all pretty promptly. Sincerely, Watson Ladd -- Astra mortemque praestare gradatim From nobody Wed Sep 8 15:17:33 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76DBE3A0B22 for ; Wed, 8 Sep 2021 15:17:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.1 X-Spam-Level: X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=csperkins.org Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTq1FIZGocRk for ; Wed, 8 Sep 2021 15:17:24 -0700 (PDT) Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71F713A0B21 for ; Wed, 8 Sep 2021 15:17:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=csperkins.org; s=mythic-beasts-k1; h=To:Date:From:Subject; bh=jzJdYILw+JK60S8pGhZyrGcZiBtKqdWSqLC9c4lfAsM=; b=niKCmLqRQg/PaL5IfFMxSFPRGX aXwqlgAHbw5lHQwS3nfKAweVqUUlS+tCq5q4hMg20uFnJ3djAWo4abdIiIZbgmkBN8ifpIUGYzOYv 5ceOhuQYir8QEx5WVrAbRa+4aYEE8FB81Zeb9h0QSA6kNPlayj9wDCniPAk9lkpG9Y0KqIdKExteV bVvxw+630PQ9P/IELbodk3nnVJuEzzEs72dBdnK76s7dKDiwdVdncmP349ZYNGFuexZccSOiHKSwz Yi20yrlIuqLnctjSMHrCweeGulwNJ6zkb9iyPyGtaj3RzVdhnlpPbxY5EgLQFwPmN+1X8U1uWvx+/ YYCogfmg==; Received: from [81.187.2.149] (port=38309 helo=[192.168.0.83]) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1mO5sX-0004U7-S5; Wed, 08 Sep 2021 23:17:18 +0100 Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\)) From: Colin Perkins In-Reply-To: Date: Wed, 8 Sep 2021 23:17:08 +0100 Cc: Julia Hesse , crypto-panel@irtf.org, Benjamin Kaduk , "" Content-Transfer-Encoding: quoted-printable Message-Id: References: To: Watson Ladd X-Mailer: Apple Mail (2.3445.104.21) X-BlackCat-Spam-Score: 4 Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 08 Sep 2021 22:17:32 -0000 Hi, Thanks, Julia, for the review! > On 8 Sep 2021, at 21:39, Watson Ladd wrote: > On Tue, Sep 7, 2021 at 4:41 AM Julia Hesse = wrote: >>=20 >> Dear all, >>=20 >> below is a review of the latest SPAKE2 draft. I did not verify = changes in test vectors. The // - questions were posted by Chris Wood = here https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e >> and my * comments are about how they were addressed. >>=20 >> Best regards, >> Julia ... > These editorial comments seem worthwile to fix. Side note to Colin: is > there another set of reviews I should be waiting for at this stage? If > not I should be able to fix these all pretty promptly. I believe this was the final review, although I=E2=80=99ll let the RG = chairs confirm in case I missed anything. Colin= From nobody Wed Sep 8 23:55:06 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826933A1EAF for ; Wed, 8 Sep 2021 23:55:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.097 X-Spam-Level: X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aKDVQIWAiSbz for ; Wed, 8 Sep 2021 23:54:58 -0700 (PDT) Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 224033A1EB1 for ; Wed, 8 Sep 2021 23:54:58 -0700 (PDT) Received: by mail-ed1-x536.google.com with SMTP id j13so1197322edv.13 for ; Wed, 08 Sep 2021 23:54:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kcrtRfFWMlQvi1t1CvIQ779gphjwWMU/plTPTe3OAKU=; b=gIzJD+w2fi1iMP3NGdEG638hh7gcLnAay8cd20dRKiC/DvmVkf8vR1bgQK1uoXxMEZ qYIB093ReXnnKKPbQZC7FVzlWf0ROzh7TC7baC34Bq0U1Z26485oNSItR7h0Nh60mmJx Plt+lHEIvPccNdtGO17Wo0WghNHqK/KSuU3NOjxHWHBKVrOgoqth/0TjQgvRXY7MPa+c aAYHQ4yN3cIqj25C++bC765U8vX8J7vb5fADMpF6toN2e1NwZLfl0g1VGqIn33KsBUgt 3ZBWyATwAbPG+Q33myd3/ZoHm5dRUYLu1yO56fBYt+2sGERp4Km5Wsqq7Z8Sih9Fd8IX a2kg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kcrtRfFWMlQvi1t1CvIQ779gphjwWMU/plTPTe3OAKU=; b=jZ8myqNknAThZixnXORnIcvvRsw7ixiPNegOG/eGeZmTnEPugwZx6Fnu4cWaz9j8uh Dx+IMVYPqUIf+/RBKRxNM3qa/Tva36rSl3pZiT4n2IbN5h4GiqgLiSrHHWF2hqCyuq5u CRvf7+AnLt03uKpqSpGf7qHCcfcUwlS74I6or4m5ynmmqXbIBi3c2kb6Gha1DflIfU32 4KBioszY7SrX6mH1DHXyPL8aYW2wKkqX29nWNObHKGOgZCp3IfwtTLHeKopQvaMAS42c 8SmpaN4SLJ7fUWnRiV6l2phxERc1QALbQBEoUpnmVJ7ureXyszAoHgLrXhbLADHhGOVb +x3w== X-Gm-Message-State: AOAM53267P78uDYma/sPbiWw8GiyADNChJ99CPci8iONh7Gm/I10Le8s J5YTZyjqK2RbUtZ3P29KYHWz/8I9qQjK5M/VIGQ= X-Google-Smtp-Source: ABdhPJzB2KST2X+pO5tZULrbTXb1XNnRftJpdqb49Leb1rkE7mT1PkUDgpN4sTeZ1aBfEWyXvK+srZ2V0p7OZFdZ9DI= X-Received: by 2002:aa7:c7c2:: with SMTP id o2mr1614500eds.166.1631170495003; Wed, 08 Sep 2021 23:54:55 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Stanislav V. Smyshlyaev" Date: Thu, 9 Sep 2021 09:53:03 +0300 Message-ID: To: Colin Perkins Cc: Watson Ladd , crypto-panel@irtf.org, Julia Hesse , "" , Benjamin Kaduk Content-Type: multipart/alternative; boundary="000000000000ec403605cb8a792c" Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Sep 2021 06:55:04 -0000 --000000000000ec403605cb8a792c Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable >> I believe this was the final review, although I=E2=80=99ll let the RG c= hairs confirm in case I missed anything. Yes, that was the only review that we were waiting for (thanks a lot, Julia!). Regards, Stanislav On Thu, 9 Sept 2021 at 01:17, Colin Perkins wrote: > Hi, > > Thanks, Julia, for the review! > > > On 8 Sep 2021, at 21:39, Watson Ladd wrote: > > On Tue, Sep 7, 2021 at 4:41 AM Julia Hesse > wrote: > >> > >> Dear all, > >> > >> below is a review of the latest SPAKE2 draft. I did not verify changes > in test vectors. The // - questions were posted by Chris Wood here > https://gist.github.com/chris-wood/2205c8e79b309adec5a785470d31226e > >> and my * comments are about how they were addressed. > >> > >> Best regards, > >> Julia > ... > > These editorial comments seem worthwile to fix. Side note to Colin: is > > there another set of reviews I should be waiting for at this stage? If > > not I should be able to fix these all pretty promptly. > > I believe this was the final review, although I=E2=80=99ll let the RG cha= irs > confirm in case I missed anything. > > Colin > _______________________________________________ > Crypto-panel mailing list > Crypto-panel@irtf.org > https://www.irtf.org/mailman/listinfo/crypto-panel > --000000000000ec403605cb8a792c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
>>=C2=A0 I believe this was the final review, although I=E2=80=99ll let the RG chair= s confirm in case I missed anything.=C2=A0
Yes, that was the only=C2=A0= review that we were waiting for (thanks a lot, Julia!).

Regards,
Stanislav

On Thu, 9 Sept 2021 at 01:17, Colin= Perkins <csp@csperkins.org>= wrote:
Hi,

Thanks, Julia, for the review!

> On 8 Sep 2021, at 21:39, Watson Ladd <watsonbladd@gmail.com> wrote:
> On Tue, Sep 7, 2021 at 4:41 AM Julia Hesse <juliahesse2@gmail.com> wrote: >>
>> Dear all,
>>
>> below is a review of the latest SPAKE2 draft. I did not verify cha= nges in test vectors. The // - questions were posted by Chris Wood here https://gist.github.com/chris-wood/2= 205c8e79b309adec5a785470d31226e
>> and my * comments are about how they were addressed.
>>
>> Best regards,
>> Julia
...
> These editorial comments seem worthwile to fix. Side note to Colin: is=
> there another set of reviews I should be waiting for at this stage? If=
> not I should be able to fix these all pretty promptly.

I believe this was the final review, although I=E2=80=99ll let the RG chair= s confirm in case I missed anything.

Colin
_______________________________________________
Crypto-panel mailing list
Crypto-panel@irt= f.org
https://www.irtf.org/mailman/listinfo/crypto-panel=
--000000000000ec403605cb8a792c-- From nobody Fri Sep 10 11:04:32 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D2623A0F7F for ; Fri, 10 Sep 2021 11:04:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.85 X-Spam-Level: X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ll0eQBasWX4k for ; Fri, 10 Sep 2021 11:04:21 -0700 (PDT) Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC6943A1201 for ; Fri, 10 Sep 2021 11:04:20 -0700 (PDT) Received: by mail-wm1-x335.google.com with SMTP id s24so1802072wmh.4 for ; Fri, 10 Sep 2021 11:04:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=RZWqJx0Knhphs4Yp7YE5sjVh+Mu28PE+AZcRKcOpMTDJ1c905dVuoMEfb/7e7hPZgp B11jTRMMg8wMxH9eFeJgVVqV+l4DSTBTKyzlWB8mapun7ePbqluFqcF257BmnRf09R1q vZynOYjbxHTJSndQSahhKaTpmlDDML+W5/OgulaNr4drR6xvwYQHplZRrSvDXEZ0Wfti b66Cl7w3Um3++KhRM4jZtpNtPjhJZTwKiojPw6C+vUl+vngdbhCj86G5LTnvc0gV5kUG A622dR2bID7g2sb8yVTbG7CeWm3g/19xGBK/KSs7Cf3XIYk4rJXytsu771r+B9GdE/cs ogsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=pWNp4Zx1sNNQszgrJcQ4FkLxj25lLH+ebhCHQjIBxs4=; b=dKBHXe2T0AMmgFIxP4NwpEF1s7KYo5Bd6TbaOqP9/pKvhnohevT+Y+s0l0sSeVX+ii rlqHxrYs6CLhYPvoQnhExAuTkp6ZKetb0hRoAOrKD6+9D7pEuySYerjl4KQVrn7zLaCf H4+XwO6lg/fScIMdkod+j0EA20dg/b3NBaDzHLGIu9l82Tf8hsxfYivxd/uwteED2tXB MMiZ6QStipzJ6DTpZDQKke7ZD2XTgZ/cWwGJq4fDKe+jspwhAyNFNfowAisTmTqsqZoD 4Zb7WxyTZ597m74NUxKNpk0RstpN/MdzqmzKhQMF+wsy1nLr0ZhML1uZijg1q0uVhxdr zepA== X-Gm-Message-State: AOAM531Mb3+BQn+tATkriI8HBN/5uiZpzidE8ep2CRhANQeyFWY8vjnd BG6ePs1AYCfGVrht8k46bR4= X-Google-Smtp-Source: ABdhPJygJEbHxKMr4/y5s6/V/8R9nslxq6tUFdZa0h8qv1ZyMIMAfvBNP4kPyN4VqOfsppItE8RbnQ== X-Received: by 2002:a05:600c:2193:: with SMTP id e19mr9659470wme.40.1631297057713; Fri, 10 Sep 2021 11:04:17 -0700 (PDT) Received: from ?IPv6:2a02:aa12:a780:5480:7861:c549:9e18:d53? ([2a02:aa12:a780:5480:7861:c549:9e18:d53]) by smtp.gmail.com with ESMTPSA id d9sm6644002wrb.36.2021.09.10.11.04.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 10 Sep 2021 11:04:17 -0700 (PDT) To: Watson Ladd Cc: crypto-panel@irtf.org, Benjamin Kaduk , cfrg@ietf.org, Colin Perkins References: From: Julia Hesse Message-ID: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com> Date: Fri, 10 Sep 2021 20:04:15 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Sep 2021 18:04:24 -0000 Dear Watson, >> // - What does it mean to exchange messages symmetrically? (In the per-user M and N section) >> * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?) > It is needed: Magic Wormhole uses this variant. And the concern about > who uses M and who uses N in cases where it isn't clear is best > addressed by using this variant. Ah, apparently I got confused here: the draft is referring to SPAKE2 as a symmetric PAKE, and to the case of M=N as its symmetric variant. So you are completely right, the sentence in question should stay, but I would recommend referring to the case of M=N as "parallel variant" (or something else) instead of assigning two different meanings to the word "symmetric". >> // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include? >> * Resolved >> >> // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check. >> // - There are currently no test vectors that include AAD -- should we add some? >> * I have not verified these two. >> >> // - Why is len() a little-endian output? >> * I agree with Watson to be consistent with Kerberos here >> >> // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation? >> * Resolved >> >> Some more comments, not related to the IRSG review, below. >> >> I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..." >> >> The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule. > I'm not sure I follow the issue. The sentence says 'A picks x randomly > and uniformly from the integers in [0,p), and calculates X=x*P and > S=w*M+X, then transmits pA=S to B.' Alice is hence the initiatior. If > it's impossible to do this easily then one of the M=N variants should > be used. Most protocols have an asymmetry here where one side is > initiating a request and the other receiving. Happy to add clarifying > text. Ack to all. It would actually be good to clarify this in the draft: the M != N variant is for an initiator-responder variant, the M=N for a parallel variant that MUST (?) be used whenever the applicatoin cannot assign initiator and responder role to the parties. My concern was from a security perspective, from which we should avoid situation such as the following: a user generates pA wrt M, but then receives pB also generated wrt M, suddenly realizes that it is the responder, and *additionally* sends pA wrt N. This voids the security proof, so we need to be pretty clear here. Best regards, Julia >> p.2 >> The KDF has only 3 inputs, but a fourth (key length L) is described in the text >> >> p.3 >> servers -> serves >> flow figure should include "verify cA" and "verify cB", since it is a MUST. >> >> p.4 >> remove unnecessary variables T and S? E.g., directly set pB=w*N+Y. > These editorial comments seem worthwile to fix. Side note to Colin: is > there another set of reviews I should be waiting for at this stage? If > not I should be able to fix these all pretty promptly. > > Sincerely, > Watson Ladd > > > -- > Astra mortemque praestare gradatim From nobody Tue Sep 14 11:45:54 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B40783A28C3 for ; Tue, 14 Sep 2021 11:45:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oz1bRoCY7ME2 for ; Tue, 14 Sep 2021 11:45:47 -0700 (PDT) Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C1A03A28C4 for ; Tue, 14 Sep 2021 11:45:47 -0700 (PDT) Received: by mail-ej1-x631.google.com with SMTP id x22so483893ejj.8 for ; Tue, 14 Sep 2021 11:45:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=gmVgcinyqTZ280MGKQn2hVNg0cubOVLQ7KvAdxqZi58=; b=Sqwd8wxm+TCtPkHP1Et845TnlikxcO3KF9gXzROoSQ2C5g7kMVdpfU3hDlvOZ9ke9x 7AU0NbyaIuCWWL3ZqYOsO6fBis/+JdVuSw2suIYaT2vFabF1HEbET+ugHsFOGBxNtP4d h89Gs3Y9vA3txrXcZgeIn+fOUNxX0Bb0zA2hNTHaeW/fgRKcxhXCZCj2w3DzToFcbGkM js+tE3U5a7uQH3X45jEC4gEGYgh+sLMJRNHQ25ruWDr8X/eHSB2biv5Nppi6rq4GyWx/ RXHbdNpoA+FqT/9PnJ4L5BOwGhCJJzPMMGAjHl1ZeALXDbpFP8reNG+qkjT+X5pSuc6i gX/w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=gmVgcinyqTZ280MGKQn2hVNg0cubOVLQ7KvAdxqZi58=; b=flf5gaLyVsGkiwBHnH8N9Pj9aJu+r0Q3mx/w7JddVI2OY5RUDGXVC5GU1xS6KnkHJM h7Km5A9wo9R2umSlQtdwUxSfWZpcaTPHUil72h99wBVrNOpqTWe/Bq9zhsqV2lYUA5fq TJAZvdbBSu+Ymh/1oYdcvAMVAWIQRXk9ARK6IoaqD4zJ21mJa0WzeLIjctinMV5wMej6 rFypikcWS0RISc6sFX1jC8SnqB9atLu3Cx/J9gj75oieNd0sOTN8DjB4lD+pnr3gof/i gK42fhHdIU7ScvXQdbuvuVs9mw+p1QekLMeXfXYiv2v/TlrbZgpxohCltZcPVzldfqv1 6f2w== X-Gm-Message-State: AOAM533j/5RDWig8iRmH6fkt7Pov63JtXh6E3HZBdH3Br+RtFXIOmQEQ BLQTO63dTDafVOIg7ogUQC7+ZmtgNg8DW/RW6ok= X-Google-Smtp-Source: ABdhPJxQnsOmNj8SWt4WCeux+pQo0T0A9C0Qcu7MkYtiWN45j/rJ9Y+0/Re/Aa3cibUlbDIUJGaD0neoKPTLK8W+q08= X-Received: by 2002:a17:906:f906:: with SMTP id lc6mr11051294ejb.487.1631645144454; Tue, 14 Sep 2021 11:45:44 -0700 (PDT) MIME-Version: 1.0 References: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com> In-Reply-To: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com> From: Watson Ladd Date: Tue, 14 Sep 2021 11:45:32 -0700 Message-ID: To: Julia Hesse Cc: crypto-panel@irtf.org, Benjamin Kaduk , "" , Colin Perkins Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2021 18:45:51 -0000 I've opened https://github.com/kaduk/spake2/pull/24 which I think addresses all the comments from this review. If this is so, I can merge it and upload a new copy tonight. On Fri, Sep 10, 2021 at 11:04 AM Julia Hesse wrote: > > Dear Watson, > > >> // - What does it mean to exchange messages symmetrically? (In the per= -user M and N section) > >> * Resolved. I suggest to remove "to have a symmetric variant" - i= t is not needed and might cause confusion (variant of what?) > > It is needed: Magic Wormhole uses this variant. And the concern about > > who uses M and who uses N in cases where it isn't clear is best > > addressed by using this variant. > > Ah, apparently I got confused here: the draft is referring to SPAKE2 as > a symmetric PAKE, and to the case of M=3DN as its symmetric variant. So > you are completely right, the sentence in question should stay, but I > would recommend referring to the case of M=3DN as "parallel variant" (or > something else) instead of assigning two different meanings to the word > "symmetric". > > >> // - Beyond scalar multiplication being constant time, are there any o= ther constant time considerations we should include? > >> * Resolved > >> > >> // - Why is Ke not included in the test vectors? It may be redundant, = but it seems useful as an additional sanity check. > >> // - There are currently no test vectors that include AAD -- should we= add some? > >> * I have not verified these two. > >> > >> // - Why is len() a little-endian output? > >> * I agree with Watson to be consistent with Kerberos here > >> > >> // - Should we clarify that the transcript assumes a particular point = encoding scheme, and that is to be defined by the calling application or im= plementation? > >> * Resolved > >> > >> Some more comments, not related to the IRSG review, below. > >> > >> I was missing a minimal list of data that A and B can start SPAKE2 fro= m: ciphersuite, pw, A, B, M, N - did I forget something? What about the out= put key length? This can be easily included in 3.2, replacing "A and B are = provisioned with information such as..." > >> > >> The document does not specify who uses M and who uses N. In the M\neq = N variant of the protocol, which is mostly described in this draft, this is= relevant, since no analysis was conducted in case A sends both xM and xN (= a solution that implementors are not unlikely to come up with). I would inc= lude an instruction in the RFC, e.g., that the application must ensure that= M and N are assigned to A and B, e.g., by having them apply some lexicogra= phically-first-... rule. > > I'm not sure I follow the issue. The sentence says 'A picks x randomly > > and uniformly from the integers in [0,p), and calculates X=3Dx*P and > > S=3Dw*M+X, then transmits pA=3DS to B.' Alice is hence the initiatior. = If > > it's impossible to do this easily then one of the M=3DN variants should > > be used. Most protocols have an asymmetry here where one side is > > initiating a request and the other receiving. Happy to add clarifying > > text. > Ack to all. It would actually be good to clarify this in the draft: the > M !=3D N variant is for an initiator-responder variant, the M=3DN for a > parallel variant that MUST (?) be used whenever the applicatoin cannot > assign initiator and responder role to the parties. My concern was from > a security perspective, from which we should avoid situation such as the > following: a user generates pA wrt M, but then receives pB also > generated wrt M, suddenly realizes that it is the responder, and > *additionally* sends pA wrt N. This voids the security proof, so we need > to be pretty clear here. > > Best regards, > Julia > > >> p.2 > >> The KDF has only 3 inputs, but a fourth (key length L) is described in= the text > >> > >> p.3 > >> servers -> serves > >> flow figure should include "verify cA" and "verify cB", since it is a = MUST. > >> > >> p.4 > >> remove unnecessary variables T and S? E.g., directly set pB=3Dw*N+Y. > > These editorial comments seem worthwile to fix. Side note to Colin: is > > there another set of reviews I should be waiting for at this stage? If > > not I should be able to fix these all pretty promptly. > > > > Sincerely, > > Watson Ladd > > > > > > -- > > Astra mortemque praestare gradatim > --=20 Astra mortemque praestare gradatim From nobody Tue Sep 14 14:11:35 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5601D3A2F9B for ; Tue, 14 Sep 2021 14:11:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.85 X-Spam-Level: X-Spam-Status: No, score=-1.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RgA0YSBNf5I for ; Tue, 14 Sep 2021 14:11:31 -0700 (PDT) Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CA313A2F99 for ; Tue, 14 Sep 2021 14:11:31 -0700 (PDT) Received: by mail-wm1-x331.google.com with SMTP id d207-20020a1c1dd8000000b00307e2d1ec1aso515028wmd.5 for ; Tue, 14 Sep 2021 14:11:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=GCHiHrPofAuXqNXlu4W8lpd+2RvEtbqWvxkrAoDTz+o=; b=A/xIOV+u+tS7xoHzbM0+CW5mQNN3NOcqKHi7GmkvY5w01OIy/vGjttzlBBe5nqriDt TSG6s3PWycD89wS2HNupScoBDgqDgyzGENcd+qj1fJRT0WC054+VkRLtO6vbKimsE0Jz m0Fw9em6l3FIpkd9Y0j65yiO4kMdDqfL3hAh2YJO59BqF5FizAvp+Lei/7YReO0fuuKI dBFVXanWU7/efJ6Gq64B+IcWETJgvCKKVTrx24dgmvNAn/gKO5TVQQtBuwl3AwOTyiJG NEPQ99aI7iVK1AgvyXuqxXaqVvIPcBpgHdYwAJYT2wrGUaGolk2o0COmh/yUxwx4VU6J 7KGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=GCHiHrPofAuXqNXlu4W8lpd+2RvEtbqWvxkrAoDTz+o=; b=BhxZ/J/DeHUuCnCAX3H1MLVKjDS8pg4Pc+CtdNDS5p3Bbm7pYMKho5pNPCRSFIECnw ibkqblKi1aJ0Q5uKzN6HaOoUbu1Z4FeVxT/EiLJ7MgOIJju3Zu1mxVEUhcvY2VQp1/wE h3OsQJ2F4M9nZCU54AaVYI77H/7NhM7H8Mu9hb2jhF+QY4xC8EcdAxJIDV+1FE6vo3y0 3K95ecvOPTDY941ZNpDEOU+1zTXiAlIKpbYeMidc+8wOOhyvSMNK4J7Wa1J08S2h7QOH giVqQARYfOSDuqYJOXcLgVZkBWpgYRMCT1iUQb0q94ggZ5n7H2T/pKmkgkUx7bVJYTIM pdmA== X-Gm-Message-State: AOAM530U0r1+wfx7PQPdwvCACLFBX7bh84/IrO5K5LXgDR40Axm6eCIK meycJnUm1/OnUzjSgCb833s= X-Google-Smtp-Source: ABdhPJy+lywDb9dxQJXlKt1p2kQqLKdeW1n2nyOoUcKmF+iL5G7iCpyNJLiAF9NifcsufsjF+m0jJg== X-Received: by 2002:a7b:c745:: with SMTP id w5mr1098655wmk.17.1631653888503; Tue, 14 Sep 2021 14:11:28 -0700 (PDT) Received: from ?IPv6:2a02:aa12:a780:5480:18e9:4d8a:c8a6:5765? ([2a02:aa12:a780:5480:18e9:4d8a:c8a6:5765]) by smtp.gmail.com with ESMTPSA id r26sm2164857wmh.27.2021.09.14.14.11.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 14 Sep 2021 14:11:27 -0700 (PDT) To: Watson Ladd Cc: crypto-panel@irtf.org, Benjamin Kaduk , cfrg@ietf.org, Colin Perkins References: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com> From: Julia Hesse Message-ID: <08ec7619-f7d4-81d8-f73d-a3ab86164bbb@gmail.com> Date: Tue, 14 Sep 2021 23:11:26 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Sep 2021 21:11:34 -0000 Hi Watson, looks good to me, thank you! Julia Am 9/14/2021 um 8:45 PM schrieb Watson Ladd: > I've opened https://github.com/kaduk/spake2/pull/24 which I think > addresses all the comments from this review. If this is so, I can > merge it and upload a new copy tonight. > > On Fri, Sep 10, 2021 at 11:04 AM Julia Hesse wrote: >> Dear Watson, >> >>>> // - What does it mean to exchange messages symmetrically? (In the per-user M and N section) >>>> * Resolved. I suggest to remove "to have a symmetric variant" - it is not needed and might cause confusion (variant of what?) >>> It is needed: Magic Wormhole uses this variant. And the concern about >>> who uses M and who uses N in cases where it isn't clear is best >>> addressed by using this variant. >> Ah, apparently I got confused here: the draft is referring to SPAKE2 as >> a symmetric PAKE, and to the case of M=N as its symmetric variant. So >> you are completely right, the sentence in question should stay, but I >> would recommend referring to the case of M=N as "parallel variant" (or >> something else) instead of assigning two different meanings to the word >> "symmetric". >> >>>> // - Beyond scalar multiplication being constant time, are there any other constant time considerations we should include? >>>> * Resolved >>>> >>>> // - Why is Ke not included in the test vectors? It may be redundant, but it seems useful as an additional sanity check. >>>> // - There are currently no test vectors that include AAD -- should we add some? >>>> * I have not verified these two. >>>> >>>> // - Why is len() a little-endian output? >>>> * I agree with Watson to be consistent with Kerberos here >>>> >>>> // - Should we clarify that the transcript assumes a particular point encoding scheme, and that is to be defined by the calling application or implementation? >>>> * Resolved >>>> >>>> Some more comments, not related to the IRSG review, below. >>>> >>>> I was missing a minimal list of data that A and B can start SPAKE2 from: ciphersuite, pw, A, B, M, N - did I forget something? What about the output key length? This can be easily included in 3.2, replacing "A and B are provisioned with information such as..." >>>> >>>> The document does not specify who uses M and who uses N. In the M\neq N variant of the protocol, which is mostly described in this draft, this is relevant, since no analysis was conducted in case A sends both xM and xN (a solution that implementors are not unlikely to come up with). I would include an instruction in the RFC, e.g., that the application must ensure that M and N are assigned to A and B, e.g., by having them apply some lexicographically-first-... rule. >>> I'm not sure I follow the issue. The sentence says 'A picks x randomly >>> and uniformly from the integers in [0,p), and calculates X=x*P and >>> S=w*M+X, then transmits pA=S to B.' Alice is hence the initiatior. If >>> it's impossible to do this easily then one of the M=N variants should >>> be used. Most protocols have an asymmetry here where one side is >>> initiating a request and the other receiving. Happy to add clarifying >>> text. >> Ack to all. It would actually be good to clarify this in the draft: the >> M != N variant is for an initiator-responder variant, the M=N for a >> parallel variant that MUST (?) be used whenever the applicatoin cannot >> assign initiator and responder role to the parties. My concern was from >> a security perspective, from which we should avoid situation such as the >> following: a user generates pA wrt M, but then receives pB also >> generated wrt M, suddenly realizes that it is the responder, and >> *additionally* sends pA wrt N. This voids the security proof, so we need >> to be pretty clear here. >> >> Best regards, >> Julia >> >>>> p.2 >>>> The KDF has only 3 inputs, but a fourth (key length L) is described in the text >>>> >>>> p.3 >>>> servers -> serves >>>> flow figure should include "verify cA" and "verify cB", since it is a MUST. >>>> >>>> p.4 >>>> remove unnecessary variables T and S? E.g., directly set pB=w*N+Y. >>> These editorial comments seem worthwile to fix. Side note to Colin: is >>> there another set of reviews I should be waiting for at this stage? If >>> not I should be able to fix these all pretty promptly. >>> >>> Sincerely, >>> Watson Ladd >>> >>> >>> -- >>> Astra mortemque praestare gradatim > From nobody Sat Sep 18 08:33:41 2021 Return-Path: X-Original-To: crypto-panel@ietfa.amsl.com Delivered-To: crypto-panel@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DB73A1208 for ; Sat, 18 Sep 2021 08:33:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fER4jH27f9jp for ; Sat, 18 Sep 2021 08:33:35 -0700 (PDT) Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB023A1204 for ; Sat, 18 Sep 2021 08:33:35 -0700 (PDT) Received: by mail-ed1-x52b.google.com with SMTP id v5so41408763edc.2 for ; Sat, 18 Sep 2021 08:33:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=d6olGUMoMZ78b0313JOX0xO4t/fP1Mtzv1wVUg+EviA=; b=Z10l+Sm/nEM3QS2ZCjlUba5mnfEfKlyyR/5t/1EYswR4z91uWbmS5kKkh2lrTjGWgV MNBMXJKTnduiZwOILphaFm8CYMzBAnj3MY1IyLowvCXQrGaY9HIhCTf81a+GDoraPZ1d q/0jd+qqnTW4xGk8y+fBJ1azz1F4ai5MnwzcXB0g82lDW6j9McoMnbNQlx/rhoXV1lT8 uoz8NoM4Pf/2yqVQxnAfuyc3eoEc7vut07HzpYJ4++4VjqYtzIwZdYrxeAYom/C31adD /I3kHtE4bfcFsAR6P8E2aKNJ62XpaTzoj87HLmC+jZXcmPm1WxcQyVsxdxgC+l9GgM+E FAGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=d6olGUMoMZ78b0313JOX0xO4t/fP1Mtzv1wVUg+EviA=; b=WehzV7vVReWusvjUP9R8olAFWlIJ5tOzV5fZulFv/zUOrRQ2jlWbZc2sUjsPpmDwsR bKN1pmaaArwffIEqPLAD1YKbeZdQb429LCXnruaonTL6ymT5JYinvn7q141DIyWV5EAn eYlDvVRe+/yLCY/3AvYEE6DKWqJCwUMJpwqapiREQSN6a1yHmU6/SsMsFyLXMTyoq3gS Nqjkedk7AuxW+6P3LmXVjoNgqhQWUYRLe+uR8T67Lk87mXRtepDHw33rwB+IhdYDBmxM nhU/zELZfFhZi94Yu5O7sZqqKJSTWGLT/OyNmQUSxCsGzz5fkcmiw/T582EVzLnAp27N 5wiQ== X-Gm-Message-State: AOAM533QAMZ/xbS9KXBvC/hF+RRMMrdXKSmmyAOryi20wbjSwJgx+ixO n+NsxayT0TPIqKDny0YHjOAVLud86Rx35oDOjo4= X-Google-Smtp-Source: ABdhPJwwcSOcTmmc13fS00ohW/xqLhPrdsYSz6XJxQHcWsJWYNQR7wmyZIvmKB6lbaY3EHTo4wbJysMQCmyfhJh76ek= X-Received: by 2002:a17:906:7d42:: with SMTP id l2mr18817568ejp.467.1631979213449; Sat, 18 Sep 2021 08:33:33 -0700 (PDT) MIME-Version: 1.0 References: <172dcce4-017f-f9dd-2ee3-b57652bcdd41@gmail.com> <08ec7619-f7d4-81d8-f73d-a3ab86164bbb@gmail.com> In-Reply-To: <08ec7619-f7d4-81d8-f73d-a3ab86164bbb@gmail.com> From: Watson Ladd Date: Sat, 18 Sep 2021 08:33:21 -0700 Message-ID: To: Julia Hesse Cc: crypto-panel@irtf.org, Benjamin Kaduk , "" , Colin Perkins Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [Crypto-panel] IRSG review draft-irtf-cfrg-spake2-20 X-BeenThere: crypto-panel@irtf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 18 Sep 2021 15:33:39 -0000 Draft 22 is now uploaded. On Tue, Sep 14, 2021 at 2:11 PM Julia Hesse wrote: > > Hi Watson, > > looks good to me, thank you! > > Julia > > Am 9/14/2021 um 8:45 PM schrieb Watson Ladd: > > I've opened https://github.com/kaduk/spake2/pull/24 which I think > > addresses all the comments from this review. If this is so, I can > > merge it and upload a new copy tonight. > > > > On Fri, Sep 10, 2021 at 11:04 AM Julia Hesse wr= ote: > >> Dear Watson, > >> > >>>> // - What does it mean to exchange messages symmetrically? (In the p= er-user M and N section) > >>>> * Resolved. I suggest to remove "to have a symmetric variant" = - it is not needed and might cause confusion (variant of what?) > >>> It is needed: Magic Wormhole uses this variant. And the concern about > >>> who uses M and who uses N in cases where it isn't clear is best > >>> addressed by using this variant. > >> Ah, apparently I got confused here: the draft is referring to SPAKE2 a= s > >> a symmetric PAKE, and to the case of M=3DN as its symmetric variant. S= o > >> you are completely right, the sentence in question should stay, but I > >> would recommend referring to the case of M=3DN as "parallel variant" (= or > >> something else) instead of assigning two different meanings to the wor= d > >> "symmetric". > >> > >>>> // - Beyond scalar multiplication being constant time, are there any= other constant time considerations we should include? > >>>> * Resolved > >>>> > >>>> // - Why is Ke not included in the test vectors? It may be redundant= , but it seems useful as an additional sanity check. > >>>> // - There are currently no test vectors that include AAD -- should = we add some? > >>>> * I have not verified these two. > >>>> > >>>> // - Why is len() a little-endian output? > >>>> * I agree with Watson to be consistent with Kerberos here > >>>> > >>>> // - Should we clarify that the transcript assumes a particular poin= t encoding scheme, and that is to be defined by the calling application or = implementation? > >>>> * Resolved > >>>> > >>>> Some more comments, not related to the IRSG review, below. > >>>> > >>>> I was missing a minimal list of data that A and B can start SPAKE2 f= rom: ciphersuite, pw, A, B, M, N - did I forget something? What about the o= utput key length? This can be easily included in 3.2, replacing "A and B ar= e provisioned with information such as..." > >>>> > >>>> The document does not specify who uses M and who uses N. In the M\ne= q N variant of the protocol, which is mostly described in this draft, this = is relevant, since no analysis was conducted in case A sends both xM and xN= (a solution that implementors are not unlikely to come up with). I would i= nclude an instruction in the RFC, e.g., that the application must ensure th= at M and N are assigned to A and B, e.g., by having them apply some lexicog= raphically-first-... rule. > >>> I'm not sure I follow the issue. The sentence says 'A picks x randoml= y > >>> and uniformly from the integers in [0,p), and calculates X=3Dx*P and > >>> S=3Dw*M+X, then transmits pA=3DS to B.' Alice is hence the initiatior= . If > >>> it's impossible to do this easily then one of the M=3DN variants shou= ld > >>> be used. Most protocols have an asymmetry here where one side is > >>> initiating a request and the other receiving. Happy to add clarifying > >>> text. > >> Ack to all. It would actually be good to clarify this in the draft: th= e > >> M !=3D N variant is for an initiator-responder variant, the M=3DN for = a > >> parallel variant that MUST (?) be used whenever the applicatoin cannot > >> assign initiator and responder role to the parties. My concern was fro= m > >> a security perspective, from which we should avoid situation such as t= he > >> following: a user generates pA wrt M, but then receives pB also > >> generated wrt M, suddenly realizes that it is the responder, and > >> *additionally* sends pA wrt N. This voids the security proof, so we ne= ed > >> to be pretty clear here. > >> > >> Best regards, > >> Julia > >> > >>>> p.2 > >>>> The KDF has only 3 inputs, but a fourth (key length L) is described = in the text > >>>> > >>>> p.3 > >>>> servers -> serves > >>>> flow figure should include "verify cA" and "verify cB", since it is = a MUST. > >>>> > >>>> p.4 > >>>> remove unnecessary variables T and S? E.g., directly set pB=3Dw*N+Y. > >>> These editorial comments seem worthwile to fix. Side note to Colin: i= s > >>> there another set of reviews I should be waiting for at this stage? I= f > >>> not I should be able to fix these all pretty promptly. > >>> > >>> Sincerely, > >>> Watson Ladd > >>> > >>> > >>> -- > >>> Astra mortemque praestare gradatim > > > --=20 Astra mortemque praestare gradatim