Further rephrasing for Thomas Pornin's recommendations.
BjoernMHaase committed Jan 19, 2024
1 parent e54bc5a commit 1f9e4db
Showing 2 changed files with 23 additions and 18 deletions.
28 changes: 16 additions & 12 deletions TODO_review
Expand Up @@ -73,9 +73,11 @@ appendix.
#
# Fixed.

6.2: "Otherwise B returns ISK = H.hash(...). B returns ISK and terminates."
-> the first "returns ISK" should be "computes ISK"
-> idem for "Otherwise A returns ISK" in the next paragraph
# 6.2: "Otherwise B returns ISK = H.hash(...). B returns ISK and terminates."
# -> the first "returns ISK" should be "computes ISK"
# -> idem for "Otherwise A returns ISK" in the next paragraph
#
# Fixed.

6.2: the specification uses lv_cat on the concatenation of two character
strings (G.DSI and "_ISK") but lv_cat expects octet strings, so that
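Review bot: The 6.2 item is closed with a bare "# Fixed." although the wording actually adopted in draft-irtf-cfrg-cpace.md is "calculates" rather than the requested "computes"; either record that deviation here (e.g. "# Fixed, using 'calculates'.") or make the draft say "computes ISK" so that the TODO resolution matches the request and later readers of this review log do not have to diff the draft to find out what was done.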
Expand Down Expand Up @@ -141,15 +143,17 @@ otherwise some text that says "MSGa is the pair of values (Ya, ADa),
sent to the peer with an unambiguous encoding format appropriate for the
used transport medium".)

7.1: maybe add a sentence to assert that the zero padding should not be
considered as a requirement that the length of PRS be limited so that
DSI||PRS||padding always fits on exactly one block? There are already
too many systems out there that enforce _maximum_ password lengths at 8
or 10 characters, for mostly mythical reasons. It might be good to
preach the good word and state that PRS length should not be
artificially limited, notwithstanding the zero padding. In particular,
password managers tend to generate large high-entropy random passwords,
and limitations on password length are a usual annoyance for them.
# 7.1: maybe add a sentence to assert that the zero padding should not be
# considered as a requirement that the length of PRS be limited so that
# DSI||PRS||padding always fits on exactly one block? There are already
# too many systems out there that enforce _maximum_ password lengths at 8
# or 10 characters, for mostly mythical reasons. It might be good to
# preach the good word and state that PRS length should not be
# artificially limited, notwithstanding the zero padding. In particular,
# password managers tend to generate large high-entropy random passwords,
# and limitations on password length are a usual annoyance for them.
#
# Fixed. Note was added.

7.2.1: "on either, the curve or the quadratic twist" -> the comma looks
misplaced. With the Oxford comma, it should be "on either the curve, or
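Review bot: "Fixed. Note was added." does not say where the note landed; since this item concerns 7.1 and the hunk in the draft touches the text right after the len_zpad definition, a pointer such as "# Fixed. Note was added at the end of the zero-padding paragraph in 7.1." would make the resolution traceable. Worth confirming in the same resolution that the formula len_zpad = MAX(0, ...) is what makes the added "no limitation" statement true: for a PRS longer than the block, the MAX clamps the padding to zero bytes and nothing is truncated, so the encoding simply spills into further blocks.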
13 changes: 7 additions & 6 deletions draft-irtf-cfrg-cpace.md
Expand Up @@ -402,12 +402,12 @@ Upon reception of MSGa, B checks that MSGa was properly generated in conformity
If this parsing fails, then B MUST abort. (Testvectors of examples for invalid messages when using lv\_cat() as network\_encode function for
CPace are given in the appendix.)
B then computes K = G.scalar\_mult\_vfy(yb,Ya). B MUST abort if K=G.I.
Otherwise B returns
Otherwise B calculates
ISK = H.hash(lv\_cat(G.DSI \|\| b"\_ISK", sid, K)\|\|transcript(MSGa, MSGb)). B returns ISK and terminates.

Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and checks for a valid encoding.
If this parsing fails, then A MUST abort. A then computes K = G.scalar\_mult\_vfy(ya,Yb). A MUST abort if K=G.I.
Otherwise A returns
Otherwise A calculates
ISK = H.hash(lv\_cat(G.DSI \|\| b"\_ISK", sid, K) \|\| transcript(MSGa, MSGb)). A returns ISK and terminates.

The session key ISK returned by A and B is identical if and only if the supplied input parameters PRS, CI and sid match on both sides and transcript view (containing of MSGa and MSGb) of both parties match.
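Review bot: The replacement verb is inconsistent with the surrounding text: both paragraphs already say "B then computes K" and "A then computes K", and the review item this commit resolves asked for "computes", yet the new lines read "Otherwise B calculates" and "Otherwise A calculates". Suggest "Otherwise B computes" / "Otherwise A computes" so that one verb is used for every derivation step and "returns" is reserved for the final "B returns ISK and terminates." sentence, which correctly stays as is.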
Expand All @@ -426,12 +426,13 @@ lv\_cat(DSI, PRS, zero\_bytes(len\_zpad), CI, sid).
- len\_zpad = MAX(0, s\_in\_bytes - len(prepend\_len(PRS)) - len(prepend\_len(G.DSI)) - 1)

The zero padding of length len\_zpad is designed such that the encoding of DSI and PRS together with the zero padding field completely
fills the first input block (of length s\_in\_bytes) of the hash.
As a result for the common case of short PRS the number of bytes to hash becomes independent of the actual length of the password (PRS). (A reference implementation and test vectors are provided in the appendix.)
fills at least the first input block (of length s\_in\_bytes) of the hash.
As a result for the common case of short PRS the number of bytes to hash becomes independent of the actual length of the password (PRS). (A reference implementation and test vectors are provided in the appendix.)

The introduction of a zero-padding within the generator string also helps mitigating attacks of a side-channel adversary that
analyzes correlations between publicly known variable information with the low-entropy PRS string.
Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI.
analyzes correlations between publicly known variable information with a short low-entropy PRS string.
Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI and that there is no limitation
regarding the maximum length of the PRS string.

## CPace group objects G\_X25519 and G\_X448 for single-coordinate Ladders on Montgomery curves {#CPaceMontgomery}
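Review bot: The new sentence in the last paragraph is ambiguous as written: "such as sid or CI and that there is no limitation regarding the maximum length of the PRS string" reads as if the "no limitation" clause were another example of a session-specific input. Suggest a comma and a repeated "Note": "Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI, and that there is no limitation regarding the maximum length of the PRS string." While touching this paragraph, "helps mitigating attacks" should be "helps mitigate attacks" and "correlations between ... with" should be "correlations between ... and". On substance, the change from "fills" to "fills at least" is correct given len_zpad = MAX(0, ...), and the first-block independence from sid and CI survives for long PRS because CI and sid follow PRS in the lv_cat order; it may be worth stating explicitly that the length-hiding effect described two sentences earlier ("the number of bytes to hash becomes independent of the actual length of the password") applies only to PRS short enough to fit the first block, so that readers do not take the "no limitation" note as a claim that long passwords enjoy the same property.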
