From 36bd5908db36f82acfa3843b10137b9929b57a05 Mon Sep 17 00:00:00 2001 From: sp0001 Date: Fri, 19 Jan 2024 17:35:01 +0100 Subject: [PATCH] Fixed further typos. --- TODO_review | 31 +++++++++++++++++++++---------- draft-irtf-cfrg-cpace.md | 8 ++++---- 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/TODO_review b/TODO_review index ee3e561..6586636 100644 --- a/TODO_review +++ b/TODO_review @@ -65,8 +65,10 @@ that CI "may also include confidential information", which means that it is not, in fact, public. Maybe what is meant here is that it is a common value known to both parties. -6.2: "was properly generated conform with" -> "was properly generated, -in conformity with" ("conform" is a verb, it cannot be used that way). +# 6.2: "was properly generated conform with" -> "was properly generated, +# in conformity with" ("conform" is a verb, it cannot be used that way). +# +# Fixed. 6.2: "Otherwise B returns ISK = H.hash(...). B returns ISK and terminates." -> the first "returns ISK" should be "computes ISK" 
@@ -157,15 +159,21 @@ the quadratic twist". Or the comma could be simply removed. # # Fixed -9.2: "the length of of all" -> "the length of all" +# 9.2: "the length of of all" -> "the length of all" +# +# Fixed -9.4: "calculate mac_key as as" -> "calculate mac_key as" +# 9.4: "calculate mac_key as as" -> "calculate mac_key as" +# +# Fixed -9.4: Starting at the point, we begin to see notations like b"CPaceMac", -i.e. the Python-like syntax for character strings which really are octet -strings. This should be harmonized with the previous use of character -strings (G.DSI, "_ISK",...) since these strings also implicitly assumed -some sort of characters-to-octets conversion. +#9.4: Starting at the point, we begin to see notations like b"CPaceMac", +# i.e. the Python-like syntax for character strings which really are octet +# strings. This should be harmonized with the previous use of character +# strings (G.DSI, "_ISK",...) since these strings also implicitly assumed +# some sort of characters-to-octets conversion. +# +# Yes Removed b"" syntax in the text body 9.5: "We do so in order to reduce both, complexity of the implementation and reducing the attack surface" -> "We do so in order to reduce both the @@ -192,7 +200,10 @@ document (section 7.4.3 says "MUST BE uniformly random"; it does not say selection"). It might be worth adding a note in section 9.5 that the oversampling+reduction method is actually OK? -9.5: "begning" -> "benign" +# 9.5: "begning" -> "benign" +# +# Fixed. + 9.6: "The cofactor c' of the twist MUST BE EQUAL to or an integer multiple of the cofactor c of the curve." -> it's the opposite! The diff --git a/draft-irtf-cfrg-cpace.md b/draft-irtf-cfrg-cpace.md index d69a0b2..cff270f 100644 --- a/draft-irtf-cfrg-cpace.md +++ b/draft-irtf-cfrg-cpace.md 
@@ -391,7 +391,7 @@ optional associated data ADa to B. B computes a generator g = G.calculate_generator(H,PRS,CI,sid), scalar yb = G.sample\_scalar() and group element Yb = G.scalar\_pow(yb,g). B sends MSGb = network\_encode(Yb, ADb) with optional associated data ADb to A. -Upon reception of MSGa, B checks that MSGa was properly generated conform with the chosen encoding of network messages (notably correct length fields). +Upon reception of MSGa, B checks that MSGa was properly generated in conformity with the chosen encoding of network messages (notably correct length fields). If this parsing fails, then B MUST abort. (Testvectors of examples for invalid messages when using lv\_cat() as network\_encode function for CPace are given in the appendix.) B then computes K = G.scalar\_pow\_vfy(yb,Ya). B MUST abort if K=G.I. @@ -684,7 +684,7 @@ Including and checking party identifiers can fend off such relay attacks. It is RECOMMENDED to encode the (Ya,ADa) and (Yb,ADb) fields on the network by using network\_encode(Y,AD) = lv\_cat(Y,AD). I.e. we RECOMMEND to prepend an encoding of the length of the subfields. Prepending the length of -of all variable-size input strings results in a so-called prefix-free encoding of transcript strings, using terminology introduced in {{CDMP05}}. This property allows for disregarding length-extension imperfections that come with the commonly used Merkle-Damgard hash function constructions such as SHA256 and SHA512. +all variable-size input strings results in a so-called prefix-free encoding of transcript strings, using terminology introduced in {{CDMP05}}. This property allows for disregarding length-extension imperfections that come with the commonly used Merkle-Damgard hash function constructions such as SHA256 and SHA512. Other alternative network encoding formats which prepend an encoding of the length of variable-size data fields in the protocol messages are equally suitable. 
@@ -722,7 +722,7 @@ CMAC {{?RFC4493}} using a key mac\_key derived from ISK. One suitable option that works also in the parallel setting without message ordering is to proceed as follows. -- First calculate mac\_key as as mac\_key = H.hash(b"CPaceMac" \|\| ISK). +- First calculate mac\_key as mac\_key = H.hash("CPaceMac" \|\| ISK). - Then let each party send an authenticator tag Ta, Tb that is calculated over the protocol message that it has sent previously. I.e. let party A calculate its transmitted authentication code Ta as Ta = MAC(mac\_key, MSGa) and let party B calculate its transmitted @@ -735,7 +735,7 @@ One suitable option that works also in the parallel setting without message orde For curves over fields F\_p where p is a prime close to a power of two, we recommend sampling scalars as a uniform bit string of length field\_size\_bits. We do so in order to reduce both, complexity of the implementation and reducing the attack surface with respect to side-channels for embedded systems in hostile environments. -The effect of non-uniform sampling on security was demonstrated to be begning in {{AHH21}} for the case of Curve25519 and Curve448. +The effect of non-uniform sampling on security was demonstrated to be begnin in {{AHH21}} for the case of Curve25519 and Curve448. This analysis however does not transfer to most curves in Short-Weierstrass form. As a result, we recommend rejection sampling if G is as in {{CPaceWeierstrass}}. ## Single-coordinate CPace on Montgomery curves
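Review bot: in the hunk at draft-irtf-cfrg-cpace.md @@ -735,7 +735,7 @@ the replacement line still misspells the word: "begning" became "begnin", not "benign". Suggest changing `The effect of non-uniform sampling on security was demonstrated to be begnin in {{AHH21}}` to `The effect of non-uniform sampling on security was demonstrated to be benign in {{AHH21}}`. Since the matching TODO_review entry is already marked "# Fixed.", this one would otherwise slip through.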
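Review bot: the 9.5 entry in the TODO_review hunk @@ -192,7 +200,10 @@ is commented out as "# Fixed." although the draft change in the same patch does not apply the requested spelling; suggest leaving an entry open until the corrected text is verified in the draft (a search for the original typo will not catch a second misspelling), or fixing the draft line before marking the entry done.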
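Review bot: dropping the b"" prefix in the hunk at @@ -722,7 +722,7 @@ removes the notation mismatch but not the reviewer's underlying point that the character-to-octet conversion of strings such as "CPaceMac", G.DSI and "_ISK" is only implicit. Suggest stating once, where these string constants are first introduced, that a string literal denotes its ASCII octet encoding, so that `mac\_key = H.hash("CPaceMac" \|\| ISK)` is unambiguous for implementers. Because the TODO note says only the text body was changed, also check that any pseudocode or test vector material that still uses b"..." is either aligned with this or clearly marked as Python.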
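Review bot: style nit in the TODO_review hunk @@ -157,15 +159,21 @@: "#9.4:" lacks the space after "#" that the other commented-out entries use ("# 9.2:", "# 9.4:"), and the resolution line "# Yes Removed b"" syntax in the text body" reads better as "# Yes. Removed the b"" syntax in the text body." so that the entries stay uniform and grep-friendly.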