Skip to content

Commit

Permalink
Considered further review comments.
Browse files Browse the repository at this point in the history
  • Loading branch information
BjoernMHaase committed Jan 19, 2024
1 parent 907fd56 commit c125d6b
Show file tree
Hide file tree
Showing 2 changed files with 50 additions and 39 deletions.
81 changes: 46 additions & 35 deletions TODO_review
Original file line number Diff line number Diff line change
Expand Up @@ -4,49 +4,60 @@ Thomas

Detailed comments below:

1.1: "Section 4 gives an overview over" -> "... an overview of"

5.1: "the default output size in bytes corresponding to the symmetric
security level of the hash function": this sentence is a bit confusing
because hash function security has several meanings that would call for
distinct output sizes. E.g. SHA-256 and SHAKE-128 are normally said to
offer "128-bit security" but here H.b_in_bytes is asserted to be 32 for
these functions. At this point in the document I suppose that what is
meant is "the minimal output size needed for collision resistance at the
expected security level" (i.e. you need at least 32 bytes to get 128-bit
security against collisions).

5.1: "input block size": maybe add a remark that this "block size" is
the same concept as the one used in HMAC (with a reference to RFC 2104).

5.2: "returning a representation of a scalar (referred to as 'scalar'
from now on)": this feels weirdly circular. The word "scalar" was not
defined before in the document, and the definition of a scalar should
not be "it is a scalar". I suppose that the sentence should read as:
"... returning a representation of an integer (referred to as 'scalar'
from now on)"
# 1.1: "Section 4 gives an overview over" -> "... an overview of"
#
# Fixed

# 5.1: "the default output size in bytes corresponding to the symmetric
# security level of the hash function": this sentence is a bit confusing
# because hash function security has several meanings that would call for
# distinct output sizes. E.g. SHA-256 and SHAKE-128 are normally said to
# offer "128-bit security" but here H.b_in_bytes is asserted to be 32 for
# these functions. At this point in the document I suppose that what is
# meant is "the minimal output size needed for collision resistance at the
# expected security level" (i.e. you need at least 32 bytes to get 128-bit
# security against collisions).
#
# Fixed.

# 5.1: "input block size": maybe add a remark that this "block size" is
# the same concept as the one used in HMAC (with a reference to RFC 2104).
#
# Fixed

#5.2: "returning a representation of a scalar (referred to as 'scalar'
#from now on)": this feels weirdly circular. The word "scalar" was not
#defined before in the document, and the definition of a scalar should
#not be "it is a scalar". I suppose that the sentence should read as:
#"... returning a representation of an integer (referred to as 'scalar'
#from now on)"
#
# Fixed.

5.2: the document uses multiplicative notation for the group operation,
but the function scalar_mult is called scalar_mult and not pow or exp.


5.3: LEB128 and lv_cat are specified in an appendix. Shouldn't that be
moved to the main document? It feels weird to have these parts in an
appendix.

5.3: sample_random_bytes(n) is defined as "a function that returns n
octets uniformly distributed between 0 and 255", which can be understood
in several ways. It can be "n octets, each selected with a uniform
distribution between 0 and 255, and the octets are sampled independently
of each other" (this is what is meant in the document). But it can also
be read as "n copies of a single value which is sampled uniformly
between 0 and 255". Or even "n octets out of the 256 that are between 0
and 255", i.e. implicitly n distinct octets. I suggest making the
wording a bit more precise, under the assumption that the document
reader may be an implementer who is not ncessarily a professional
cryptographer. This matters in particular for random selection of
values, because bad sampling code will still "work", and thus may evade
detection through functional testing (there are known precedents, e.g.
when Sony was generating ECDSA signatures with a fixed secret scalar k).
# 5.3: sample_random_bytes(n) is defined as "a function that returns n
# octets uniformly distributed between 0 and 255", which can be understood
# in several ways. It can be "n octets, each selected with a uniform
# distribution between 0 and 255, and the octets are sampled independently
# of each other" (this is what is meant in the document). But it can also
# be read as "n copies of a single value which is sampled uniformly
# between 0 and 255". Or even "n octets out of the 256 that are between 0
# and 255", i.e. implicitly n distinct octets. I suggest making the
# wording a bit more precise, under the assumption that the document
# reader may be an implementer who is not ncessarily a professional
# cryptographer. This matters in particular for random selection of
# values, because bad sampling code will still "work", and thus may evade
# detection through functional testing (there are known precedents, e.g.
# when Sony was generating ECDSA signatures with a fixed secret scalar k).
#
# Fixed.

6.1: The diagram shows "[CI]" as being "public", but section 3.1 said
that CI "may also include confidential information", which means that it
Expand Down
8 changes: 4 additions & 4 deletions draft-irtf-cfrg-cpace.md
Original file line number Diff line number Diff line change
Expand Up @@ -298,7 +298,7 @@ and functions as detailed below. In this document we use multiplicative notation
- G.calculate\_generator(H,PRS,CI,sid) denotes a function that outputs a representation of a generator (referred to as "generator" from now on) of the group
which is derived from input octet strings PRS, CI, and sid and with the help of the hash function H.

- G.sample\_scalar() is a function returning a representation of a scalar (referred to as "scalar" from now on) appropriate as a
- G.sample\_scalar() is a function returning a representation of an integer (referred to as "scalar" from now on) appropriate as a
private Diffie-Hellman key for the group.

- G.scalar\_mult(y,g) is a function operating on a scalar
Expand Down Expand Up @@ -339,16 +339,16 @@ representation of the group element g^y. Additionally, scalar\_mult\_vfy specifi
Other encodings, such as the network encoding used for the client-hello and server-hello messages in TLS MAY also be used when
following the guidance given in the security consideration section.

- sample\_random\_bytes(n) denotes a function that returns n octets uniformly distributed between 0 and 255.
- sample\_random\_bytes(n) denotes a function that returns n octets, each of which is to be independently sampled from an uniform distribution between 0 and 255.

- zero\_bytes(n) denotes a function that returns n octets with value 0.

- o_cat(bytes1,bytes2) denotes a function for ordered concatenation of octet strings. It places the lexiographically larger octet
- o\_cat(bytes1,bytes2) denotes a function for ordered concatenation of octet strings. It places the lexiographically larger octet
string first and prepends the two bytes from the octet string "oc" to the result. (Explicit reference code for this function is given in the appendix.)

- transcript(MSGa,MSGb) denotes function outputing a string for the protocol transcript with messages MSGa and MSGb.
In applications where CPace is used without clear initiator and responder roles, i.e. where the ordering of messages is
not enforced by the protocol flow, transcript(MSGa,MSGb) = o_cat(MSGa,MSGb) SHALL be used.
not enforced by the protocol flow, transcript(MSGa,MSGb) = o\_cat(MSGa,MSGb) SHALL be used.
In the initiator-responder setting transcript(MSGa,MSGb) SHALL BE implemented such that the later message is appended to the
earlier message, i.e., transcript(MSGa,MSGb) = MSGa\|\|MSGb if MSGa is sent first.

Expand Down

0 comments on commit c125d6b

Please sign in to comment.