Script updating gh-pages from 40c3309. [ci skip]

cfrg · Jan 19, 2024 · e93a6a8 · e93a6a8
1 parent 599a477
commit e93a6a8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 15 deletions.
diff --git a/draft-irtf-cfrg-cpace.html b/draft-irtf-cfrg-cpace.html
@@ -1955,11 +1955,11 @@ <h3 id="name-cpace-protocol-instructions">
 If this parsing fails, then B MUST abort. (Testvectors of examples for invalid messages when using lv_cat() as network_encode function for
 CPace are given in the appendix.)
 B then computes K = G.scalar_mult_vfy(yb,Ya). B MUST abort if K=G.I.
-Otherwise B returns
+Otherwise B calculates
 ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K)||transcript(MSGa, MSGb)). B returns ISK and terminates.<a href="#section-6.2-3" class="pilcrow">¶</a></p>
 <p id="section-6.2-4">Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and checks for a valid encoding.
 If this parsing fails, then A MUST abort. A then computes K = G.scalar_mult_vfy(ya,Yb). A MUST abort if K=G.I.
-Otherwise A returns
+Otherwise A calculates
 ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid, K) || transcript(MSGa, MSGb)). A returns ISK and terminates.<a href="#section-6.2-4" class="pilcrow">¶</a></p>
 <p id="section-6.2-5">The session key ISK returned by A and B is identical if and only if the supplied input parameters PRS, CI and sid match on both sides and transcript view (containing of MSGa and MSGb) of both parties match.<a href="#section-6.2-5" class="pilcrow">¶</a></p>
 <p id="section-6.2-6">(Note that in case of a symmetric protocol execution without clear initiator/responder roles, transcript(MSGa, MSGb) needs to be implemented using ordered concatenation for generating a matching view by both parties.)<a href="#section-6.2-6" class="pilcrow">¶</a></p>
@@ -1988,11 +1988,12 @@ <h3 id="name-common-function-for-computi">
 </li>
         </ul>
 <p id="section-7.1-3">The zero padding of length len_zpad is designed such that the encoding of DSI and PRS together with the zero padding field completely
-fills the first input block (of length s_in_bytes) of the hash.
+fills at least the first input block (of length s_in_bytes) of the hash.
 As a result for the common case of short PRS the number of bytes to hash becomes independent of the actual length of the password (PRS). (A reference implementation and test vectors are provided in the appendix.)<a href="#section-7.1-3" class="pilcrow">¶</a></p>
 <p id="section-7.1-4">The introduction of a zero-padding within the generator string also helps mitigating attacks of a side-channel adversary that
-analyzes correlations between publicly known variable information with the low-entropy PRS string.
-Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI.<a href="#section-7.1-4" class="pilcrow">¶</a></p>
+analyzes correlations between publicly known variable information with a short low-entropy PRS string.
+Note that the hash of the first block is intentionally made independent of session-specific inputs, such as sid or CI and that there is no limitation
+regarding the maximum length of the PRS string.<a href="#section-7.1-4" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="CPaceMontgomery">

diff --git a/draft-irtf-cfrg-cpace.txt b/draft-irtf-cfrg-cpace.txt
@@ -622,14 +622,15 @@ Table of Contents
    (Testvectors of examples for invalid messages when using lv_cat() as
    network_encode function for CPace are given in the appendix.)  B then
    computes K = G.scalar_mult_vfy(yb,Ya).  B MUST abort if K=G.I.
-   Otherwise B returns ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid,
+   Otherwise B calculates ISK = H.hash(lv_cat(G.DSI || b"_ISK", sid,
    K)||transcript(MSGa, MSGb)).  B returns ISK and terminates.
 
    Likewise upon reception of MSGb, A parses MSGb for Yb and ADb and
    checks for a valid encoding.  If this parsing fails, then A MUST
    abort.  A then computes K = G.scalar_mult_vfy(ya,Yb).  A MUST abort
-   if K=G.I.  Otherwise A returns ISK = H.hash(lv_cat(G.DSI || b"_ISK",
-   sid, K) || transcript(MSGa, MSGb)).  A returns ISK and terminates.
+   if K=G.I.  Otherwise A calculates ISK = H.hash(lv_cat(G.DSI ||
+   b"_ISK", sid, K) || transcript(MSGa, MSGb)).  A returns ISK and
+   terminates.
 
    The session key ISK returned by A and B is identical if and only if
    the supplied input parameters PRS, CI and sid match on both sides and
@@ -658,18 +659,19 @@ Table of Contents
 
    The zero padding of length len_zpad is designed such that the
    encoding of DSI and PRS together with the zero padding field
-   completely fills the first input block (of length s_in_bytes) of the
-   hash.  As a result for the common case of short PRS the number of
-   bytes to hash becomes independent of the actual length of the
-   password (PRS).  (A reference implementation and test vectors are
-   provided in the appendix.)
+   completely fills at least the first input block (of length
+   s_in_bytes) of the hash.  As a result for the common case of short
+   PRS the number of bytes to hash becomes independent of the actual
+   length of the password (PRS).  (A reference implementation and test
+   vectors are provided in the appendix.)
 
    The introduction of a zero-padding within the generator string also
    helps mitigating attacks of a side-channel adversary that analyzes
-   correlations between publicly known variable information with the
+   correlations between publicly known variable information with a short
    low-entropy PRS string.  Note that the hash of the first block is
    intentionally made independent of session-specific inputs, such as
-   sid or CI.
+   sid or CI and that there is no limitation regarding the maximum
+   length of the PRS string.
 
 7.2.  CPace group objects G_X25519 and G_X448 for single-coordinate
       Ladders on Montgomery curves