New draft for CPace available that now explicitly considers ristretto255 and decaf448
Hello "jesdict1",
I would like to draw your attention to the latest version of the ID regarding CPace.
https://datatracker.ietf.org/doc/draft-irtf-cfrg-cpace/
There are a couple of minor changes. Specifically,
- we were requested to slightly change the encoding of the protocol messages so as to allow for associated-data fields.
- secondly, we have received feedback that we should prepend the length of any field in the final hashes so as to rule out the possibility of length-extension-type attacks on Merkle-Damgård hashes.
We would appreciate your feedback and review of the draft. (Best by sending a message to the CFRG list, or otherwise also by posting an "issue" at https://github.com/cfrg/draft-irtf-cfrg-cpace.)
Yours,
Björn.
Specifically, we'd appreciate feedback regarding the prepend-length function that was introduced. Currently we suggest encoding the lengths as UTF-8 (which is simple for lengths below 128 bytes, but quite complex otherwise). It might also be an option to just reserve two bytes and use little-endian encodings of the lengths.
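Added example, not part of the issue thread or of the CPace draft: a sketch of the two length encodings discussed in the comment above, showing the field-boundary ambiguity that a length prefix removes from a hashed transcript. The function names, the sample fields, the choice of SHA-512 and the reading of "length as UTF-8" as the UTF-8 encoding of the code point equal to the length are all assumptions made for illustration.

```python
import hashlib

def len_utf8(n: int) -> bytes:
    """Length as UTF-8 of code point n (assumed reading of the comment)."""
    # One byte below 128; above that, multi-byte, and surrogates have no encoding.
    if not 0 <= n <= 0x10FFFF or 0xD800 <= n <= 0xDFFF:
        raise ValueError(f"length {n} has no UTF-8 encoding")
    return chr(n).encode("utf-8")

def len_le16(n: int) -> bytes:
    """Length in two reserved bytes, little-endian (the alternative mentioned)."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError(f"length {n} does not fit in two bytes")
    return n.to_bytes(2, "little")

def prepend_len(field: bytes, encode_len=len_utf8) -> bytes:
    """Return the field with its encoded length in front."""
    return encode_len(len(field)) + field

def transcript_hash(fields, encode_len=None) -> bytes:
    """Hash the concatenated fields; encode_len=None means no length prefix."""
    parts = [f if encode_len is None else prepend_len(f, encode_len)
             for f in fields]
    return hashlib.sha512(b"".join(parts)).digest()

# Constructed sample fields: same concatenation, different field boundaries.
FIELDS_A = [b"alice", b"bob-session"]
FIELDS_B = [b"alicebob", b"-session"]

if __name__ == "__main__":
    # Without prefixes the two field lists hash identically.
    print(transcript_hash(FIELDS_A) == transcript_hash(FIELDS_B))
    # With either length encoding the boundaries are bound into the hash.
    for enc in (len_utf8, len_le16):
        print(enc.__name__,
              transcript_hash(FIELDS_A, enc) != transcript_hash(FIELDS_B, enc))
    # The UTF-8 form changes width at 128 and 2048; LE16 is always two bytes.
    for n in (127, 128, 2048):
        print(n, len_utf8(n).hex(), len_le16(n).hex())
```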