At the moment the PAKE operations for J-PAKE and SPAKE2+ present an ordering of the calls to the API to perform the PAKE protocol. However, the specification is not clear about whether these are strict requirements relating to the call sequence (which restricts the application behavior), or if there is some flexibility.
There seems to be a reasonable case for documenting where an implementation must provide some flexibility in the ordering, to satisfy application use cases; as well as making it clear where the ordering is essential to preserve the correct operation and protocol behavior.
J-PAKE
As an example of where flexibility would be valuable for applications, consider J-PAKE being conducted between participants A and B, trying to minimize the number of messages. (The following description refers to steps as numbered in p40-42 of the Beta.2 Release candidate PDF in #141)
- A sets up a PAKE operation (step 1 in the specification) and extracts the six round-1 output values (step 2).
- A then sends these values to B.
- When B receives the message from A, it sets up its own PAKE operation (step 1). What happens next:
- MUST B extract the six round-1 outputs (step 2), and only then provide the six round-1 inputs received from A (step 3)? - OR
- Is B permitted (instead) to first provide the six round-1 inputs received from A (step 3), and then extract the six round-1 outputs (step 2)?
- B now also extracts the six round-2 outputs (step 4).
- B sends all of its round-1 and round-2 outputs to A.
- When A receives the message from B, it MUST input the round-1 values (step 3) before extracting the six round-2 values (step 4), as the latter are [computationally] dependent on the round-1 inputs. However:
- MUST A extract the six round-2 outputs (step 4), and only then provide the six round-2 inputs received from B (step 5)? - OR
- Is A permitted (instead) to first provide the six round-2 inputs received from B (step 5), and then extract the six round-2 outputs (step 4)?
- A sends its round-2 outputs to B.
- When B receives the message from A, it inputs the round-2 values (step 5).
- Both A and B can now extract the shared key (step 6)
From an application point of view, it is helpful to be able to input data received in a message before extracting data to send in a reply - even when the outputs do not depend on the inputs. I.e. Application developers would benefit from the flexibility to carry out step 3 before step 2, and/or step 5 before step 4; note that the API depends on inputs being provided in-order (step 2 before step 4), and outputs extracted in-order (step 3 before step 5), and the protocol requires step 3 before step 4, and steps 4 and 5 before step 6.
SPAKE2+
There is a similar issue for SPAKE2+. In this case the flow in the specification (p48-51) shows the round-1 shareP from the Prover/Client being input the Verifier/Server operation before extracting the Verifier round-1 shareV. Is this ordering mandated, or can the Verifier application extract shareV before input of shareP?
There is another related issue for SPAKE2+, although in this case, the argument is about which participant might need more protection against online dictionary attacks. The operational flow (in p48-51 of the same document) matches the SPAKE2+ RFC, where it shows a 3-message protocol, where shareV and confirmV are transmitted together by the Verifier/Server. It can be imagined that for some uses of the SPAKE2+ algorithm, it is more important to protect the Verifier/Server from an online dictionary attack, and have the Prover/Client send it's confirmP value to the Verifier before the Verifier sends confirmV. In that case, the Prover operation must be output confirmP, before confirmV is input (in contrast to the order shown in the specification).
At the moment the PAKE operations for J-PAKE and SPAKE2+ present an ordering of the calls to the API to perform the PAKE protocol. However, the specification is not clear about whether these are strict requirements relating to the call sequence (which restricts the application behavior), or if there is some flexibility.
There seems to be a reasonable case for documenting where an implementation must provide some flexibility in the ordering, to satisfy application use cases; as well as making it clear where the ordering is essential to preserve the correct operation and protocol behavior.
J-PAKE
As an example of where flexibility would be valuable for applications, consider J-PAKE being conducted between participants A and B, trying to minimize the number of messages. (The following description refers to steps as numbered in p40-42 of the Beta.2 Release candidate PDF in #141)
From an application point of view, it is helpful to be able to input data received in a message before extracting data to send in a reply - even when the outputs do not depend on the inputs. I.e. Application developers would benefit from the flexibility to carry out step 3 before step 2, and/or step 5 before step 4; note that the API depends on inputs being provided in-order (step 2 before step 4), and outputs extracted in-order (step 3 before step 5), and the protocol requires step 3 before step 4, and steps 4 and 5 before step 6.
SPAKE2+
There is a similar issue for SPAKE2+. In this case the flow in the specification (p48-51) shows the round-1 shareP from the Prover/Client being input the Verifier/Server operation before extracting the Verifier round-1 shareV. Is this ordering mandated, or can the Verifier application extract shareV before input of shareP?
There is another related issue for SPAKE2+, although in this case, the argument is about which participant might need more protection against online dictionary attacks. The operational flow (in p48-51 of the same document) matches the SPAKE2+ RFC, where it shows a 3-message protocol, where shareV and confirmV are transmitted together by the Verifier/Server. It can be imagined that for some uses of the SPAKE2+ algorithm, it is more important to protect the Verifier/Server from an online dictionary attack, and have the Prover/Client send it's confirmP value to the Verifier before the Verifier sends confirmV. In that case, the Prover operation must be output confirmP, before confirmV is input (in contrast to the order shown in the specification).