From a1a47ab45c88b786a48e6ef03e82a14deb2f4efa Mon Sep 17 00:00:00 2001 From: Andrew Thoelke Date: Mon, 29 Jan 2024 22:36:06 +0000 Subject: [PATCH 1/2] Correct the SPAKE2+ flow description * Flow diagram had reversed two of the calls in the Prover * Clarify that the presented sequence of calls is mandatory * Fix some incorrect comments in the demonstration code --- doc/ext-pake/api/pake.rst | 18 ++++++++++------ doc/ext-pake/figure/spake2plus.pdf | Bin 39764 -> 39855 bytes doc/ext-pake/figure/spake2plus.pdf.license | 2 +- doc/ext-pake/figure/spake2plus.puml | 24 +++++++++------------ doc/ext-pake/figure/spake2plus.svg | 2 +- doc/ext-pake/figure/spake2plus.svg.license | 2 +- 6 files changed, 24 insertions(+), 24 deletions(-) diff --git a/doc/ext-pake/api/pake.rst b/doc/ext-pake/api/pake.rst index 039a11e7..40ffb3c3 100644 --- a/doc/ext-pake/api/pake.rst +++ b/doc/ext-pake/api/pake.rst @@ -1,4 +1,4 @@ -.. SPDX-FileCopyrightText: Copyright 2022-2023 Arm Limited and/or its affiliates +.. SPDX-FileCopyrightText: Copyright 2022-2024 Arm Limited and/or its affiliates .. SPDX-License-Identifier: CC-BY-SA-4.0 AND LicenseRef-Patent-license Password-authenticated key exchange (PAKE) @@ -1650,7 +1650,11 @@ The following steps demonstrate the application code for both Prover and Verifie Key exchange ^^^^^^^^^^^^ -After setup, the key exchange and confirmation flow for SPAKE2+ is as follows: +After setup, the key exchange and confirmation flow for SPAKE2+ is as follows. + +.. note:: + + The sequence of calls for the Prover, and the sequence for the Verifier, must be in exactly this order. **Prover** To get the key share to send to the Verifier, call: @@ -1661,7 +1665,7 @@ After setup, the key exchange and confirmation flow for SPAKE2+ is as follows: psa_pake_output(&spake2p_p, PSA_PAKE_STEP_KEY_SHARE, ...); **Verifier** - To provide and validate the Prover key share, call: + To provide and validate the key share received from the Prover, call: .. code-block:: xref 
@@ -1679,7 +1683,7 @@ After setup, the key exchange and confirmation flow for SPAKE2+ is as follows: psa_pake_output(&spake2p_v, PSA_PAKE_STEP_CONFIRM, ...); **Prover** - To provide and validate the Verifier key share, and confirm the Verifier key, call: + To provide and validate the key share and verify the confirmation value received from the Verifier, call: .. code-block:: xref @@ -1693,15 +1697,15 @@ After setup, the key exchange and confirmation flow for SPAKE2+ is as follows: .. code-block:: xref - // Get confirmV + // Get confirmP psa_pake_output(&spake2p_p, PSA_PAKE_STEP_CONFIRM, ...); **Verifier** - To confirm the Prover key, call: + To verify the confirmation value received from the Prover, call: .. code-block:: xref - // Set shareP + // Set confirmP psa_pake_input(&spake2p_v, PSA_PAKE_STEP_CONFIRM, ...); **Prover** 
diff --git a/doc/ext-pake/figure/spake2plus.pdf b/doc/ext-pake/figure/spake2plus.pdf index 3ada1f967c2c4e80110dcd8e7643b96e47bd53dc..581501beef22b35b3d9a88c774e5a90c34d710e0 100644 GIT binary patch
diff --git a/doc/ext-pake/figure/spake2plus.pdf.license b/doc/ext-pake/figure/spake2plus.pdf.license index 9a9052df..22ae5f88 100644 --- a/doc/ext-pake/figure/spake2plus.pdf.license +++ b/doc/ext-pake/figure/spake2plus.pdf.license
@@ -1,2 +1,2 @@ -SPDX-FileCopyrightText: Copyright 2023 Arm Limited and/or its affiliates +SPDX-FileCopyrightText: Copyright 2023-2024 Arm Limited and/or its affiliates SPDX-License-Identifier: CC-BY-SA-4.0 AND LicenseRef-Patent-license diff --git a/doc/ext-pake/figure/spake2plus.puml b/doc/ext-pake/figure/spake2plus.puml index b706c8b3..4766300d 100644 --- a/doc/ext-pake/figure/spake2plus.puml +++ b/doc/ext-pake/figure/spake2plus.puml @@ -1,4 +1,4 @@ -' SPDX-FileCopyrightText: Copyright 2023 Arm Limited and/or its affiliates +' SPDX-FileCopyrightText: Copyright 2023-2024 Arm Limited and/or its affiliates ' SPDX-License-Identifier: CC-BY-SA-4.0 AND LicenseRef-Patent-license @startuml @@ -22,11 +22,11 @@ Verifier -> Verifier: ""psa_pake_input()"" for //shareP// note left: Validate //shareP// - Verifier -> Verifier: ""psa_pake_output()"" for //shareV// = //Y// and //confirmV// + Verifier -> Verifier: ""psa_pake_output()"" for //shareV// = //Y// + note left: Generate key share //Y// + Verifier -> Verifier: ""psa_pake_output()"" for //confirmV// note left - Generate key share //Y// - Compute //K_shared//, - //confirmP'// and //confirmV// + Compute //K_shared//, //confirmP'// and //confirmV// end note Verifier ->> Prover: (//shareV//, //confirmV//) 
@@ -34,24 +34,20 @@ Prover -> Prover: ""psa_pake_input()"" for //shareV// note left: Validate //shareV// - Prover -> Prover: ""psa_pake_output()"" for //confirmP// + Prover -> Prover: ""psa_pake_input()"" for //confirmV// note left Compute //K_shared//, - //confirmP// and //confirmV'// + //confirmP// and //confirmV'// + Verify //confirmV'// = //confirmV// end note + Prover -> Prover: ""psa_pake_output()"" for //confirmP// Prover ->> Verifier: (//confirmP//) - Prover -> Prover: ""psa_pake_input()"" for //confirmV// - note left - Verify that - //confirmV'// = //confirmV// - end note Prover -> Prover: ""psa_pake_get_shared_key()"" to extract //K_shared// Verifier -> Verifier: ""psa_pake_input()"" for //confirmP// note left - Verify that - //confirmP'// = //confirmP// + Verify //confirmP'// = //confirmP// end note Verifier -> Verifier: ""psa_pake_get_shared_key()"" to extract //K_shared// diff --git a/doc/ext-pake/figure/spake2plus.svg b/doc/ext-pake/figure/spake2plus.svg index ac1bfc49..2937fc5a 100644 --- a/doc/ext-pake/figure/spake2plus.svg +++ b/doc/ext-pake/figure/spake2plus.svg 
@@ -1 +1 @@ -Prover(Client role)Verifier(Server role)Shared information : cipher suite,ProverId,VerifierId, andContextRegistration record (w0,L) derived from passwordProver 'key pair' (w0,w1) derived from passwordpsa_pake_setup()with key (w0,w1)psa_pake_set_role(PSA_PAKE_ROLE_CLIENT)psa_pake_set_user(ProverId)psa_pake_set_peer(VerifierId)psa_pake_set_context(Context)psa_pake_output()forshareP=XGenerate key shareX(shareP)psa_pake_setup()with key (w0,L) or key (w0,w1)psa_pake_set_role(PSA_PAKE_ROLE_SERVER)psa_pake_set_user(VerifierId)psa_pake_set_peer(ProverId)psa_pake_set_context(Context)psa_pake_input()forsharePValidatesharePpsa_pake_output()forshareV=YandconfirmVGenerate key shareYComputeK_shared,confirmP'andconfirmV(shareV,confirmV)psa_pake_input()forshareVValidateshareVpsa_pake_output()forconfirmPComputeK_shared,confirmPandconfirmV'(confirmP)psa_pake_input()forconfirmVVerify thatconfirmV'=confirmVpsa_pake_get_shared_key()to extractK_sharedpsa_pake_input()forconfirmPVerify thatconfirmP'=confirmPpsa_pake_get_shared_key()to extractK_shared \ No newline at end of file +Prover(Client role)Verifier(Server role)Shared information : cipher suite,ProverId,VerifierId, andContextRegistration record (w0,L) derived from passwordProver 'key pair' (w0,w1) derived from passwordpsa_pake_setup()with key (w0,w1)psa_pake_set_role(PSA_PAKE_ROLE_CLIENT)psa_pake_set_user(ProverId)psa_pake_set_peer(VerifierId)psa_pake_set_context(Context)psa_pake_output()forshareP=XGenerate key shareX(shareP)psa_pake_setup()with key (w0,L) or key (w0,w1)psa_pake_set_role(PSA_PAKE_ROLE_SERVER)psa_pake_set_user(VerifierId)psa_pake_set_peer(ProverId)psa_pake_set_context(Context)psa_pake_input()forsharePValidatesharePpsa_pake_output()forshareV=YGenerate key shareYpsa_pake_output()forconfirmVComputeK_shared,confirmP'andconfirmV(shareV,confirmV)psa_pake_input()forshareVValidateshareVpsa_pake_input()forconfirmVComputeK_shared,    
confirmPandconfirmV'VerifyconfirmV'=confirmVpsa_pake_output()forconfirmP(confirmP)psa_pake_get_shared_key()to extractK_sharedpsa_pake_input()forconfirmPVerifyconfirmP'=confirmPpsa_pake_get_shared_key()to extractK_shared \ No newline at end of file diff --git a/doc/ext-pake/figure/spake2plus.svg.license b/doc/ext-pake/figure/spake2plus.svg.license index 9a9052df..22ae5f88 100644 --- a/doc/ext-pake/figure/spake2plus.svg.license +++ b/doc/ext-pake/figure/spake2plus.svg.license @@ -1,2 +1,2 @@ -SPDX-FileCopyrightText: Copyright 2023 Arm Limited and/or its affiliates +SPDX-FileCopyrightText: Copyright 2023-2024 Arm Limited and/or its affiliates SPDX-License-Identifier: CC-BY-SA-4.0 AND LicenseRef-Patent-license From 5eb6c68cdaabda836f31c0d3827103f9dd40843d Mon Sep 17 00:00:00 2001 From: Andrew Thoelke Date: Tue, 30 Jan 2024 09:58:38 +0000 Subject: [PATCH 2/2] Permit flexibility in the flow for J-PAKE * Allow the application to either input-before-output or output-before-input in each round of the protocol. --- doc/ext-pake/api/pake.rst | 103 ++++++++++++++++++++------------------ 1 file changed, 55 insertions(+), 48 deletions(-) diff --git a/doc/ext-pake/api/pake.rst b/doc/ext-pake/api/pake.rst index 40ffb3c3..fbab33dc 100644 --- a/doc/ext-pake/api/pake.rst +++ b/doc/ext-pake/api/pake.rst 
@@ -1263,8 +1263,7 @@ J-PAKE does not assign roles to the participants, so it is not necessary to call J-PAKE requires both an application and a peer identity. If the peer identity provided to `psa_pake_set_peer()` does not match the data received from the peer, then the call to `psa_pake_input()` for the `PSA_PAKE_STEP_ZK_PROOF` step will fail with :code:`PSA_ERROR_INVALID_SIGNATURE`. -The following steps demonstrate the application code for 'User' in :numref:`fig-jpake`. -The input and output steps must be carried out in exactly the same sequence as shown. +The following steps demonstrate the application code for 'User' in :numref:`fig-jpake`. The code flow for the 'Peer' is the same as for 'User', as J-PAKE is a balanced PAKE. 1. To prepare a J-PAKE operation, initialize and set up a :code:`psa_pake_operation_t` object by calling the following functions: 
@@ -1287,61 +1286,69 @@ Key exchange After setup, the key exchange flow for J-PAKE is as follows: -2. To get the first round data that needs to be sent to the peer, call: +2. Round one. - .. code-block:: xref + The application can either extract the round one output values first, and then provide the round one inputs that are received from the Peer; or provide the peer inputs first, and then extract the outputs. - // Get g1 - psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Get V1, the ZKP public key for x1 - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Get r1, the ZKP proof for x1 - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); - // Get g2 - psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Get V2, the ZKP public key for x2 - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Get r2, the ZKP proof for x2 - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); - -#. To provide the first round data received from the peer to the operation, call: + * To get the first round data that needs to be sent to the peer, make the following calls to `psa_pake_output()`, in the order shown: - .. code-block:: xref + .. code-block:: xref - // Set g3 - psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Set V3, the ZKP public key for x3 - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Set r3, the ZKP proof for x3 - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); - // Set g4 - psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Set V4, the ZKP public key for x4 - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Set r4, the ZKP proof for x4 - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); - -#. 
To get the second round data that needs to be sent to the peer, call: + // Get g1 + psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Get V1, the ZKP public key for x1 + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Get r1, the ZKP proof for x1 + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + // Get g2 + psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Get V2, the ZKP public key for x2 + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Get r2, the ZKP proof for x2 + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + + * To provide the first round data received from the peer to the operation, make the following calls to `psa_pake_input()`, in the order shown: - .. code-block:: xref + .. code-block:: xref - // Get A - psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Get V5, the ZKP public key for x2*s - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Get r5, the ZKP proof for x2*s - psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + // Set g3 + psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Set V3, the ZKP public key for x3 + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Set r3, the ZKP proof for x3 + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + // Set g4 + psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Set V4, the ZKP public key for x4 + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Set r4, the ZKP proof for x4 + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); -#. To provide the second round data received from the peer to the operation call: +#. Round two. - .. code-block:: xref + The application can either extract the round two output values first, and then provide the round two inputs that are received from the Peer; or provide the peer inputs first, and then extract the outputs. 
+ + * To get the second round data that needs to be sent to the peer, make the following calls to `psa_pake_output()`, in the order shown: + + .. code-block:: xref + + // Get A + psa_pake_output(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Get V5, the ZKP public key for x2*s + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Get r5, the ZKP proof for x2*s + psa_pake_output(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + + * To provide the second round data received from the peer to the operation, make the following calls to `psa_pake_input()`, in the order shown: + + .. code-block:: xref - // Set B - psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); - // Set V6, the ZKP public key for x4*s - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); - // Set r6, the ZKP proof for x4*s - psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); + // Set B + psa_pake_input(&jpake, PSA_PAKE_STEP_KEY_SHARE, ...); + // Set V6, the ZKP public key for x4*s + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PUBLIC, ...); + // Set r6, the ZKP proof for x4*s + psa_pake_input(&jpake, PSA_PAKE_STEP_ZK_PROOF, ...); #. To use the shared secret, extract it as a key-derivation key. For example, to extract a derivation key for HKDF-SHA-256:
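Review bot: In PATCH 1/2, doc/ext-pake/api/pake.rst, hunk @@ -1650,7 +1650,11 @@, the new note says the calls "must be in exactly this order" but does not say what the application observes when it calls out of order. Suggest naming the status code returned for an out-of-sequence call, and writing "the order shown below", since the note comes before the steps it refers to.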
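Review bot: In PATCH 1/2, doc/ext-pake/api/pake.rst, hunk @@ -1679,7 +1683,7 @@, the reworded Prover paragraph ("To provide and validate the key share and verify the confirmation value received from the Verifier, call:") now covers the confirmV input, but neither it nor the following confirmP step says what the application does when that input fails. The corrected flow has the Prover check confirmV before it outputs confirmP, so suggest one sentence stating that confirmP is extracted and sent only after the psa_pake_input() call for confirmV has succeeded.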
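Review bot: The commit message for PATCH 1/2 does not cover the Verifier-side change in doc/ext-pake/figure/spake2plus.puml, hunk @@ -22,11 +22,11 @@, where the single psa_pake_output() for shareV and confirmV becomes two separate calls. The message lists only the reversed Prover calls; suggest adding a bullet for the Verifier split. As a style point, the second note now holds a single line ("Compute //K_shared//, //confirmP'// and //confirmV//") and could use the one-line "note left:" form that the neighbouring notes use.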
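Review bot: In PATCH 1/2, doc/ext-pake/figure/spake2plus.puml, hunk @@ -34,24 +34,20 @@, the line "//confirmP// and //confirmV'//" is removed and re-added with no visible text change, which points to a whitespace-only edit inside the note. The regenerated spake2plus.svg text now shows a run of spaces between "K_shared," and "confirmP" where the previous text had none, so the whitespace appears to reach the rendered figure. Suggest restoring the original indentation of that line, or joining it onto the "Compute //K_shared//," line, and then regenerating the SVG and PDF.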
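Review bot: In PATCH 2/2, doc/ext-pake/api/pake.rst, hunk @@ -1263,8 +1263,7 @@, removing "The input and output steps must be carried out in exactly the same sequence as shown." leaves this introductory paragraph with no statement about ordering at all, although the later steps still require each set of psa_pake_output() and psa_pake_input() calls "in the order shown". Suggest replacing the removed sentence with a short one saying that the order within each set of outputs and inputs is fixed and only the choice of which set comes first in a round is left to the application.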
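Review bot: In PATCH 2/2, doc/ext-pake/api/pake.rst, hunk @@ -1287,61 +1286,69 @@, the new "Round one." and "Round two." paragraphs allow outputs-then-inputs or inputs-then-outputs, but do not say whether the two sets may be interleaved within a round (for example, three output calls, then input calls, then the remaining outputs), or whether both parts of round one must complete before any round two call. Suggest stating both constraints explicitly in each round's introduction, since the removed text previously ruled these cases out by requiring the exact sequence shown.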