
I am trying to write a simulation of the SPAKE2 protocol in Python (just so I can get a better understanding of the protocol altogether). I am reading through the IETF draft here: Datatracker.

There's a lot about cryptography I do not understand though and I am having trouble figuring out how to generate some of the values mentioned in the setup. Here is the excerpt I am talking about:

Let G be a group in which the computational Diffie-Hellman (CDH) problem is hard. Suppose G has order p*h where p is a large prime; h will be called the cofactor. Let I be the unit element in G, e.g., the point at infinity if G is an elliptic curve group. We denote the operations in the group additively. We assume there is a representation of elements of G as byte strings: common choices would be SEC1 compressed [SEC1] for elliptic curve groups or big endian integers of a fixed (per-group) length for prime field DH. We fix two elements M and N in the prime-order subgroup of G as defined in the table in this document for common groups, as well as a generator P of the (large) prime-order subgroup of G. P is specified in the document defining the group, and so we do not repeat it here.

More specifically, I don't know how to generate G, p, h, M, N, or P and I don't have the mathematical understanding to know exactly what those values are supposed to be. I would really appreciate any help or guidance.

AleksanderCH
  • You don't need to generate all of them. Choose an elliptic curve like Curve25519, secp256k1, etc. then the parameters $G,p,h$ and $P$ are already determined. – kelalaka Nov 25 '19 at 20:04
  • Or just read the draft - it gives all the parameters... – poncho Nov 25 '19 at 20:57
  • G (base point), p (field size) and h (cofactor) are given by the group you choose. M and N could be any distinct pair of group elements for which the DL is not known. The draft provides such a pair that you may want to use for interoperability purposes. – Frank Denis Nov 25 '19 at 21:31
  • @kelalaka I looked at the Curve25519 link you posted. According to Frank Denis G is called the base point. I see two values designated as the base point on the Curve25519 paper, u and v. Which is the value I should use? Also, although I see P mentioned, I cannot find where it is explicitly given a value. – kansas_bulldog382 Nov 26 '19 at 00:51
  • @kansas_bulldog382 in Elliptic Curve if affine coordinates are used then every point is represented by a pair $(u,v)$ – kelalaka Nov 26 '19 at 02:12
  • @kelalaka Ok, that makes much more sense now. Thank you for your help so far. It looks like P is also a point defined by two coordinates, but the SPAKE2 protocol calls for P to be multiplied or added to some numbers. Do you know how these operations are carried out since P is actually two numbers? – kansas_bulldog382 Nov 26 '19 at 03:59
  • @kansas_bulldog382 that is called scalar multiplication with an example.. – kelalaka Nov 26 '19 at 07:59
  • Also, if you are using Curve25519, most existing libraries may "clamp" the scalar (clear the 3 low bits, set the high bit), which can give you trouble when implementing SPAKE2. Make sure that this doesn't happen (for example in libsodium by using scalarmult_ed25519_base_noclamp() and scalarmult_ed25519_noclamp()). See https://github.com/jedisct1/spake2-ee for an example implementation (although that one is an augmented version, and has a different way to choose M and N). – Frank Denis Nov 26 '19 at 11:20
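
An added example, not part of the question or its comments and not code from the draft: a toy Python simulation of the SPAKE2 group arithmetic discussed above, showing that picking a curve fixes G, p, h and P, and that "multiplying P by a number" is scalar multiplication of a point. Assumptions: NIST P-256 is used as the group (cofactor h = 1), M and N are constructed here by hashing a label to a curve point instead of being taken from the draft's table, plain SHA-256 stands in for the draft's derivation of w from the password, and all function names are hypothetical; the draft's final key derivation from the transcript is left out.

```python
import hashlib, secrets

# NIST P-256: choosing the curve fixes the group G, its order and the generator P.
q = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # field prime
a, b = q - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
p = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order (the draft's p); h = 1
P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(A, B):  # affine point addition; None is the identity I
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % q == 0: return None
    m = ((3*x1*x1 + a) * pow(2*y1, -1, q) if A == B
         else (y2 - y1) * pow(x2 - x1, -1, q))
    x3 = (m*m - x1 - x2) % q
    return (x3, (m*(x1 - x3) - y1) % q)

def mul(k, A):  # scalar multiplication k*A by double-and-add (not constant time)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def neg(A): return A and (A[0], -A[1] % q)

def hash_to_point(label):  # constructed stand-in for the draft's M/N table
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(label + bytes([ctr])).digest(), "big") % q
        rhs = (pow(x, 3, q) + a*x + b) % q
        y = pow(rhs, (q + 1)//4, q)  # square root, valid because q % 4 == 3
        if y*y % q == rhs: return (x, y)

M, N = hash_to_point(b"toy M"), hash_to_point(b"toy N")

def pw_scalar(pw):  # assumption: plain SHA-256 instead of the draft's password hash
    return int.from_bytes(hashlib.sha256(pw).digest(), "big") % p

def spake2_demo(pw_a, pw_b):
    w_a, w_b = pw_scalar(pw_a), pw_scalar(pw_b)
    x, y = secrets.randbelow(p - 1) + 1, secrets.randbelow(p - 1) + 1
    pA = add(mul(x, P), mul(w_a, M))         # A -> B: x*P + w*M
    pB = add(mul(y, P), mul(w_b, N))         # B -> A: y*P + w*N
    K_a = mul(x, add(pB, neg(mul(w_a, N))))  # A: x*(pB - w*N), h = 1
    K_b = mul(y, add(pA, neg(mul(w_b, M))))  # B: y*(pA - w*M), h = 1
    return K_a, K_b
```

Both sides obtain the same group element K only when they used the same password; for interoperability with other implementations, M and N must be the values from the draft's table.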
