Script updating gh-pages from 0f90d42. [ci skip]

cfrg · Oct 5, 2023 · 2b4d0f7 · 2b4d0f7
1 parent afe2308
commit 2b4d0f7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/draft-irtf-cfrg-opaque.html b/draft-irtf-cfrg-opaque.html
@@ -1452,10 +1452,10 @@ <h2 id="name-introduction">
 Otherwise, the attacker can pre-compute a deterministic list of mapped
 passwords leading to almost instantaneous leakage of passwords upon
 server compromise.<a href="#section-1-2" class="pilcrow">¶</a></p>
-<p id="section-1-3">This document describes OPAQUE, a PKI-free secure aPAKE that is secure
-against pre-computation attacks. OPAQUE provides forward secrecy with
-respect to password leakage while also hiding the password from the
-server, even during password registration. OPAQUE allows applications
+<p id="section-1-3">This document describes OPAQUE, an aPAKE that is secure against
+pre-computation attacks (as defined in <span>[<a href="#JKX18" class="cite xref">JKX18</a>]</span>). OPAQUE provides forward
+secrecy with respect to password leakage while also hiding the password from
+the server, even during password registration. OPAQUE allows applications
 to increase the difficulty of offline dictionary attacks via iterated
 hashing or other key stretching schemes. OPAQUE is also extensible, allowing
 clients to safely store and retrieve arbitrary application data on servers
@@ -2836,7 +2836,8 @@ <h4 id="name-3dh-key-exchange-functions">
 The output of this function is a unique, fixed-length byte string.<a href="#section-6.4.1-2.2.1" class="pilcrow">¶</a></p>
 </li>
           </ul>
-<p id="section-6.4.1-3">Implementations for recommended groups in <a href="#configurations" class="auto internal xref">Section 7</a>, as well as groups
+<p id="section-6.4.1-3">It is RECOMMENDED to use Elliptic Curve Diffie-Hellman for this key exchange protocol.
+Implementations for recommended groups in <a href="#configurations" class="auto internal xref">Section 7</a>, as well as groups
 covered by test vectors in <a href="#test-vectors" class="auto internal xref">Appendix D</a>, are described in the following sections.<a href="#section-6.4.1-3" class="pilcrow">¶</a></p>
 <div id="dh-ristretto255">
 <section id="section-6.4.1.1">
@@ -4120,6 +4121,8 @@ <h3 id="name-hmqv-instantiation-sketch">
 </div>
 <p id="appendix-C.1-11">Hash is the same hash function used in the main OPAQUE protocol for key derivation.
 Its output length (in bits) must be at least L.<a href="#appendix-C.1-11" class="pilcrow">¶</a></p>
+<p id="appendix-C.1-12">Both parties should perform validation (as in <a href="#validation" class="auto internal xref">Section 10.8</a>) on each other's
+public keys before computing the above parameters.<a href="#appendix-C.1-12" class="pilcrow">¶</a></p>
 </section>
 </div>
 <div id="sigma-i-instantiation-sketch">

diff --git a/draft-irtf-cfrg-opaque.txt b/draft-irtf-cfrg-opaque.txt
@@ -178,8 +178,8 @@ Table of Contents
    pre-compute a deterministic list of mapped passwords leading to
    almost instantaneous leakage of passwords upon server compromise.
 
-   This document describes OPAQUE, a PKI-free secure aPAKE that is
-   secure against pre-computation attacks.  OPAQUE provides forward
+   This document describes OPAQUE, an aPAKE that is secure against pre-
+   computation attacks (as defined in [JKX18]).  OPAQUE provides forward
    secrecy with respect to password leakage while also hiding the
    password from the server, even during password registration.  OPAQUE
    allows applications to increase the difficulty of offline dictionary
@@ -1365,9 +1365,10 @@ def RecoverCredentials(password, blind, response,
       operation between the private input k and public input B.  The
       output of this function is a unique, fixed-length byte string.
 
-   Implementations for recommended groups in Section 7, as well as
-   groups covered by test vectors in Appendix D, are described in the
-   following sections.
+   It is RECOMMENDED to use Elliptic Curve Diffie-Hellman for this key
+   exchange protocol.  Implementations for recommended groups in
+   Section 7, as well as groups covered by test vectors in Appendix D,
+   are described in the following sections.
 
 6.4.1.1.  3DH ristretto255
 
@@ -2574,6 +2575,9 @@ C.1.  HMQV Instantiation Sketch
    Hash is the same hash function used in the main OPAQUE protocol for
    key derivation.  Its output length (in bits) must be at least L.
 
+   Both parties should perform validation (as in Section 10.8) on each
+   other's public keys before computing the above parameters.
+
 C.2.  SIGMA-I Instantiation Sketch
 
    A [SIGMA-I] instantiation differs more drastically from OPAQUE-3DH