diff --git a/draft-irtf-cfrg-opaque.html b/draft-irtf-cfrg-opaque.html index 9c3f2dcd..cee5b587 100644 --- a/draft-irtf-cfrg-opaque.html +++ b/draft-irtf-cfrg-opaque.html @@ -1452,10 +1452,10 @@

Otherwise, the attacker can pre-compute a deterministic list of mapped passwords leading to almost instantaneous leakage of passwords upon server compromise.

-

This document describes OPAQUE, a PKI-free secure aPAKE that is secure -against pre-computation attacks. OPAQUE provides forward secrecy with -respect to password leakage while also hiding the password from the -server, even during password registration. OPAQUE allows applications +

This document describes OPAQUE, an aPAKE that is secure against +pre-computation attacks (as defined in [JKX18]). OPAQUE provides forward +secrecy with respect to password leakage while also hiding the password from +the server, even during password registration. OPAQUE allows applications to increase the difficulty of offline dictionary attacks via iterated hashing or other key stretching schemes. OPAQUE is also extensible, allowing clients to safely store and retrieve arbitrary application data on servers @@ -2836,7 +2836,8 @@

The output of this function is a unique, fixed-length byte string.

-

Implementations for recommended groups in Section 7, as well as groups +

It is RECOMMENDED to use Elliptic Curve Diffie-Hellman for this key exchange protocol. +Implementations for recommended groups in Section 7, as well as groups covered by test vectors in Appendix D, are described in the following sections.

@@ -4120,6 +4121,8 @@

Hash is the same hash function used in the main OPAQUE protocol for key derivation. Its output length (in bits) must be at least L.

+

Both parties should perform validation (as in Section 10.8) on each other's +public keys before computing the above parameters.

diff --git a/draft-irtf-cfrg-opaque.txt b/draft-irtf-cfrg-opaque.txt index 2ca32ac8..ab387348 100644 --- a/draft-irtf-cfrg-opaque.txt +++ b/draft-irtf-cfrg-opaque.txt @@ -178,8 +178,8 @@ Table of Contents pre-compute a deterministic list of mapped passwords leading to almost instantaneous leakage of passwords upon server compromise. - This document describes OPAQUE, a PKI-free secure aPAKE that is - secure against pre-computation attacks. OPAQUE provides forward + This document describes OPAQUE, an aPAKE that is secure against pre- + computation attacks (as defined in [JKX18]). OPAQUE provides forward secrecy with respect to password leakage while also hiding the password from the server, even during password registration. OPAQUE allows applications to increase the difficulty of offline dictionary @@ -1365,9 +1365,10 @@ def RecoverCredentials(password, blind, response, operation between the private input k and public input B. The output of this function is a unique, fixed-length byte string. - Implementations for recommended groups in Section 7, as well as - groups covered by test vectors in Appendix D, are described in the - following sections. + It is RECOMMENDED to use Elliptic Curve Diffie-Hellman for this key + exchange protocol. Implementations for recommended groups in + Section 7, as well as groups covered by test vectors in Appendix D, + are described in the following sections. 6.4.1.1. 3DH ristretto255 @@ -2574,6 +2575,9 @@ C.1. HMQV Instantiation Sketch Hash is the same hash function used in the main OPAQUE protocol for key derivation. Its output length (in bits) must be at least L. + Both parties should perform validation (as in Section 10.8) on each + other's public keys before computing the above parameters. + C.2. SIGMA-I Instantiation Sketch A [SIGMA-I] instantiation differs more drastically from OPAQUE-3DH