During the working group meeting, I pointed out an additional security consideration for SPAKE2+, and volunteered to provide some possible text. Here is what I came up with (of course, feel free to edit it as appropriate):
SPAKE2+ has been proven to satisfy PAKE security requirements, ensuring that an active adversary is limited to testing a single password per exchange, provided the Elliptic Curve Discrete Logarithm (ECDLog) problem remains computationally infeasible. However, it is important to note a critical security consideration: if an adversary successfully solves a single instance of the ECDLog problem—for instance, through having access to a slow quantum computer—they could then perform a single exchange with a server who has the password and, based on that exchange, perform an offline brute-force attack to test a wide range of passwords (and identify the correct one when it is tested). This single ECDLog solution would allow this attack against any server that implements the SPAKE2+ option of this protocol. Organizations implementing that option for this protocol should be aware of this vulnerability and consider the long-term security implications regarding the ECDLog problem.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
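To make the consideration in the proposed text concrete for readers who have not worked through the SPAKE2+ algebra, here is an added illustration (not part of the post, and not RFC 9383 code). It assumes a toy SPAKE2+ in the quadratic-residue subgroup of Z_1019^* (order 509), a SHA-256 stand-in for the KDF and HMAC for key confirmation, and constants M and N picked as arbitrary subgroup elements; the group is tiny precisely so that the "single ECDLog instance" (the discrete log of M) can be found by exhaustive search, which plays the role of the slow quantum computer in the text. The honest exchange shows both sides agreeing on a key; the second run shows that once log_G(M) is known, one exchange with the server is enough to test every candidate password offline against the server's confirmation MAC, which is why SPAKE2+'s one-guess-per-exchange guarantee rests on that single discrete logarithm staying unknown.

```python
# Toy SPAKE2+ over a small multiplicative group (added illustration, not RFC 9383 values).
# Shows why the protocol's security depends on nobody knowing log_G(M) (or log_G(N)).
import hashlib
import hmac
import secrets

P = 1019          # safe prime (P = 2*Q + 1), tiny so the DLog step below is feasible
Q = 509           # prime order of the quadratic-residue subgroup
G = 4             # generator of that subgroup
M = 49            # 7^2: a fixed subgroup element playing the role of SPAKE2+ M
N = 121           # 11^2: same role as SPAKE2+ N

def scalar(label, password):
    """Derive a nonzero scalar from the password (stand-in for the RFC's PBKDF)."""
    h = hashlib.sha256(label + password).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def inv(a):
    return pow(a, P - 2, P)

def register(password):
    """Verifier record the server stores: (w0, L = G^w1)."""
    w0, w1 = scalar(b"w0", password), scalar(b"w1", password)
    return w0, pow(G, w1, P)

def derive_keys(X, Y, Z, V, w0):
    """Hash the transcript into a session key Ke and a confirmation key Kc."""
    transcript = b"|".join(str(v).encode() for v in (X, Y, Z, V, w0))
    k = hashlib.sha256(transcript).digest()
    return k[:16], k[16:]

def confirm(kc, Y):
    return hmac.new(kc, str(Y).encode(), "sha256").digest()

def client_start(w0):
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P) * pow(M, w0, P) % P      # X = G^x * M^w0

def server_respond(w0, L, X):
    """Server side of one exchange: returns its message Y, its confirmation MAC, and Ke."""
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P) * pow(N, w0, P) % P            # Y = G^y * N^w0
    Z = pow(X * inv(pow(M, w0, P)) % P, y, P)       # (X / M^w0)^y
    V = pow(L, y, P)                                # L^y = G^(w1*y)
    ke, kc = derive_keys(X, Y, Z, V, w0)
    return Y, confirm(kc, Y), ke

def client_finish(password, x, X, Y, conf):
    """Honest client: recompute Z and V from the password and check the server's MAC."""
    w0, w1 = scalar(b"w0", password), scalar(b"w1", password)
    T = Y * inv(pow(N, w0, P)) % P                  # Y / N^w0 = G^y
    ke, kc = derive_keys(X, Y, pow(T, x, P), pow(T, w1, P), w0)
    return ke if hmac.compare_digest(conf, confirm(kc, Y)) else None

def brute_force_dlog(h):
    """The 'single ECDLog instance' of the post. Feasible here only because Q is tiny."""
    acc = 1
    for k in range(Q):
        if acc == h:
            return k
        acc = acc * G % P
    raise ValueError("not in subgroup")

def offline_password_test(m, x, X, Y, conf, candidates):
    """After ONE exchange in which the party sent X = G^x (no password needed), each
    candidate can be checked offline against the server's MAC, because the server's
    Z = (G^x / M^w0)^y equals (Y / N^w0)^(x - m*w0) once m = log_G(M) is known."""
    for pw in candidates:
        w0, w1 = scalar(b"w0", pw), scalar(b"w1", pw)
        T = Y * inv(pow(N, w0, P)) % P
        Z = pow(T, (x - m * w0) % Q, P)
        V = pow(T, w1, P)
        _, kc = derive_keys(X, Y, Z, V, w0)
        if hmac.compare_digest(conf, confirm(kc, Y)):
            return pw
    return None

def demo(password=b"correct horse",
         candidates=(b"letmein", b"hunter2", b"correct horse", b"qwerty")):
    """Returns the candidate singled out by one exchange, or None if it is not in the list."""
    w0, L = register(password)
    # Honest run: client and server agree on Ke.
    x, X = client_start(w0)
    Y, conf, ke_server = server_respond(w0, L, X)
    assert client_finish(password, x, X, Y, conf) == ke_server
    # One exchange by a party that knows log_G(M) but not the password (constructed scenario).
    m = brute_force_dlog(M)
    x2 = secrets.randbelow(Q - 1) + 1
    X2 = pow(G, x2, P)
    Y2, conf2, _ = server_respond(w0, L, X2)
    return offline_password_test(m, x2, X2, Y2, conf2, candidates)

if __name__ == "__main__":
    print("singled out by one exchange:", demo())
```

The defensive reading is the one in the proposed text: the whole dictionary is testable against a single transcript, so the protocol's guarantee is only as strong as the discrete log of the fixed constants, and that is a long-term (not per-session) assumption that deployments should track.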
