draft-bar-cfrg-spake2plus has been presented to the ISE for
publication as an Informational RFC on the Independent Stream.
NOTE: Unusually, the IESG may wish to check for conflicts with the IRTF.
Although that does not fall in the scope of 5742 reviews, this
work is related to the work of the CFRG.
==Purpose==
This document describes the SPAKE2+ protocol, an augmented PAKE protocol
where only one party has knowledge of the password.
SPAKE2+ falls out of the recently-approved IRTF SPAKE2 work, but was not
something the CFRG wished to pursue. The protocol was originally
described in "The Twin-Diffie Hellman Problem and Applications",
EUROCRYPT 2008, Volume 4965 of Lecture notes in Computer Science. It is
presented here for the record and to make the protocol available for
wider consideration.
== History==
draft-irtf-cfrg-spake2 is the product of the IRTF's CFRG and has just
completed IESG conflict review. This work was originally part of that
effort, but was split out as the CFRG did not wish to pursue it. This
document captures and consolidates the text removed from that document.
The document has been sent to the Crypto Review Panel for checking, and
it's progress has been discussed with the CFRG chairs.
The document was first brought to the ISE in April, 2021 at version -02.
Since then it has been revised several times to address review comments.
Note that this work was deliberately held back until
draft-irtf-cfrg-spake2 had progressed, and draft-irtf-cfrg-spake2 is a
normative reference to ensure that that document is published as an RFC
first.
==Non-IETF Work==
It is important that SPAKE2+ not be considered to have IRTF or IETF
endorsement.
The document explicitly calls out that SPAKE2+ was not selected as the
result of the CFRG PAKE selection competition. It also notes that the
document was produced outside of the IETF and IRTF, and represents the
opinions of the authors. It also states that publication of this document
as an RFC in the Independent Submissions Stream does not imply
endorsement of SPAKE2+ by the IETF or IRTF.
==IANA==
The document makes no request for IANA action.
==Reviews==
As well as reviewing the document himself, the ISE commissioned reviews
from Jean-Philippe Aumasson, Karthik Bhargavan, Watson Ladd, and
Christopher Patton. Scott Fluhrer did a review for the Crypto Review
Panel.
The reviews led to a number of updates to fully address the issues
raised.
Details of the reviews can be retrieved on request.