1

In SRP, the server stores the client verifier $v$, defined as $v=g^x \operatorname{mod}N$. $x$ is an implementation-defined value derived from the user's password $p$ and salt $s$ (and often other values, such as the username $I$).

The RFC2945-defined method to derive $x$ is $x=H(s \|H(I\|\text{":"}\|p))$. $H$ is suggested as SHA-1 and often also implemented as SHA-256. That means that in the usual case, $x$ is a 160-bit or 256-bit value.

$x$ is effectively password-equivalent, so knowing it (and the associated $I$ and $s$) would allow an attacker to impersonate the user, for example in the case of a leaked $v$.

My question here is: assuming a dictionary attack on $g$ isn't the biggest threat¹, does it weaken the security of the protocol that $x\ll N$? Mainly, does it make the discrete logarithm problem on $g^x$ easier to solve? This would be easy to mitigate by using a longer hash or extendable-output function for $x$.

¹ i.e., $p$ has lots of entropy and $x$ is computed using a slow hash

1 Answer

3

does it weaken the security of the protocol that $x\ll N$?

Not really.

There are essentially two ways to try to attack this system:

  • Perform a discrete log based on partial information on $x$. If the attacker knows that $0 < x < 2^k$, then he can recover $x$ in $O(2^{k/2})$ time (using a generic technique such as Pollard rho or baby-step giant-step).

  • Perform a discrete log using Number Field Sieve (NFS); the complexity of this depends on N and not at all on $x$. For an $N \approx 2^{3072}$, this takes about $2^{128}$ operations.

Combining these two observations, we see that we want an $x$ circa $2^{256}$; a consistently smaller $x$ will reduce security, while selecting $x$ from a larger random range will not increase security (because of NFS).

And larger $x$ values do have a cost (because it becomes more computationally complex for the honest user), hence we have a decent justification for a 256-bit $x$ (which is what SHA-256 gives us).

poncho
  • 154,064
  • 12
  • 239
  • 382
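The following is an added worked example, not code from the question or from poncho's answer. It implements the RFC 2945 derivation $x = H(s \| H(I \| \text{":"} \| p))$ with $H$ = SHA-256 and $v = g^x \bmod N$ from the question, and then the first attack in the answer: a baby-step giant-step search that recovers an exponent known to lie in $[0, 2^k)$ using about $2^{k/2}$ group multiplications, whatever the size of $N$. The group ($N = 2^{127}-1$, $g = 3$), the salt and the credentials are constructed toys; $N$ is not a safe prime and is not an SRP group from RFC 5054. To make the search finish, the demo deliberately truncates $x$ to $k$ bits, which is exactly the "consistently smaller $x$" case the answer warns about; the full 256-bit $x$ would need roughly $2^{128}$ steps, matching the NFS cost quoted for a 3072-bit $N$.

```python
"""Added example: RFC 2945 verifier derivation and a bounded-exponent
baby-step giant-step (BSGS) search.  All parameters are constructed toys."""
import hashlib
import math

# Constructed toy group: a 127-bit Mersenne prime with generator candidate 3.
# Not a safe prime and not an RFC 5054 SRP group; it only demonstrates that
# the BSGS cost depends on the exponent bound k, not on the size of N.
N = (1 << 127) - 1
g = 3


def srp_x(username: str, password: str, salt: bytes) -> int:
    """x = H(s || H(I || ':' || p)) with H = SHA-256 (RFC 2945), as a big-endian integer."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(x: int, N: int = N, g: int = g) -> int:
    """v = g^x mod N, the value the server stores instead of the password."""
    return pow(g, x, N)


def bsgs_bounded(h: int, k: int, N: int = N, g: int = g):
    """Find x with 0 <= x < 2^k and g^x == h (mod N).

    Returns (x, m) where m = ceil(sqrt(2^k)) is the number of baby steps;
    at most m giant steps follow, so the total work is O(2^(k/2))
    multiplications no matter how large N is.  x is None if no solution
    exists within the bound."""
    m = math.isqrt(1 << k) + 1            # m^2 >= 2^k, so i*m + j covers the whole range
    baby = {}
    cur = 1
    for j in range(m):                    # baby steps: table of g^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * g % N
    giant = pow(g, -m, N)                 # g^(-m) mod N (Python 3.8+ modular inverse)
    cur = h
    for i in range(m):                    # giant steps: h * g^(-i*m) until it hits the table
        if cur in baby:
            return i * m + baby[cur], m
        cur = cur * giant % N
    return None, m


def demo(k: int = 24):
    """Constructed weak case: x truncated to k bits so the search finishes quickly.

    Returns (x_is_256_bit, recovered_ok, baby_steps)."""
    salt = bytes.fromhex("0123456789abcdef")          # constructed salt
    x_full = srp_x("alice", "correct horse battery staple", salt)
    x_small = x_full % (1 << k)                       # deliberately shortened exponent
    v = srp_verifier(x_small)
    found, steps = bsgs_bounded(v, k)
    return x_full.bit_length() <= 256, found == x_small, steps


if __name__ == "__main__":
    ok_len, ok_found, steps = demo(24)
    print(f"x fits in 256 bits: {ok_len}; 24-bit x recovered: {ok_found}; baby steps: {steps}")
```

With `k = 24` the table holds 4097 entries and the search returns almost instantly; doubling `k` squares the work, so the untruncated 256-bit `x` that SHA-256 yields would cost about $2^{128}$ multiplications, which is why the answer lands on 256 bits as the point where generic attacks and NFS cost the same.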