Some PAKE algorithms use a context parameter, and there is an API for each participant to set the context value. However, none of the documented PAKE protocols describe if, or how, this parameter should be set, or what happens if none is set.
J-PAKE
J-PAKE does not use a context. The documentation should state that setting the context is an error for J-PAKE.
SPAKE2+
SPAKE2+ does have a context, which is used when generating the transcript input to the key derivation process.
For the MATTER PAKE the context is fully defined in the Matter specification, and the caller is required to construct the Context string as specified there, and pass it to the PAKE operation.
The general SPAKE2+ algorithm RFC states that the context is an octet string that can be nil (the empty string), and may alternatively be omitted (along with the preceding encoded len(context)) from the transcript.
We presently say nothing in the specification, other than showing psa_pake_set_context() being used in the SPAKE2+ protocol flow.
So I'd say that a clarification is necessary for both the MATTER and RFC variants of SPAKE2+. For the latter, we need to choose between the following ways of handling omitted and zero-length context values:
1. A zero-length context is treated the same as not setting a context: both are encoded as len(nil) || nil || ... in the transcript.
2. A zero-length context is treated the same as not setting a context: both are omitted from the transcript.
3. If no context is set, the context and encoded-length are omitted from the transcript; if a zero-length context is set, it is encoded as len(nil) || nil || ... in the transcript.
Option 3 gives the full range of possible transcript encodings to the application; though it creates a different behavior to the handling of user-id and peer-id which treat an unset value as a zero-length string.
Have any implementations made a specific choice for this parameter to SPAKE2+?
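The three candidate encodings listed above, as an added example that is not part of the original post or of any PSA Crypto implementation. The enum names, the sample identities and the 8-byte little-endian length prefix are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for the three candidate policies listed above. */
enum ctx_policy { UNSET_AS_EMPTY = 1, EMPTY_AS_UNSET = 2, DISTINGUISH = 3 };

/* Append len(data) || data; len is 8-byte little-endian (assumed encoding).
 * Returns the new offset; SIZE_MAX is a sticky error for a short buffer. */
static size_t put_field(uint8_t *out, size_t cap, size_t off,
                        const uint8_t *data, size_t len)
{
    if (off > cap || cap - off < 8 || cap - off - 8 < len)
        return SIZE_MAX;
    for (int i = 0; i < 8; i++)
        out[off + i] = (uint8_t)((uint64_t)len >> (8 * i));
    if (len > 0)
        memcpy(out + off + 8, data, len);
    return off + 8 + len;
}

/* Start of the transcript: [len(ctx) || ctx] || len(idP) || idP || len(idV) || idV.
 * ctx_set is 0 when no context was ever set. Identities are constructed samples. */
size_t transcript_prefix(enum ctx_policy policy, int ctx_set, const uint8_t *ctx,
                         size_t ctx_len, uint8_t *out, size_t cap)
{
    static const uint8_t id_p[] = "client", id_v[] = "server";
    size_t off = 0;
    int encode;
    if (!ctx_set) ctx_len = 0;
    switch (policy) {
    case UNSET_AS_EMPTY: encode = 1;           break; /* option 1: always encoded */
    case EMPTY_AS_UNSET: encode = ctx_len > 0; break; /* option 2: empty omitted  */
    case DISTINGUISH:    encode = ctx_set;     break; /* option 3: only if set    */
    default:             return SIZE_MAX;
    }
    if (encode)
        off = put_field(out, cap, off, ctx, ctx_len);
    off = put_field(out, cap, off, id_p, sizeof id_p - 1);
    return put_field(out, cap, off, id_v, sizeof id_v - 1);
}

int main(void)
{
    uint8_t buf[64];
    for (int p = UNSET_AS_EMPTY; p <= DISTINGUISH; p++)
        printf("option %d: unset=%zu empty=%zu bytes\n", p,
               transcript_prefix((enum ctx_policy)p, 0, NULL, 0, buf, sizeof buf),
               transcript_prefix((enum ctx_policy)p, 1, NULL, 0, buf, sizeof buf));
    return 0;
}
```

Under option 3 the unset and zero-length cases produce transcripts of different length, so two peers that disagree on whether the context was set derive different keys. Options 1 and 2 each collapse the two cases, but the two options yield different transcripts from each other.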