Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

Feng Hao <> Tue, 15 November 2016 10:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ADE181297AA for <>; Tue, 15 Nov 2016 02:55:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1A3zG3zwGGBg for <>; Tue, 15 Nov 2016 02:55:54 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7B7B41297B8 for <>; Tue, 15 Nov 2016 02:55:54 -0800 (PST)
Received: from ([] by with esmtp (Exim 4.63) (envelope-from <>) id 1c6bP6-0000Hk-C5; Tue, 15 Nov 2016 10:55:53 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 15 Nov 2016 10:55:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-newcastle-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=tepe2TV4qww/pZ7hYz2vLCfLEwyokYWa/uJkV9CWM8I=; b=uhmfZhszNWDS2sdfQVh4tsT9QpGvktdCdz9K8unPuWEuU49VRwXyFcXhBzFlJZ4MU77UNRHTRF3W7iGNJzWEI94JDY0FMLgAD4rqNDwUnaWKZTLelRHPy2bLuGEkfluP1cYnMFhEAZcCSpwHV94/VTq35bz7OLwm2ed8/cGx4lc=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.734.2; Tue, 15 Nov 2016 10:55:49 +0000
Received: from ([]) by ([]) with mapi id 15.01.0734.004; Tue, 15 Nov 2016 10:55:49 +0000
From: Feng Hao <>
To: Mike Hamburg <>
Thread-Topic: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
Thread-Index: AdI+bZzQZch4zeUeTNyFcWq6Y0INHQAHCdeAABAiwAAABCp6gAASKUpw
Date: Tue, 15 Nov 2016 10:55:48 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; DB5PR0701MB1926; 7:YE9wA+Rzw9J2apJMex4CFtJwu/HyrmgI8H80K4+oJgab7rQUnsSnZxBGIMWYif0fl8J2ldkjYmN4HibDtQOWe6ucGtqrsV1ViRHB4kKNsfmqO6LpY3WsubL8E0C9FR9lRCNvsNN8jhWAsB3RH6HLrjhQ28e8+M0jkxWyQ8eSuqWR3tP/2qV4B1NFdKfvT4KmzkdInyskpQA4Mqu/JOSNU1ve0FG4KCIMq0Ava5JufPYjSrVbvQoHzPGywCY4vFkjfGpbLOEaewvAhygy3mVv0XGVP5xYV0inESTR8uaxMEyHhneKr7R3MudXIydbBrT4tgQ1+jHvDXKStkvxJGVrklx3f2g8xcFurfyW7KTjmVs=
x-ms-office365-filtering-correlation-id: c957e3ed-2fcf-4517-c489-08d40d45f5a7
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DB5PR0701MB1926;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(120809045254105)(192374486261705)(266576461109395);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6060326)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6061324); SRVR:DB5PR0701MB1926; BCL:0; PCL:0; RULEID:; SRVR:DB5PR0701MB1926;
x-forefront-prvs: 012792EC17
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(24454002)(13464003)(189002)(51914003)(377454003)(377424004)(86362001)(68736007)(189998001)(122556002)(33656002)(3280700002)(4001150100001)(92566002)(3660700001)(74482002)(76576001)(106356001)(105586002)(2950100002)(2900100001)(66066001)(229853002)(551544002)(97736004)(101416001)(93886004)(77096005)(8676002)(2906002)(4326007)(76176999)(81156014)(54356999)(6916009)(74316002)(81166006)(3846002)(87936001)(6116002)(305945005)(7736002)(50986999)(102836003)(9686002)(42882006)(8936002)(5660300001)(7696004)(7846002)(110136003); DIR:OUT; SFP:1101; SCL:1; SRVR:DB5PR0701MB1926;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2016 10:55:48.9268 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9c5012c9-b616-44c2-a917-66814fbe3e87
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5PR0701MB1926
Archived-At: <>
Cc: "" <>
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Nov 2016 10:55:58 -0000

Hi Mike,

Thanks for the thoughtful comments.

There indeed exist encoding algorithms that can hash an input to a (somehow random) point on the curve in constant time. One of them (based on the icart method) is used by PACE in the implementation of e-passport.

But these algorithms have very specific requirements on the parameters of the curve (e.g., the modulus needs to be in some form etc). I'm not aware of any general algorithm that can flexibly and efficiently do the hashing-to-curve for general elliptic curves which are suitable for cryptography (i.e., where ECDLP is hard). 

With regard to the algorithm you specify below, I'm not sure it's a constant algorithm though. There is a conditional check for the square root (which needs some care in the implementation). Also, if the point falls into the subgroup, you say it doesn't matter because it will be multiplied by a co-factor. Are u sure?

On a side note, if this algorithm works as it says, then one should be able to easily apply it to Dragonfly? There were a lot discussion on this list on how to do efficient hashing-to-curve in constant time for the Dragonfly protocol (RFC 7664). I don't recall there is a consensus. Maybe there is an easy solution to that problem? 


-----Original Message-----
From: Mike Hamburg [] 
Sent: 15 November 2016 00:56
To: Feng Hao <>
Cc: Watson Bernard Ladd <>;
Subject: Re: [Cfrg] J-PAKE and Schnorr NIZK for informational RFCs

I’d like to note that for both SPEKE and SPAKE2-EE, the encoding to the curve doesn’t need to be uniform.  It just needs to be inverse-sampleable and within some reasonable factor of uniform.  This means that either SWU or Elligator can be used for this purpose.

If you’re doing SPEKE on a Montgomery curve y^2 = x(x^2+Ax+1), such as X25519, then Elligator2 is actually pretty simple to specify:

Let u be a fixed quadratic non-residue.  For example, u=-1 for 3mod4, or u=2 for 5mod 8.  (The other reasonable choice is u=sqrt(-1) for 5mod 8.)

Take as input a sequence of bytes to be encoded, eg h=really_slow_hash(salt,password).  Convert it to a field element using a little-endian convention, because Montgomery curves are Bernstein country.

Let x := -A / (1+u*h^2).

if x*(x^2+A*x+1) isn’t square, then change x := -A-x, which is also equal to x*u*h^2 by construction.

Now x is the x-coordinate of a point on the curve.  In the unlikely event that 1+uh^2=0, then the output is 0, or the point at infinity, or 0/0, or whatever.  These are all equivalent for SPEKE-X25519.  It doesn’t matter whether the point is in the subgroup or not, because you’ll multiply by the cofactor during the scalar mul.

For SPAKE2-EE, the specification is more complicated, but not by much.

Efficiency-wise, this can be implemented in constant time, in approximately the same amount of time as a single square root operation.  So can SWU, if you aren’t on a Montgomery or Edwards curve.

— Mike

> On Nov 14, 2016, at 2:56 PM, Feng Hao <> wrote:
> Hi Watson,
> Can you be specific what alternative you are talking about?
> In [1], J-PAKE is compared with EKE and SPEKE, which are widely considered
> the simplest and the most efficient balanced PAKEs. It is shown that the
> computational efficiency of J-PAKE is about the same as EKE and SPEKE in
> the finite field setting. J-PAKE is better in the EC setting because: 1)
> EKE in EC is unspecified (a straightforward implementation of EKE in EC
> will trivially leak information about the password); 2) SPEKE in EC
> requires an additional primitive of hashing a password to a random point
> on the curve (which is a non-trivial problem on its own). J-PAKE needs 2
> rounds instead of one, which is a downside and is acknowledged in the
> paper. But security is never perfect; it is always a trade-off.
> Two points are worth reminding:
> 1. There is an unfortunate misconception in quite a number of PAKE papers
> in the literature that merely count the number of exponentiations as the
> computational cost without considering the specific group settings
> required by the protocol (e.g., if the protocol accommodates short or long
> exponents). See Section 2.2 in [1] for a full discussion.
> 2. There is also a category of PAKE protocols that assume a trusted setup
> to define the randomness in the group setting: in particular, to define a
> pair of generators whose discrete logarithm must be unknown. SPAKE2 (which
> I understand you¹re working on for an IEFT submission) is only one
> example. Other examples include KOY [2], Jiang-Gong [3] and
> Gennaro-Lindell [4]. Implementing such as trusted set up (i.e., the common
> reference model if you¹re a fan of jargon) is a tricky task. The most
> concrete advice in terms of implementation that you may find is probably
> from Gennaro and Lindell [4]: ³An example of where it is reasonable to
> assume a common reference string is when a large organization wishes to
> implement secure login for its employees. In this case, the organization
> is trusted to choose the common reference string properly, and this string
> can then be hardwired into the software code.² As an example we can have
> Google to define a trusted setup, which will be trusted by its employees.
> However, it will limit the PAKE application to the internal use within
> that organization. EKE, SPEKE and SPEKE do not have this issue.
> Note that I¹m not objecting PAKE protocols that rely on a common reference
> string; they are one category of PAKE designs and are useful in
> specifically identified scenarios. I¹m merely highlighting that there are
> diversified PAKE designs with different assumptions and properties. Having
> the diversity is a good thing in the research field. However, disparaging
> some without noting the weaknesses/merits of others in the context of that
> diversity is not fair.
> Regards,
> Feng
> [1] J-PAE:
> [2] J. Katz, R. Ostrovsky, M. Yung, ³Efficient password-authenticated key
> exchange using human-memorable passwords², Advances in Cryptology, LNCS
> 2045, pp. 475-494, 2001.
> [3] S.Q. Jiang, G. Gong, ³Password based key exchange with mutual
> authentication,² Selected Area in Cryptography, LNCS 3357, pp. 267-279,
> 2004
> [4] R. Gennaro, Y. Lindell, ³A framework for password-based authenticated
> key exchange,² Eurucrypt¹03, LNCS, No. 2656, pp. 524-543, 2003.
> On 14/11/2016 15:14, "Watson Ladd" <> wrote:
>> I'm sad to see J-PAKE continue to have legs given its terrible
>> performance compared to alternatives. What's the point?
>> On Mon, Nov 14, 2016 at 3:53 AM, Feng Hao <>
>> wrote:
>>> Hi,
>>> Recently I submitted J-PAKE and Schnorr NIZK to IETF for "informational
>>> RFC". Both drafts are currently under review in the independent
>>> submission stream.
>>> As per the reviewers' comments, I've revised the drafts to clarify a
>>> few points.
>>> Schnorr draft
>>> * Clarify the parameters for the finite field and elliptic curves. The
>>> DSA/ECDSA parameters are used only as an example; other groups can also
>>> be used.
>>> * Clarify the requirement for the hash function. It needs to be
>>> collision-resistant in a practical realisation with recommended hash
>>> functions given.
>>> J-PAKE draft
>>> * Clarify that key confirmation can be implicit or explicit, and that
>>> explicit key confirmation is recommended in a practical implementation
>>> of J-PAKE.
>>> The latest drafts are below:
>>> Name:           draft-hao-schnorr
>>> Revision:       05
>>> Title:          Schnorr NIZK Proof: Non-interactive Zero Knowledge
>>> Proof for Discrete Logarithm
>>> Document date:  2016-11-14
>>> Group:          Individual Submission
>>> Pages:          11
>>> URL:            
>>> Status:
>>> Htmlized:
>>> Diff: 
>>> Name:           draft-hao-jpake
>>> Revision:       05
>>> Title:          J-PAKE: Password Authenticated Key Exchange by Juggling
>>> Document date:  2016-11-14
>>> Group:          Individual Submission
>>> Pages:          14
>>> URL:            
>>> Status:
>>> Htmlized:
>>> Diff: 
>>> Your comments are most welcome!
>>> Cheers,
>>> Feng
>>> _______________________________________________
>>> Cfrg mailing list
>> -- 
>> "Man is born free, but everywhere he is in chains".
>> --Rousseau.
> _______________________________________________
> Cfrg mailing list