[Cfrg] A problem with the security proof of AugPAKE?
"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 11 July 2016 13:06 UTC
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Mon, 11 Jul 2016 16:06:06 +0300
Message-ID: <CAMr0u6nZKKiikeD3r5zSVbqEac2DeNqs6CKjtkbMXTsSYR3Cnw@mail.gmail.com>
To: seonghan.shin@aist.go.jp, "cfrg@irtf.org" <cfrg@irtf.org>, mike.scott@miracl.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4vsjFauPkv8JPJmTHrF5CBMZhZM>
Subject: [Cfrg] A problem with the security proof of AugPAKE?
Dear SeongHan and colleagues!

It seems to me and my colleagues that there may be a major problem with the security proof of AugPAKE, and I'll be thankful if you comment on this issue.

If we look at the most significant part of the upper bound of the adversary advantage (Theorem 1 in https://eprint.iacr.org/2010/334.pdf), we'll have the following:

$\Adv^{ake}_{P}(\Enemy) \approx \frac{6(q_{sendC}+q_{sendS})}{N} + 2N^2 \cdot q_{hashH} \cdot Succ^{1sdh}_{g,\mathbb{G}}(t + \tau_e).$

The problem we see is that the estimation depends on $N$ (the volume of the dictionary) quadratically, and in the first part $N$ occurs in the divisor only linearly - so when the dictionary grows, the bound becomes weaker. It wouldn't be a problem if the effect were not present for ordinary values of $N$ (and occurred only for extremely large values of $N$) - but it is.

[The rest of the message contains rough estimations that illustrate what I'm saying.]

If we estimate $Succ^{1sdh}_{g,\mathbb{G}}(t)$ as $\frac{t^2}{|\mathbb{G}|}$ (Pollard's rho algorithm) and $t \approx q_{hashH}$, the estimation will be the following:

$\Adv^{ake}_{P}(\Enemy) \approx \frac{6(q_{sendC}+q_{sendS})}{N} + \frac{2N^2 \cdot q^3_{hashH}}{|\mathbb{G}|}.$

Let $|\mathbb{G}| = 2^{256}$, $q_{hashH} = 2^{50}$. Then for

$N \geqslant \sqrt[3]{\frac{6(q_{sendC}+q_{sendS})\,|\mathbb{G}|}{q^3_{hashH}}} \approx 2^{30}$

the estimation will be weaker for greater $N$. And $N = 2^{30}$ is the dictionary of 6 symbols from (0-9, a-z, A-Z) - an absolutely reasonable value that is definitely not extremely large.

Thank you in advance for your comments!

Best regards,
Stanislav V. Smyshlyaev, Ph.D.,
Head of Information Security Department,
CryptoPro LLC
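As an added worked example (not part of the message above and not code from the AugPAKE paper), the following Python plugs the message's parameters into the simplified bound and scans dictionary sizes N = 2^k to locate the point where the quadratic offline term starts to dominate the linear online-guessing term. The message fixes |G| = 2^256 and q_hashH = 2^50 but not q_sendC + q_sendS, so the Send-query total Q_SEND is an assumed value; the crossover exponent reported by crossover_log2 moves with that assumption. Exact rational arithmetic is used so that 2^256 does not overflow or round in floating point.

```python
from fractions import Fraction
import math

# Parameters taken from the message: |G| = 2^256, q_hashH = 2^50.
GROUP_ORDER = 2**256
Q_HASH = 2**50
# Assumed value (not fixed in the message): q_sendC + q_sendS.
Q_SEND = 2**20


def succ_1sdh(t, group_order):
    """Estimate of Succ^{1sdh}_{g,G}(t) used in the message: t^2 / |G| (Pollard rho)."""
    return Fraction(t * t, group_order)


def augpake_bound(n, q_send=Q_SEND, q_hash=Q_HASH, group_order=GROUP_ORDER):
    """Dominant part of the AKE advantage bound as written in the message:
    6*q_send/N + 2*N^2*q_hash*Succ_1sdh(t), with t ~ q_hash.
    Returned as an exact Fraction."""
    online = Fraction(6 * q_send, n)                    # linear in 1/N: online guessing
    offline = 2 * n * n * q_hash * succ_1sdh(q_hash, group_order)  # quadratic in N
    return online + offline


def weakest_point_log2(q_send=Q_SEND, q_hash=Q_HASH, group_order=GROUP_ORDER, max_log2=80):
    """Scan dictionaries N = 2^k and return the k at which the bound is smallest.
    For every larger k the N^2 term dominates and the bound grows with N."""
    return min(range(1, max_log2 + 1),
               key=lambda k: augpake_bound(2**k, q_send, q_hash, group_order))


def crossover_log2(q_send=Q_SEND, q_hash=Q_HASH, group_order=GROUP_ORDER):
    """log2 of the message's threshold cbrt(6*q_send*|G| / q_hash^3),
    i.e. the N at which the two terms of the bound are equal."""
    return (math.log2(6 * q_send) + math.log2(group_order) - 3 * math.log2(q_hash)) / 3


def bound_grows_beyond(k, steps=20, **params):
    """True if the bound strictly increases at every power of two from 2^k to 2^(k+steps)."""
    values = [augpake_bound(2**j, **params) for j in range(k, k + steps + 1)]
    return all(b > a for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    print(f"crossover at about N = 2^{crossover_log2():.2f}; "
          f"weakest scanned point N = 2^{weakest_point_log2()}")
    for k in range(20, 61, 5):
        print(f"N = 2^{k:2d}: log2(bound) = {math.log2(float(augpake_bound(2**k))):8.2f}")
```

Running the script shows the bound falling as the dictionary grows up to the crossover, then rising again; the bound is therefore not a monotone function of dictionary size, which is the effect the message describes. Changing Q_SEND shifts the crossover, so the exponent printed here should not be read as the message's own 2^30 figure.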