Re: [Cfrg] PKEX Update and Summary

[Dan Harkins <dharkins@lounge.org>]

   Hi Paul,

On 9/19/16 2:52 PM, Paul Lambert wrote:
> I¹ve posted a summary of the ³PKEX² protocol and it¹s background:
>
> 	https://mentor.ieee.org/802.11/dcn/16/11-16-1142-02-00ai-cryptographic-rev
> iew-and-pkex.ppt
>
> The presentation provides an overview of the protocol and details of the
> O(sqrt(N)) off-line attack and the MiTM attack.
>
> Any productive comments and would be greatly appreciated. Please do let me
> know me know if you identify significant errors or omissions.

   I do not think you and Andy represent "a 'good' PAKE" properly vis-a-vis
off-line dictionary attacks on slide 9 of your presentation. The 
definition of
a dictionary attack is one where the adversary gains an advantage through
_computation_ and not _interaction_.

   For "a 'good' PAKE" an off-line dictionary attack is not possible. 
It's not,
as you claim, that it takes O(sqrt(q)), it's that it's not possible at all.

   Given resistance to dictionary attack, the best an attacker can do is
repeated active attacks learning one thing with each attack: whether a 
single
guess of the password is correct. The work order of this type of attack is
based on the size of the pool from which the password is drawn (the pool
being known to the adversary).

   So your comment that an attack against "a 'good' PAKE" using curve 
P256 "for
any passphrase...is of order 2^127" is also incorrect. The order of the
curve does not matter in this sort of repeated active guessing attack,
merely the size of the pool from which the password was drawn.

> Note - the PKEX protocol was removed from IEEE 802.11ai last week.

   If you are going to make summaries of "PKEX" then you should be
complete and point out that the attacks described in your presentation
are not possible against the protocol called PKEX as described in
draft-harkins-pkex. Please correct the record.

   regards,

   Dan.