Re: [Cfrg] Suggestion for open competition on PAKE -> Was Re: Dragonfly has advantages

Trevor Perrin <trevp@trevp.net> Sat, 04 January 2014 17:18 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 428F81AE082 for <cfrg@ietfa.amsl.com>; Sat, 4 Jan 2014 09:18:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QUHbYjuTXrRM for <cfrg@ietfa.amsl.com>; Sat, 4 Jan 2014 09:18:52 -0800 (PST)
Received: from mail-wi0-f169.google.com (mail-wi0-f169.google.com [209.85.212.169]) by ietfa.amsl.com (Postfix) with ESMTP id 819C31AE010 for <cfrg@irtf.org>; Sat, 4 Jan 2014 09:18:52 -0800 (PST)
Received: by mail-wi0-f169.google.com with SMTP id j9so1446687wiv.2 for <cfrg@irtf.org>; Sat, 04 Jan 2014 09:18:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=BqZQzWONFHmnPC3iyGK78Qo6n8ZNpr9EHeIgAuM+sT4=; b=WU0MgDsWtpx0WfVrZ/FGxkLbEPjv1/ueqaagwKZNqfJHrCdTD7wy/JNYW5Samllrs3 J0ux0xEEKXLPh2N5UG+ITyAvCeTu7RBas8eWwSaIA5l8VxSKVQA+Fw2mc2oiwsY2TcnF /oovga1l3yhjomeFkxiFmdTq8NOLdqU5dMI8WdNo+a1+NOJh71pjM8/uYIn61hdihF+g Lhpep5eM9hgQLTCddfNRI9Z8d5cfeAKuCZbm3XhKltlaNnFE2lIyntt7UxzexwLqQ/t5 TbS8UitZs0nhiLfs620x17Y3OFx8jFoGTAnmJp5MTq5ku5+5kE5PdJxVC0KBttS5Cz1u H++Q==
X-Gm-Message-State: ALoCoQkxZCB2kiD1XfJ+zPOmeBTvO3+L7gvNjl0GxLkGIfVJIK6kemCVIepVuXVnQQRhOix8ZsWc
MIME-Version: 1.0
X-Received: by 10.180.187.72 with SMTP id fq8mr6140657wic.26.1388855924338; Sat, 04 Jan 2014 09:18:44 -0800 (PST)
Received: by 10.216.214.134 with HTTP; Sat, 4 Jan 2014 09:18:44 -0800 (PST)
X-Originating-IP: [199.83.223.81]
In-Reply-To: <CEEDD67B.22CC7%feng.hao@newcastle.ac.uk>
References: <CEED247E.2B845%paul@marvell.com> <CEEDD67B.22CC7%feng.hao@newcastle.ac.uk>
Date: Sat, 4 Jan 2014 09:18:44 -0800
Message-ID: <CAGZ8ZG293hO5HqB7khrcNUhw2x981jna+V3ivQNP3X8Btcp8OQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Feng Hao <feng.hao@newcastle.ac.uk>
Content-Type: text/plain; charset=ISO-8859-1
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Suggestion for open competition on PAKE -> Was Re: Dragonfly has advantages
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jan 2014 17:18:54 -0000

On Sat, Jan 4, 2014 at 7:23 AM, Feng Hao <feng.hao@newcastle.ac.uk> wrote:
>
> In summary, if the password element derivation in Dragonfly can be done
> securely and efficiently, that would be a good contribution in my view.
> That would even resolve an issue that SPEKE can't. The way that SPEKE
> works is by requiring the use of a safe prime, but then for 1024-bit p,
> the exponent will be 1023 bits - one modular exponentiation will be
> equivalent to about 6 times of the exponentiation with a 160-bit exponent.

Hi Feng,

Minor comments:  I don't agree that Dragonfly could "resolve an issue
that SPEKE can't".

It's true that SPEKE is generally described in terms of safe primes to
avoid the problems Dragonfly is running into.

But any password element derivation that works for Dragonfly would of
course work for SPEKE.


> (Some people compare PAKEs by merely counting the number of modular
> exponentiations, but they should also look at if the protocol readily
> accommodates short exponents. The length of the exponent has a direct
> impact on the cost of exponentiation.)

Another important issue, particularly for EC protocols, is to
distinguish operations with a fixed base (or fixed point) from
operations with a random base / point.

The fixed operations can be optimized to be several times faster
(perhaps ~4x is a rule of thumb I've heard).


Trevor