IETF Logo Mail Archive

Re: [Cfrg] Re-review of the four balanced PAKEs

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 24 October 2019 18:29 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5465B120073 for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 11:29:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Q7L02Z/s; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=UVyY5he5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OosB72I1Gn8Y for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 11:29:44 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9B90120044 for <cfrg@irtf.org>; Thu, 24 Oct 2019 11:29:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=56270; q=dns/txt; s=iport; t=1571941783; x=1573151383; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=JqybldsyjbNNU14k1t0UifHe/dPCfACko9oaRgBxmPQ=; b=Q7L02Z/sPCB8LkvoCNiUfMtf5G3XpLIH1E5b8xN1QnJECbmpFWcnblEq LJcwrfDHt2vBqexNALFJDDtigfNWL/Or2g0RVTeNU1HtYcAgp/juuWRmO jsPa5PQGur6jxLq8zy+ET1+41YaeVruPwXVm0vw46VTup0cbCKMIkovt1 Q=;
IronPort-PHdr: 9a23:B2W7Xhe6hJFaUpF1MdIKCn5TlGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwGQD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFnpnwd4TgxRmBceEDUPhK/u/dCI+AcRYWUVN9HCgOk8TE8H7NBXf
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CGAABn7LFd/5RdJa1lDgsBAQEBAQEBAQEBAQEBAQEBAREBAQEBAQEBAQEBAYF7gRwvUAVsVyAECyoKhB6DRwOKYoJemASCUgNUCQEBAQwBARgBCgoCAQGEQAIXgyYkOBMCAwkBAQQBAQECAQUEbYU3DIVQAQEBAQEBAQEBEAgJChMBASMJCwEECwIBCA4DBAEBGQgBBgMCAgIlCxQJCAEBBA4FCBqDAYF5TQMOIAECDKd8AoE4iGF1gTKCfgEBBYE0AYNRGIIXAwaBNolGgQaBJQEdGIFAP4ERRoE3F1AuPoJiAQKBOSkVFgkZgkEygiyNEgeCX4U7JIdhkDAKgiSHEI43mVKWYpEjAgQCBAUCDgEBBYFpIoFYcBU7gmxQEBRWgTl3CQIBF4NQhRSFBDoBdAGBKIw4AiICB4EEAUteAQE
X-IronPort-AV: E=Sophos;i="5.68,225,1569283200"; d="scan'208,217";a="650959791"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Oct 2019 18:29:42 +0000
Received: from XCH-RCD-004.cisco.com (xch-rcd-004.cisco.com [173.37.102.14]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id x9OITfDM007609 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 24 Oct 2019 18:29:41 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-004.cisco.com (173.37.102.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 13:29:41 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 13:29:40 -0500
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 24 Oct 2019 14:29:40 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hKpskct7PyzOLqByfdJX6Wat9EbDtb3QC4q9/+t8ap1TpepP46oJx9e0npBh6m6Xk8/ZGeazK/lvGIbqjEt0ttK3uIe4VhmrOUpi3I8akSYYl85Tvppl1pR6CpF7UMFaIeOjca8QsekLSxlk+o+1UytyHXELS2Fz3dFPDgNp4SX5M72yjRimdbi4DcuLe+pg89VtJObn7MFdzrdI54xm5Xh8kNojyQ0Oc12V+ZxGcueAC6rGmH80oBhMKf8+NQd3PldOMf87Q8udxci9NuicJUfXQuwDD0AEdxLKq1TKNiwmRhW2K69FERWC3d+ynXIWl8EkJCSHtlLBfUBBeEt5JA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JqybldsyjbNNU14k1t0UifHe/dPCfACko9oaRgBxmPQ=; b=R6Afi2jUeM8l00EShxYY0sEPm4XkTy8Sr9th+l55NZ8r1vYh89EpnXnZxXO1VkbAt9wZ9CXbEiYZgX4lYS7YZKI+ZCmojL2Z+kA+TUVTqKbiJtNeS8fpC5/dWa56SdMk2IpeBalTBER9kLmWmxQ5as8b3eA5ATg2ND8FPZVsltJ8O7qvVk3eZnvJX6Z3ABvR8iCfjuP23KiCzeibFstWdN327zMlwn/j+RqRFdAml7ZuDv/751/eeP4IQUEfQJeyGX88dkhV4uqCIe87V6nfEYgv7Ohcm3LeiMZ3Q4MyzxP6xfYCqiR4Ozsiqt53S8DPmgoEc8nTporkLcO6KymkJQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JqybldsyjbNNU14k1t0UifHe/dPCfACko9oaRgBxmPQ=; b=UVyY5he5VgstZL9j8CMkxO3MeIbW7FVbquhNn/664AitZ14p0G9Ab8BQ7zsD8zRX5mzxCXA/rWUyaPaBjfNcpIZyEup600c+9dYbgZD59e0mpfzFIa3jSCBTiJFTkGoDmtr5NBpfkxkUh7bKp7vQYJ/LkJyQ6hB+U5UNDCoaWW4=
Received: from BN8PR11MB3666.namprd11.prod.outlook.com (20.178.221.19) by BN8PR11MB3762.namprd11.prod.outlook.com (20.178.221.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.23; Thu, 24 Oct 2019 18:29:39 +0000
Received: from BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::38cc:fcf7:a049:1c5b]) by BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::38cc:fcf7:a049:1c5b%7]) with mapi id 15.20.2387.021; Thu, 24 Oct 2019 18:29:39 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Paul Grubbs <pag225@cornell.edu>
CC: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Re-review of the four balanced PAKEs
Thread-Index: AdWKfpeNyowtemLATmKh32ioCi5OfQAB0c2AAAMRAIA=
Date: Thu, 24 Oct 2019 18:29:38 +0000
Message-ID: <BN8PR11MB3666F73D301533336A16CD94C16A0@BN8PR11MB3666.namprd11.prod.outlook.com>
References: <BN8PR11MB36665D2F38B0E91D734A96CFC16A0@BN8PR11MB3666.namprd11.prod.outlook.com> <CAKDPBw-fKQ_-GSCu=GHpEZjfv1WfqsTnK_DYPw-7akNGYm3tnA@mail.gmail.com>
In-Reply-To: <CAKDPBw-fKQ_-GSCu=GHpEZjfv1WfqsTnK_DYPw-7akNGYm3tnA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [173.38.117.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fd3de4b9-1ca2-4c94-9fc9-08d758b0214d
x-ms-traffictypediagnostic: BN8PR11MB3762:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <BN8PR11MB3762C17742F2ABF4B9FCA323C16A0@BN8PR11MB3762.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0200DDA8BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(396003)(376002)(346002)(39860400002)(199004)(189003)(15594002)(296002)(316002)(81166006)(66946007)(476003)(86362001)(81156014)(8676002)(33656002)(561944003)(25786009)(5070765005)(256004)(14444005)(55016002)(9686003)(6246003)(2171002)(6306002)(7736002)(966005)(54896002)(6916009)(4326008)(478600001)(66066001)(229853002)(76176011)(66574012)(7696005)(8936002)(6116002)(52536014)(3846002)(2906002)(14454004)(790700001)(186003)(76116006)(71190400001)(71200400001)(236005)(5660300002)(74316002)(6506007)(66446008)(606006)(53546011)(99286004)(64756008)(30864003)(446003)(11346002)(102836004)(26005)(486006)(66476007)(66556008)(6436002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR11MB3762; H:BN8PR11MB3666.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: tHBnA4V4zUIwUn9MQhycvKkXYMjd8DB+reZU8DiNhfQPIPqGm8DEn9HSSd+XVJBWlS4984DjInF0a3aL6HOIZ3C0wgTjCQ3eIxp4njesXFqQCe+LSvIqlADDq4J6yTqlZBI4Gu07JWej4robDuJ4cBfF2i1ZJzDqu4iclNbl5VhXFrBMJJRPidDXA4s0OCnhb1IdpjeNoqUFujb1e3hsvurQZZRxte8ZPHOyYq7lBrfhNvIQ6OPQTeLDjoKqYlpFQ2GDjBCt3dvrQjdvHGV9rXEdG9W3w1OJAGyVRsiFQRlFPkez4Wl09jeymtYbCw1IGcNZ+uoRuBx3cHpnAuVyrwgsijCPG8aDIJQyGE88aAjtcznzpB2tsvuy3E5GmX/ivwUmNoz4/F1IYesF3e4isJxyr0jmxBU+fzGvu/z0lugpfJRrgMLN/eGFdEcZsJbFs705nk/aiZchCm2QtUdLGoGfCAIuWMX30OLwvkC/tm0=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN8PR11MB3666F73D301533336A16CD94C16A0BN8PR11MB3666namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: fd3de4b9-1ca2-4c94-9fc9-08d758b0214d
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2019 18:29:39.1308 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zY6cIdOfkb04JOMCV5UWtouECyOGFX6FE98YcaCKnYGThQBY/iHH0VbLwEAv5tGez4y0ASYTC1R3FB/4MnNz5w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3762
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.14, xch-rcd-004.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Adf8RcFCPp1e4VUUSRqlxg7yu3g>
X-Mailman-Approved-At: Mon, 28 Oct 2019 08:01:11 -0700
Subject: Re: [Cfrg] Re-review of the four balanced PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 18:29:49 -0000

From: Paul Grubbs <pag225@cornell.edu>
Sent: Thursday, October 24, 2019 12:13 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: cfrg@irtf.org
Subject: Re: [Cfrg] Re-review of the four balanced PAKEs

Hey Scott, thanks for your comments. I have a couple questions:

1. Regarding SPAKE-2, you said this
> the issue still remains that if someone were to be able to solve a single ECDLog problem, they could then perform an on-line dictionary attack against anyone using that parameter set.
I don't quite understand what you mean - can you explain this on-line dictionary attack? In general, aren't all PAKEs vulnerable to online dictionary attacks?

I’m sorry, I should have been more explicit.

What I meant is that there is an on-line dictionary attack, where the adversary could participate in one exchange, and as a result of that one exchange, is able to check every entry in his dictionary.

Here is how it would work: in SPAKE-2, the honest initiator transmits the value X = xG + pwM (x is a random value, pw is a value based on the password); the adversary responder transmits the value Y=yG (for an arbitrary value y that the adversary knows), and then the honest initiator computes x(Y – pwN), and generates an encrypted message based on that value (and the password, and some other things that the adversary knows).

Now, suppose the adversary knows the value n s.t. N = nG.  Then, for a password guess pw’, he can compute x’G = X -pw’M,  and then compute the expected shared secret (y – pw’ n) x’G, if his guess of pw’ is correct (that is, pw’ = pw), then (y – pw’ n)x’G = x(Y – pwN), and so that shared secret (along with pw’) would allow him to decrypt the initial message (and thus signal that his password guess was correct.

Because the interaction with the honest initiator did not depend on the password guess, the adversary can perform this computation for every password in his dictionary as a result of a single exchange.

And, because the RFC makes N global, he can perform this on-line attack against everyone using the same parameter set (and, if he can perform the computations fast enough, he might be able to compute the shared secret before the initiator times out (which means that the initiator would not know that he’s been attacked).



2. This 'quantum annoying' property is the subject of much CFRG discussion, but it seems ill-specified. Can you explain it in a bit more detail, maybe by example (e.g., why does CPace have 'good' quantum annoyance)?

Well, as far as I know, it hasn’t been given a formal definition.  The best informal one I can think of is “as a result of X online exchanges (and unlimited number of off-line exchanges, that is, the recording of negotiations between two honest parties), the ability to compute Y Discrete Logs would allow the adversary to check at most X+Y dictionary entries”

The impetus for this concept is that it is reasonable to expect that initial Real Quantum Computers (that is, Quantum Computers sophisticated enough to solve DLog problems at all) are likely to be both expensive and slow.  Hence, even if a large scale adversary gets some, they’re not going to be able to afford that many, and hence the number of discrete log problems they can solve will be limited.  Hence, if it takes a million discrete logs to do a full dictionary search, that’s likely to be beyond their budget.

This is obviously a rather weaker goal than full Quantum-Safe cryptography, but would appear (at least, IMHO) a reasonable compromise (given that no Quantum-Safe PAKEs have been submitted.

Now, as for CPace, I do not have any proof that it is “Quantum Annoying”; the best I can say is “I don’t see any way that you could use a limited ‘Discrete Log’ finder to search for multiple passwords, or otherwise recover the shared secret’.  You can take that for what it is worth.

On Thu, Oct 24, 2019 at 11:23 AM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:

I re-reviewed the four balanced PAKEs, looking at the more practical issues.



Summary: it comes down to the choice between CPace and SPAKE-2 (J-PAKE can be discounted because of the extra round trip needed, and the expense; SPEKE can be discounted because of the lack of a single proposal (and the single proven one is no better than CPace).



SPAKE-2 is better than CPACE in the sense that it is a single round protocol (and so can be used as a drop-in replacement for DH, assuming some hooks for exchanging identities), and so would be slightly easier to use in a protocol; CPACE requires a key confirmation to be sent after the exchange (possibly along with the first encrypted message).  On the other hand, I wouldn’t expect that a protocol would have a major issue with the extra message that CPACE requires.



SPAKE-2 is better in that it uses only standard (point multiplication) operations, which are more likely to be implemented in crypto libraries in constant time.  CPACE requires a hash-to-curve operation; it is less likely that a crypto library has a constant time implementation of that available.



SPAKE-2 is better in that it uses somewhat less message overhead (two hashes less).  However, even with this additional overhead, CPACE is still quite reasonable (perhaps 128 bytes total, not counting overhead).



SPAKE-2 (as specified in the RFC) is worse than CPACE in that it relies on global M and N parameters.  While the M and N values in the SPAKE-2 RFC are claimed to be generated in a NUMS manner, the issue still remains that if someone were to be able to solve a single ECDLog problem, they could then perform an on-line dictionary attack against anyone using that parameter set.



In terms of other practical issues (computation, message overhead), they are mostly identical.



My opinion is that CPACE is better, the single disadvantage that SPAKE-2 has (vulnerable if someone somewhere solves just one ECDLog problem) is worse than the three disadvantages of CPACE.





A more detailed listing of the comparison:





* Fragile is you give an attacker offline password guessing if there is a minor error in the implementation of ECC.

* Quantum annoying (“PQ-ish”) is the property that an attacker with a quantum computer needs to solve a DLP per password guess.



Balanced PAKE summary

Name              | PQ-ish   | Rounds*       | Fragile

------------------+----------+---------------+---------

CPace             | Good     | 1.5 (1/2)     | Moderate**

J-PAKE            | Bad      | 2   (2/2)***  | Good

SPAKE-2           | Bad      | 1   (1/1)     | Good

SPEKE (EC based)  | Good     | 1   (1/1)**** | Moderate**

SPEKE (ModP based)| Moderate | 1   (1/1)**** | Good



* "number of total trips" ("number of messages received before initiator can encrypt"/"number of messages received before responder can encrypt")

** CPace and SPEKE (EC) is listed as moderately fragile because they depend on a hash-to-curve operation based on the secret password; a timing variation there might leak the secret.  While constant-time hash-to-curve algorithms are known, they are less common than standard EC operations, and hence this needs to be considered.

*** This assumes that we use the three-pass variant, and we do use the recommended key confirmation.

**** Note that SPEKE claims to be secure without an explicit key confirmation pass; we assume the “Patched SPEKE” protocol found in the paper.  See my concerns about this below.



Balanced PAKE summary (continued)

Name              | Comp per side (*) | Total Message Size (**)

------------------+-------------------|------------------

CPace             | H+2x              | 2P+2H

J-PAKE            | 2g+3x+3pg+3pv     | 6P+4Z+2H

SPAKE-2           | d+x               | 2P

SPEKE (EC based)  | H+2x              | 2P

SPEKE (ModP based)| 2M                | 2M





* In all cases, the initiator and the responder perform the same overall amount of computation, hence we don’t break it down per side.  In addition, we omit the costs of hashes, point additions, modular multiplications, as they are expected to be insignificant compared to the point multiplications/modular exponentiations listed.

** Note that none of the protocols are defined in bits-on-the-wire format; there are likely to be some additional overhead (such as identities and nonces) exchanged, but those are not listed.  This additional overhead would appear to be likely to be similar for all the candidates.



Cost:

H: Hash to point

x: Point multiplication

g: Point multiplication of the generator (which is potentially cheaper than a point multiplication of an arbitrary point)

d: Double scalar point multiply and add, that is, aB + cD

pg: Zero knowledge proof generation (approximately the same as a field multiplication)

pv: Zero knowledge proof verification (approximately the same as a double scalar point multiply and add)

M: Modular exponentiation



Message Size:

P: An elliptic curve point

H: A hash

Z: A zero knowledge proof (an elliptic curve point plus an integer the size of the group)

M: An integer of the size of the DH group



Notes:



  *   In general, none of these proposals are defined at the level that I believe that the CFRG needs.  Most of them do not document bits-on-the-wire format, or call out required error checking.  I believe that we need to generate a sufficiently detailed protocol that could be inserted as a blackbox into real protocols; whichever we pick, there’s some work required before we get to that point.
  *   As a reminder, if we go with the SPAKE-2 option, someone would need to verify the generation of the M and N values specified in the RFC.  I was able to do a partial validation (which looked good); however, I was unable to accomplish a complete one.
  *   The more recent SPEKE paper (https://eprint.iacr.org/2014/585.pdf) claims that they don’t need an explicit key confirmation step, however I find their argument unsatisfying.  The claim appears in section 5.3 “Countermeasures and suggested changes to standards”; they give several suggestions in this section, and it is unclear which is being proposed.  They state that, in the case of multiple concurrent negotiations, the two sides should use distinct identifiers for each one (e.g. “Alice-1” for the first session, “Alice-2” for the second); that has obvious practical problems in the case that the two sides don’t agree on which session is the first.  In addition, the relevant text is:

As long the user identifiers are unique between concurrent sessions, the use of the extra session identifier does not seem needed. [emphasis added]

They give no proof as to the above statement.  This lack of rigor, and the lack of a single concrete proposal leads me to discount SPEKE as a desirable proposal



  *   Reasoning behind Quantum Annoying statements:

     *   J-PAKE is not Quantum Annoying, computing three discrete logs would allow an adversary to perform an off-line dictionary search for the password (that is, on a recorded session).  In addition, if the password is known, three discrete logs are sufficient to recover the shared secret on a recorded session.
     *   SPAKE-2, as proposed, is not Quantum Annoying, a single discrete log of the global M (or N) parameters would allow an adversary to perform an on-line dictionary attack.
     *   SPEKE (ModP based) is listed as moderate, as an attacker could attempt to compute a large number of discrete logs in an attempt to form a factor base (which would allow him to efficiently compute any discrete log).  However, the number of discrete logs required would be huge, and so this might not be a practical issue.


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org<mailto:Cfrg@irtf.org>
https://www.irtf.org/mailman/listinfo/cfrg

v2.23.0 | Report a Bug | By Email