[Cfrg] A revision of OPAQUE paper was posted to eprint 2018 163
Hugo Krawczyk <hugokraw@gmail.com> Mon, 21 October 2019 23:50 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22DCB120A79 for <cfrg@ietfa.amsl.com>; Mon, 21 Oct 2019 16:50:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XFXqSTfEj3Sw for <cfrg@ietfa.amsl.com>; Mon, 21 Oct 2019 16:50:43 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2473412083B for <cfrg@irtf.org>; Mon, 21 Oct 2019 16:50:43 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id m16so7303514iln.13 for <cfrg@irtf.org>; Mon, 21 Oct 2019 16:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=OT1Xxicn8Zfl8ti3ZxZdhCA8KwVGEs/Wmf5MCsLD/BE=; b=FGgZtXEIbygxJTKoydKIuRbUxPgm6HaLCpVf+QMO+VshjgZEPK7cUzXYeKX8fg2b4O i4w1mTgd1FtVoWfwdmqimr1QGcBoUCCcPis6EDZSjavT6QM/8r1cj5BlgZssE0cjntcS PqT7losJ2PP/q3gL6+7AybUTAAbXfxqMLx8P0KJyUyOoPfumVTg8Q0udRGdGSdZ8jOpo VWes0LskDCGTMk2h3y7+Tqfcd8beSJ822psd6zH4mu9WTgTzoTVsMRDiDBpmkwGw2TCI KM7OJFrF7fyImTry+YEG0HUp6JuqvqEiYBPxC7EPVEvy8SLf2tEMsf+xnOMCGUTTlgwm 9atw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=OT1Xxicn8Zfl8ti3ZxZdhCA8KwVGEs/Wmf5MCsLD/BE=; b=SPOQig7ijhA3dG+jBdwkQ66Nu8UALWDFZjEz8+0OJnbijGY0wKXSCsnMfzNLQNg4sg RJckuhc2DL9v/0O2sUo6h7bdFzwdV6/a8YK8jBRKpAY76olnHBvw9EvsxECqbVjSGaql Fb05T9EpbnTlDNKKO9/ylEb6rGYZm1W2m1luLDWMSOXXx848YdxXgEvaypZzWNWtpQAV tlE49+3T7+7tdiYNNjJQfS+URpyfx7HWgTqhTa3TkFlNYROHvYyw37Q9fpsOI34A+hmU 5K9+VErYOqvVbBe38vxxijtDoDfHoxchwz5+Lk8dQkoMd36SUM4Qx89dFlvsCZJ/RmyI J5ZA==
X-Gm-Message-State: APjAAAWb70FWkpeS2gUrh1N8g1cTbeudseALEqauPQWXOQh5gmcZ2Qes 2iKqX+fM3w/etA2KFdXa0gf0vbGqXv0t+8S+qkQBS0IdvEo=
X-Google-Smtp-Source: APXvYqwmqb/1P0Kk+9ilDH3gR2P3D/UILmQ8Hro6aMRrZkYpJqsDe4p7fGV8Tq/YZl/UxqcL4xETcUtC8LdQsUX+1Jk=
X-Received: by 2002:a92:154b:: with SMTP id v72mr30095811ilk.39.1571701841732; Mon, 21 Oct 2019 16:50:41 -0700 (PDT)
MIME-Version: 1.0
From: Hugo Krawczyk <hugokraw@gmail.com>
Date: Mon, 21 Oct 2019 19:50:16 -0400
Message-ID: <CADi0yUOiznT10MRgfiBD0dV2nCQc5OZU9c-1erMsaKrvWf2DZw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>, Stanislaw Jarecki <stanislawjarecki@gmail.com>, Jiayu Xu <jiayux@uci.edu>
Content-Type: multipart/alternative; boundary="000000000000f82c45059574594b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/B7MJgWFn1y0q2Fqgo4VkwRjId7U>
Subject: [Cfrg] A revision of OPAQUE paper was posted to eprint 2018 163
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Oct 2019 23:50:46 -0000
We posted a revision of the OPAQUE paper to eprint.iacr.org/2018/163. This version improves significantly on the formal aspects of the UC functionalities underlying our analysis and provides more detailed rationale for the security requirements and related definitional choices. It also updates the proofs to satisfy the modified UC functionalities. In particular, we address feedback from our reviewers, especially those of Bjorn Tackmann and Julia Hesse, to whom we are indebted for their comments. The refined functionalities and proofs *did not lead to changes in the protocol* but did add an explicit requirement for the AKE component to provide full forward secrecy (FS). So for OPAQUE, FS is not only a very desirable property but a requirement from the underlying AKE. The practical consequence is that instantiations of OPAQUE must have at least 3 messages (*). Such a third message is needed whenever explicit user authentication is provided so this entails no change in most password authentication settings. In particular, there is no change in the proposed integration of OPAQUE with TLS 1.3 and IKEv2 which already provide full FS and a third message. As a consequence, the OPAQUE analysis done by the CFRG teams with respect to TLS 1.3 and IKEv2 remains as valid as before (same for draft-sullivan-tls-opaque-00). (*) A third message is necessary since in order to achieve FS (against active attackers) at least one of the client messages in the AKE protocol must depend on the user's private key and this key is only learned by the client after receiving the encrypted envelope from the server. So at the minimum one needs a first message from the client with user account information, followed by a message from the server with the corresponding user's envelope, and a third message from the client that depends on the user's private key. On the formal side, the main changes are: - The authenticated encryption used to create the "envelope" that contains the user's private key needs to be modeled as an "equivocable encryption". Informally, equivocability means that given a ciphertext c and a message m (from the right distributions), one can find a key k such that c=Enc_k(m). Regular AuthEnc modes satisfy this property under the random oracle or ideal cipher models. It is also possible to dispense with this modeling issue by eliminating the encryption altogether and deriving the user's private key directly from RwdU (the internet draft now describes this option). - We changed the Strong aPAKE (SaPAKE) functionality underlying our definition of security so that an attacker that learns the user's password is allowed to compromise sessions that were open (not completed) at the time the password was compromised, but only if the attacker actively intervened in the session prior to the password compromise. We also eliminated the special relaxation we had for the case that the server sends the last message in the protocol. This case is now handled under the SaPAKE functionality via a postponed password test. - We expanded the OPRF functionality to output a "binder" that binds between the OPRF and AKE sub-sessions that comprise an OPAQUE session. In the DH-OPRF scheme, this binder is defined as the first user message (denoted a or alpha). The OPAQUE description in Fig. 12 includes this binder mechanism via session id ssid'. There is still room for improvement but we wanted to post this revised version particularly for those looking at the theoretical foundation of OPAQUE. (Note: Section 4 has not yet been revised to adapt it to the modified SaPAKE and OPRF functionalities but this section is unrelated to OPAQUE.) We will be happy to answer any questions and receive more enlightening comments. S, H, J.
- [Cfrg] A revision of OPAQUE paper was posted to e… Hugo Krawczyk