IETF Logo Mail Archive

Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 06 September 2019 16:41 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F5B120B33 for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 09:41:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=GmL4f6tu; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=owpDO2rB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgLEaGWEWkxk for <cfrg@ietfa.amsl.com>; Fri, 6 Sep 2019 09:41:49 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B95EF1208B5 for <cfrg@ietf.org>; Fri, 6 Sep 2019 09:41:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=27550; q=dns/txt; s=iport; t=1567788108; x=1568997708; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=u6R+CiBeFS/hYrypFeumbc/ZoVb0wGa7DiiJ5trgGiI=; b=GmL4f6tuKXbK20IF02iORyXxqfB9UC0vSA/nR9BciKnCXFZlq19XZODy 3tF+bwsFihpeIjecPSvYmHaN4bR+4AYfdFpis7uoZ09L0QGsW3rliJ0+K 0ND4CSgY+KIVJnOp5yr93zTlRrDbTw6IQbJ9hrtF9MaYjqI4OLjZCsOq8 s=;
IronPort-PHdr: 9a23:STA7yxDQRwTVzfEZPXcQUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qs03kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuN/DuciwgEd5qX15+9Hb9Ok9QS47z
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DfAQCyi3Jd/4oNJK1lFgUBAQEBAwEBAQcDAQEBgWeBFi8pJwNtViAECyqEIYNHA4pzglx+iGSOC4JSA1QJAQEBDAEBIwoCAQGEPwIXgiAjOBMCAwkBAQQBAQECAQYEbYUuDIVKAQEBAQECEhEKEwEBBxwHBgEDAwEPAgEIFRsBAgwDAgICHxEUEQEBBA4FCBMHgwGBHU0DHQEOngsCgTiIYXOBMoJ9AQEFgTIBAwIqC4MjDQuCFgmBNIkvgiseGIFAP4EQAUaCFwcuPoIaRwEBAQKBSBgkBwkZDwKCKzKCJo87hSGJFI4MQQqCIIZ9hEpDhGiEGph7lX2CBo5eAgQCBAUCDgEBBYFpIYFYcBWDJwmCOQwXgQQBDII+gT6DVoU/cwGBKD+MOSIJgicBAQ
X-IronPort-AV: E=Sophos;i="5.64,473,1559520000"; d="scan'208,217";a="321125402"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 06 Sep 2019 16:41:47 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x86GflTh016984 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 6 Sep 2019 16:41:47 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Sep 2019 11:41:46 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 6 Sep 2019 11:41:46 -0500
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 6 Sep 2019 12:41:46 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PJEf0qifb429qZujWNAXEEdTHL7XJgBAaD/WJqhy56zgr2pJ60t3+qMZME0XJ79+bfZKn/zkx/QgwKeLgI4CwJ8z0iBWEVYg0MGs6C8rlEpFkEw0K8CYaITdb6TafEXW8/g0krwkJp2I9+u584OrCj5QfGSXChcHk6eu15YAg0ibqZ2JXVu4QYOPserEASgSNC3bHlv7tYjjIlNVCd7IiI3PNU84/bZNrKrVQVxtwmpei+W3KPmNFXXembb5ldeb7irFkDVeWCZ7N3A6XT9YeDfbXgvTHMbmpMqMd27VNBL+4CbFvpC4JDyMSNWj8gG2gd65dkZcpIL3QP2ByJMepg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u6R+CiBeFS/hYrypFeumbc/ZoVb0wGa7DiiJ5trgGiI=; b=CPJQN6c56KV9wc6yFDwmqUEUtq3ZXmvVlxAVwTkxPmRerCzPXrEsE/2L0DhTGGxTfOC8Qsk1My8onrHySRt6iSVLFJeSOpqWhAubLhj8jEmFON8iF1jiE40cJHNXeystn8dexwQS9Mjd5daquYqSk0MyU2ggP9zUP+Uu5FBANuoy3UZCVuNQH5HXUW0mj524d++7W/T+GLQ8gnaWPd5VswrqlxCwqhbWeUkp3B+17hVtgNyncnSOPnWBXKorFZm3Izeps6UTg/JLNQGqzSFtY8ucvw3a3HBszMSWYl+cgp0HyboHM9bTqWti4PxbdneiQ95Dpr3FlR3ncuQjuzRUpg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u6R+CiBeFS/hYrypFeumbc/ZoVb0wGa7DiiJ5trgGiI=; b=owpDO2rBFA9WMuF9gK7cyiJpzY966e2OgtZkU0bBHOlGHObyOyUXN5BOKIuSXqEcKiohR7KJy5mBJSbNC3DK1MFiwGdXGl1ZY0EWS2IwsSz/ih6FUYhJlDrgCr9fx2mtyr0hkWSqA+1CGAGdW/5CitTyoUk7C/Vyky36C6dxB18=
Received: from BL0PR11MB3172.namprd11.prod.outlook.com (10.167.182.222) by BL0PR11MB3427.namprd11.prod.outlook.com (20.177.204.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2241.15; Fri, 6 Sep 2019 16:41:45 +0000
Received: from BL0PR11MB3172.namprd11.prod.outlook.com ([fe80::de4:ce0b:65fc:5b12]) by BL0PR11MB3172.namprd11.prod.outlook.com ([fe80::de4:ce0b:65fc:5b12%4]) with mapi id 15.20.2241.014; Fri, 6 Sep 2019 16:41:45 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Watson Ladd <watsonbladd@gmail.com>
CC: "cfrg@ietf.org" <cfrg@ietf.org>
Thread-Topic: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
Thread-Index: AdVkF1zGWxIvxhLkQ1maNFJa+34IlAAsvhCAAAC+NlA=
Date: Fri, 06 Sep 2019 16:41:44 +0000
Message-ID: <BL0PR11MB317269CF9E51B182387B92E8C1BA0@BL0PR11MB3172.namprd11.prod.outlook.com>
References: <BL0PR11MB31728AF40F9C9B7B65472AC1C1BB0@BL0PR11MB3172.namprd11.prod.outlook.com> <CACsn0cmmxgSGumm-tPG52F4zs6jxFNcKTp1ERyAmwxdahxFCvg@mail.gmail.com>
In-Reply-To: <CACsn0cmmxgSGumm-tPG52F4zs6jxFNcKTp1ERyAmwxdahxFCvg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [2001:420:c0c8:1006::781]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: feb51309-6081-455f-1f81-08d732e91aa3
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BL0PR11MB3427;
x-ms-traffictypediagnostic: BL0PR11MB3427:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <BL0PR11MB34276ECBB6DC68409FE99170C1BA0@BL0PR11MB3427.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0152EBA40F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(396003)(376002)(136003)(346002)(31014005)(189003)(199004)(51914003)(6436002)(446003)(11346002)(102836004)(229853002)(6506007)(476003)(6116002)(790700001)(1411001)(74316002)(2906002)(71190400001)(71200400001)(55016002)(86362001)(46003)(6306002)(236005)(9686003)(7736002)(186003)(54896002)(14444005)(76116006)(66556008)(66476007)(66946007)(64756008)(76176011)(6916009)(256004)(66446008)(8676002)(81156014)(81166006)(5660300002)(8936002)(486006)(52536014)(316002)(25786009)(99286004)(6246003)(7696005)(606006)(53936002)(33656002)(4326008)(966005)(478600001)(14454004); DIR:OUT; SFP:1101; SCL:1; SRVR:BL0PR11MB3427; H:BL0PR11MB3172.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: hrpnnagk57eVIJqPuWfl8Fa7yeqLK1GBsk7dMVOBMqXAhNZphmW7IrWwkPYBm8+7RA/ShH8wJTiWI2wOGv3WL06dkZXLGwiM8RwgGWzDhLor3X6nsmHElLrm9nDYpK7PT+NLdtyFa1q5MyaBucldbTnlfepL5lsak3dFbHGMhmhAspZNQ/TmTIKcXjKyUClQnATfAhHHhkkypoKePmOie1nyO9ficz+K6tUH3fTJxkjJSHrncxZfW2mHl+QHKLsL4IsLVmNj3Nw/uZVYeOOqrq9hhl36SHqdr6fbxr26F9QRW2J48vS0HUiGOf6ZcZVxW9iBVuV9Hp09cqS9E0X1lvyCSmvWPeKZw2RyHM2owDdEd29n/t0Kz0RwaKoFaTU589aLYadoOfuPNWBaWt/Ed+gqd3Sr3orj4d+oaQsLfjw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BL0PR11MB317269CF9E51B182387B92E8C1BA0BL0PR11MB3172namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: feb51309-6081-455f-1f81-08d732e91aa3
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Sep 2019 16:41:45.0382 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3gHPPxeDywcgFqcOWQ7anVTC91ozhwxxZzm+SD3m/+MDfUkgUgw+Xb1xsT41BisWLZN+qqx+I9wqB3Pz++wLWA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3427
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.16, xch-rcd-006.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Ff9kG4DR8m24ISd1hBW5QWzSUq0>
Subject: Re: [Cfrg] My review of the four balanced PAKE (SPAKE2, SPEKE, CPACE, J-PAKE)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Sep 2019 16:41:53 -0000

From: Watson Ladd <watsonbladd@gmail.com>
hhhhhhhh
On Fri, Sep 6, 2019, 8:03 AM Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com<mailto:sfluhrer@cisco.com>> wrote:
SPAKE2
Documents reviewed:
Original SPAKE2 paper: www.di.ens.fr/~pointche/Documents/Papers/2005_rsa.pdf<http://www.di.ens.fr/~pointche/Documents/Papers/2005_rsa.pdf>
SPAKE2 draft: https://tools.ietf.org/html/draft-irtf-cfrg-spake2-08
The first issue with SPAKE2 is that it is backdoorable (in the same sense that the DUAL-EC DRBG is backdoorable).  That is, SPAKE2 incorporates internal constants (N and M) that, if they are generated in a secret manner, would allow the creators of N, M special access (in this case, allow a server to check the entire contents of their dictionary as the result of a single exchange).
Now, it appears that the SPAKE2 draft avoids such suspicion; that draft includes values of N and M for all supported curves, and a procedure that was used to generate them.  This procedure would create values without anyone knowing the secret relationship between P and N or M (and thus preventing anyone from knowing the backdoor).  I have able to only partially verify that these N, M values were generated by this procedure.  It would appear necessary that someone fully validate them.
On the other hand, if the CFRG does endorse SPAKE2, it needs to recognize that it is endorsing a standard with a potential backdoor (even if the designers prove that they did not attempt to insert anything).  In addition, this potential backdoor may become a high value target for an early Quantum Computer (as solving one discrete log problem would give them the back door to everyone using SPAKE2 with that specific parameter set; such a back door exists, all the public generation procedure shows is that the initial authors do not know it).  None of the proposed candidates are fully resistant to a Quantum Computer, however none of the others have this ‘solve one discrete log, weaken everyone’ property.

How much harder are many logs then one on a quantum computer? Not very.

I believe that it is about one million times harder to do one million discrete logs than it is to do one (given that Shor’s algorithm doesn’t generate any side information from one run that would help you with the next; I also can’t think of any way to combine N points, and solve fewer than N discrete logs in a way that would allow you to recover the DLogs of the original N points).

Looking at the likely progression of Quantum Computers, it appears probable that, once someone creates a real one (as opposed to the toys that exist now), they could break a ECDLog problem, but it may take weeks to do so (and there are not likely to be a number of them available).  Hence, one a TLA gets one, it might gain the capability to solve dozens of ECDlog problems a year, but no more than that; hence this vulnerability of SPAKE2 might be relevant.  Now, this is entirely speculation, and also it would be reasonable to suspect that the speed/cost of QCs would rise/drop fairly rapidly, and so a few years after that it might be feasible to attack the other schemes as well (at least for their high-value targets).  This scenario did seem plausible enough for me to mention it.

In addition, for most other methods, it may be that a single discrete log might not be sufficient to break a single instance of the other schemes; however that really is currently speculation, as I have not seriously studied the issue, nor do I know anyone else who has
The second big issue: the security proof.  The proof given in the paper (Theorem 12) would appear to be invalid; one error appears to be in Exp3 (which appears in Theorem 8 but is used essentially unchanged in Theorem 12); here, they replace the public oracle H (which converts the transcript and the computed point into the shared secret) with a secret one (that is, one the adversary does not have access to).  However, they have not ruled out active attacks at this point, and hence they do not consider the possibility that an active attacker (addressed in Exp4) may access the H function multiple times after a single exchange (without necessarily solving the CDH problem, as that applies only to passive attackers that can’t influence either input; in this case, the attacker can provide a value that influences one of the inputs to the DH).
The draft lists the protocol in a fair amount of detail (which is good; the CFRG will need to publish a detailed specification of the approved protocol, and this draft is a decent start).  However, there are an issue with the protocol they give.
The issue is that they do not specify the input checking properly.  They specify only that the received S, T values are not the neutral element when multiplied by h (the cofactor).  This is insufficient; it is important that the protocol verifies that S and T are members of the group (that is, are solutions to the elliptic curve equation).  If the point is received as an  (x, y) pair, then they must be verified as solutions to the equation; if they are in compressed form, then the application must fail if given an x value which x^3+ax+b does not have the appropriate square root; if given a single x value (e.g. Curve25519), you must verify that the x value is on the curve and not on the twist.  This received S or T value is added to a point which is on the curve, and I don’t know of any guarantees you can give if you add a point on the curve to a point which is not (and then multiply the sum by something).  The security considerations in the draft does mention this; however, it is missing from the actual specified protocol.
This protocol relies on standard operations (ECC point addition and multiplication), without using any password to point mapping, and thus is easy to make constant time with standard methods.
While the SPAKE2 paper makes no reference to a key confirmation pass, the draft insists on it.  It is not clear if the draft requires the key confirmation to be an extra round before you use the actual shared secret (Ke), or if you can use Ke to encrypt the message which also includes the key confirmation.
Further notes:
One difference between the draft and the original SPAKE2 paper is that the original paper specifically assumed that each user would have their own M value; the draft has a global M value for all users.  It is not clear that security is reduced by using a single M value for everyone; however, that is a difference.
Typographical error: the draft often says P-512 when it means P-521.

Thanks for the review. We will of course specify point validation explicitly in the next version.

Thank you.

There is also an issue with composite order groups we will fix in the next draft. (Perhaps with Ristretto?)

Were you worried about the share from the other side not being a member of the subgroup?  I don’t believe that’s a problem; on the other hand, it would be fairly easy to cover anyways (by applying the cofactor in appropriate places).

I will look at the paper in more detail to understand the comment. Thank you for doing this very thorough review.

Sincerely,
Watson

v2.23.0 | Report a Bug | By Email