[Cfrg] OPAQUE Status (and the need for 3 msgs)
Hugo Krawczyk <hugokraw@gmail.com> Sun, 22 September 2019 06:18 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82B5E120072 for <cfrg@ietfa.amsl.com>; Sat, 21 Sep 2019 23:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QguL9WH2iTNf for <cfrg@ietfa.amsl.com>; Sat, 21 Sep 2019 23:18:31 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F1F312003E for <cfrg@irtf.org>; Sat, 21 Sep 2019 23:18:31 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id b19so25605733iob.4 for <cfrg@irtf.org>; Sat, 21 Sep 2019 23:18:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=JuaETIL1Lk/W/0eCLVDdGqWFr+c9d7muPLYdXM3JvsU=; b=VHmU2Wxwhg2sqeqlOrOGvGgJdA+L+2OEWQsLnwnrhPrgNBO6kYFCSnJoPyb6y6M7Uo +VP3RsfEO4MOdvc/WKNqATH+z4X6CBQIv2jL4RXJu21OanVMXLE9gbhEpBOm+wiSee5U ul4Rrnu4X0DQAkQjyOo5x0xS2Njj+yvhmujcs7n/JvfJhkjFtLNKO07td36og2xH7jd0 zzQmUKJIh2FzT+bfGbEAkZvV4ZQBerlKe3g9DJcXKUnuAOvOSOTJj7I3oJL4xBVMauQr gjL7jj7KqYX4Micz/dgxx81Gu8GqQBesBWxpjkVHOXmNQrrzrPlVR7M69dxUy1qF1Z+W Bs2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JuaETIL1Lk/W/0eCLVDdGqWFr+c9d7muPLYdXM3JvsU=; b=QOx3ieC2fsMZ0QK3CjW1aDUleMU2+E8QWq0CAM94QBrDiu/27z2/dow6LIDWmTm3/w 9V10ZZ71kxKfLY6Wk/iBO6r69jd3zkNy0L09BP/UtSQiSKnm74STQ/irXWvvYesa2yC+ snFJQS9q+IyiBbjsia18+A4z/JBnEuDtLnarivYybP8Z26nMb+z8WeYJ1Iqazj1IrTnQ zr5V+bLnqOKUDFerMUleEsqjkw5bxa/Kj5XnlbYC6Zs1BxiAliG7C+B89q8clBiCDT6R 9KPcYsqEoelICq0qZgS8cjenfZKFOHU8NrJMPX297p9L3EJwRBW4HRdnZz6VI95Ox8kY vD8g==
X-Gm-Message-State: APjAAAVEgNNd4p0yp4dHYYcDC/s+Tg7VNu8b/ajfwjkEKWHPrpgd3pl5 W8fjyddwuHleBeOI1h7+3UDDz8cjqc0U2uKohJ4oImp1W9s=
X-Google-Smtp-Source: APXvYqyYuN7Kge57ZrQm9ROcG99dBZvzXCfwiqIA2D6LQJVAEFs4xXCEB89o08CKyM/X1NF0L+4WgOH2+p/7UODzMIQ=
X-Received: by 2002:a6b:d307:: with SMTP id s7mr12449175iob.39.1569133110151; Sat, 21 Sep 2019 23:18:30 -0700 (PDT)
MIME-Version: 1.0
From: Hugo Krawczyk <hugokraw@gmail.com>
Date: Sun, 22 Sep 2019 02:18:02 -0400
Message-ID: <CADi0yUPdkXsmU81asgXEz0RumVVCe5GqGT7R=w8t3MGKHFXGJw@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000a2cdce05931e456f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/KWUZ3yPmQ5y0nyXQ_M_6iWoosHo>
Subject: [Cfrg] OPAQUE Status (and the need for 3 msgs)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Sep 2019 06:18:33 -0000
We have been (and still are) working on improving and refining the proofs of the OPAQUE paper. Refining proofs in the UC model always involves also refining the functionalities that define security. Luckily, in this process the protocol has not changed. However, one of the conclusions of our analysis is that our AKE functionality (the one we compose with an OPRF) requires full forward secrecy and therefore we need the AKE not only to be KCI-secure but also forward secure (FS). While FS is a very desirable security property of an AKE protocol, it also means that we* cannot have* a 2-message OPAQUE (e.g., the instantiation based on 2-msg HMQV that we suggested) as any such protocol can have at most weak FS and is open to attack. Three messages suffice for OPAQUE, as can be obtained with FS-secure protocols such as HMQV with explicit client authentication or SIGMA (in its 3- and 4-msg variants). The above does not change the analysis people have done regarding integration with TLS and IKE as these integrations already assumed 3 messages (or even 4 in the case of IKE) with explicit user authentication and full FS. So neither the protocols or the number of flows changes for these cases. In addition to this, as I mentioned earlier in this list, we need a stricter notion of secure Authenticated Encryption for which we can either eliminate the encryption all together (deriving p_u directly from rwd) or realize it with regular AuthEnc tools with RO-type assumptions. Hugo
- [Cfrg] OPAQUE Status (and the need for 3 msgs) Hugo Krawczyk