[Cfrg] “password-based key exchange”revisited

zhou.sujing@zte.com.cn Fri, 25 May 2012 01:40 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 7DD3711E8098 for <cfrg@ietfa.amsl.com>; Thu, 24 May 2012 18:40:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.64
X-Spam-Status: No, score=-93.64 tagged_above=-999 required=5 tests=[BAYES_50=0.001, CHARSET_FARAWAY_HEADER=3.2, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, MIME_BASE64_TEXT=1.753, RCVD_DOUBLE_IP_LOOSE=0.76, RCVD_IN_DNSWL_LOW=-1, SARE_SUB_ENC_GB2312=1.345, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id pScS9gNvkWvM for <cfrg@ietfa.amsl.com>; Thu, 24 May 2012 18:40:22 -0700 (PDT)
Received: from mx7.zte.com.cn (mx7.zte.com.cn []) by ietfa.amsl.com (Postfix) with ESMTP id DEA3711E8080 for <cfrg@irtf.org>; Thu, 24 May 2012 18:40:21 -0700 (PDT)
Received: from [] by [] with StormMail ESMTP id 33453.1065689647; Fri, 25 May 2012 09:40:19 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([]) by mse02.zte.com.cn with ESMTP id q4P1e7mg093519; Fri, 25 May 2012 09:40:07 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
To: dharkins@lounge.org, cfrg@irtf.org
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OFBE3E04A4.335C8BDB-ON48257A09.00062183-48257A09.00093433@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Fri, 25 May 2012 09:39:52 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2012-05-25 09:40:08, Serialize complete at 2012-05-25 09:40:08
Content-Type: multipart/alternative; boundary="=_alternative 0009343148257A09_="
X-MAIL: mse02.zte.com.cn q4P1e7mg093519
Subject: [Cfrg] =?gb2312?b?obBwYXNzd29yZC1iYXNlZCBrZXkgZXhjaGFuZ2WhsXJl?= =?gb2312?b?dmlzaXRlZA==?=
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2012 01:40:23 -0000

As in the calculation of "K = PE^(peer_rand*local_rand) mod p"
K can be reduced to PE^(peer_scalar*local_scalar+local_mask*peer_mask) 
*(peer_element)^(local_scalar)*(local_element)^(peer_scalar) mod p

K = PE^(peer_rand*local_rand) mod p
   =PE^[( peer_scalar-peer_mask)*(local_scalar-local_mask)] mod p
mod p
*(peer_element)^(local_scalar)*(local_element)^(peer_scalar) mod p

Because  (peer_element)^(local_scalar)*(local_element)^(peer_scalar) can 
be calculated directly from the key exchange message,
the effective part of K is 
PE^(peer_scalar*local_scalar+local_mask*peer_mask), has nothing to do with 
 local_rand and peer_rand,
so the password based key exchange is essentially equal with the following 

2'. generate 2 random numbers between 0 and the order of the group, q:

   0 < local_mask,local_scalar < q

3'. compute an element:
   local_element = 1/(PE^local_mask) mod p

   where p is the prime and q is the order. Send local_scalar and
   local_element to other side

4'. receive peer_scalar and peer_element from other side

5'. compute shared key, K

   K =PE^(peer_scalar*local_scalar)* (peer_element)^(-local_mask) mod p
     =PE^(peer_scalar*local_scalar+local_mask*peer_mask) mod p

It is simpler and less computation invloved, and hopefully easier to 
analysis the security.

From: "Dan Harkins" <dharkins at lounge.org> 
Date: Tue, 20 Dec 2011 13:38:09 -0800 (PST) 

  I proposed a new TLS ciphersuite using a zero knowledge proof at
IETF 82 in Taipei. The draft is here:


At the TLS WG meeting I was requested to ask people on the CFRG list
with expertise in this field to take a look at it. So here I am, asking.
If someone has some spare cycles this holiday season, if you just gotta
get away from the relatives, or you are just feeling in the giving mood,
please take a look and comment. Any analysis on this would be greatly
appreciated. (I tried to do a formal proof but I cannot, and that's
what's prompting this).

  I can describe the key exchange broadly here. There are subtle
differences in the draft-- like one side keeps a salted version of the
password and communicates the salt during a HELLO message-- that don't
affect the exchange. It is symmetric so I can describe it from one side's
perspective. The side being described is "local" and the other side is
"peer", it goes like this:

Given: local ID, peer ID, password, an agreed-upon set of domain
parameters defining a finite field group (it works will elliptic
curve crypto too) and using two function:

  - E = HashToElement(d) which takes some data, d, and hashes into
    the finite field to return an element, E.
  - x = H(y) returns a random stream, x, given some input, y.

The key exchange works like this:

1. PE = HashToElement(local_ID | peer_ID | password)
   gets a "password element"

   There is an ordering defined in the draft to ensure that the IDs
   are put in the same order on each side.

2. generate 2 random numbers between 0 and the order of the group, q:

   0 < local_rand, local_mask < q

3. compute a scalar and an element:
   local_scalar = (local_rand + local_mask) mod q
   local_element = 1/(PE^local_mask) mod p

   where p is the prime and q is the order. Send local_scalar and
   local_element to other side

4. receive peer_scalar and peer_element from other side

5. compute shared key, K

   K = (PE^peer_scalar * peer_element)^local_rand mod p =
       (PE^(peer_rand + peer_mask) * PE^(-peer_mask))^local_rand mod p =
       PE^(peer_rand*local_rand) mod p

6. compute a confirmation

   local_confirm = H(K, local_scalar | local_element |
                     peer_scalar | peer_element)

   send confirmation to peer

7. receive peer's confirmation, calculate verifier

   verifier = H(K, peer_scalar | peer_element | local_scalar |

   if verifier equals peer's confirmation the peer is authenticated.

The peer does the same thing but from its perspective it is "local"
and the side described above is "peer".

  Thank you in advance for any analysis that can be provided on this



-Sujing Zhou