Re: [Cfrg] Balanced PAKEs: new paper on SPAKE2

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 25 October 2019 12:22 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Fri, 25 Oct 2019 12:22:49 +0000
Message-ID: <BN8PR11MB3666DC14C598E92CC29AA15CC1650@BN8PR11MB3666.namprd11.prod.outlook.com>
In-Reply-To: <7A98E9E0-52B9-48E4-A160-3532E42DCD60@inria.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/L6L4R8ahRDId1Zr-oFXye-KDrrQ>
Subject: Re: [Cfrg] Balanced PAKEs: new paper on SPAKE2

> -----Original Message-----
> From: Cfrg <cfrg-bounces@irtf.org> On Behalf Of Karthik Bhargavan
> Sent: Friday, October 25, 2019 6:03 AM
> To: cfrg@irtf.org
> Subject: [Cfrg] Balanced PAKEs: new paper on SPAKE2
> 
> Hello All,
> 
> Michel Abdalla and Manuel Barbosa have just published a new paper on the
> perfect forward security of SPAKE2: https://eprint.iacr.org/2019/1194
> 
> They say:
> "In this version, we tried to address some of the issues that were raised in
> the CFRG mailing list and during our meeting.
> 
> In particular, the proof handles explicitly the case M=N. The cases where M
> and N are chosen as the output of a random oracle also follow from the
> proof. This means for instance that M and N could be set to the hash of two
> fixed points (or one point when M=N) or set as a function of the client and
> server, such as M=H(C,S) (where H is a hash-to-group function.)
> 
> The goal of the paper was not to compare it with the other submissions. It
> was simply to improve the security analysis of SPAKE2 and its possible
> variants"
> 
> With these new results in mind, I would recommend that the SPAKE2 draft
> use a connection-specific M=N=H(C,S,...) generated using hash-to-curve.
> This will make the precomputation attack on SPAKE2 less worrisome.

While it would certainly improve things, it wouldn't actually make SPAKE2 fully "Quantum Annoying".

It would improve things in that solving a single global DLog problem wouldn't allow an easy one-exchange dictionary search.  However, the attacker could still perform a single on-line exchange (obtain the M=N value and the initial encrypted message that depends on that M value, solve the DLog problem for that specific M, and then perform the dictionary search).  It would mean that he would need to perform a DLog for every system he attacks; however, it still remains an easier attack than any known attack against (for example) CPACE.

On the plus side, there would not be an issue if the hash-to-curve routine is not constant time (which is a major concern with CPACE).


> 
> Best regards,
> Karthik
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
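To make the suggestion in the quoted message concrete, here is a toy SPAKE2 run in which both sides derive M = N per connection from the client and server identities with a hash-to-group function. This is an added example written for this thread; it is not code from the SPAKE2 draft, from the Abdalla/Barbosa paper, or from either poster. Its assumptions are all constructed for illustration: the group is the 1024-bit MODP group 2 from RFC 2409 (a safe prime, so its quadratic residues form a subgroup of prime order q) instead of an elliptic curve; `hash_to_group` (hash, reduce mod p, square) is a stand-in for a real hash-to-curve suite; the password is hashed with plain SHA-512 rather than a memory-hard PBKDF; the identities, password, labels and transcript layout are made up here.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group" prime (1024-bit MODP group 2), p = 2q + 1 with q prime.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2   # prime order of the quadratic-residue subgroup
G = 4              # 2^2 is a quadratic residue, hence a generator of the order-q subgroup
NBYTES = 128       # fixed-width encoding of group elements and scalars in the transcript


def is_probable_prime(n):
    """Miller-Rabin with fixed small bases; here only a sanity check on the constants."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

assert is_probable_prime(P) and is_probable_prime(Q), "group constants are wrong"


def hash_to_group(*parts):
    """Toy hash-to-group: a non-identity element of the order-q subgroup.
    Three counter-prefixed SHA-512 outputs (1536 bits) are reduced mod p and squared,
    which lands in the quadratic residues.  Stand-in for a real hash-to-curve suite."""
    msg = b"\x00".join(parts)
    for ctr in range(256):
        wide = b"".join(hashlib.sha512(bytes([ctr, i]) + msg).digest() for i in range(3))
        h = pow(int.from_bytes(wide, "big") % P, 2, P)
        if h not in (0, 1):
            return h
    raise RuntimeError("hash_to_group exhausted its counter")  # practically unreachable


def password_to_scalar(password):
    """w = H(password) mod q.  SPAKE2 calls for a memory-hard PBKDF; SHA-512 is a stand-in."""
    return int.from_bytes(hashlib.sha512(b"SPAKE2 w" + password).digest(), "big") % Q


def _enc(*items):
    """Length-prefixed concatenation for the transcript (layout chosen for this example)."""
    return b"".join(len(i).to_bytes(8, "big") + i for i in items)


class Party:
    """One SPAKE2 participant.  M = N = H(C, S), so each client/server pair has its own constant."""

    def __init__(self, client_id, server_id, password, is_client):
        self.client_id, self.server_id, self.is_client = client_id, server_id, is_client
        self.M = hash_to_group(b"SPAKE2 M=N", client_id, server_id)  # connection-specific
        self.w = password_to_scalar(password)
        self.x = secrets.randbelow(Q - 1) + 1          # ephemeral scalar in [1, q-1]
        # Public share g^x * M^w: the M^w factor is the password-derived mask.
        self.share = pow(G, self.x, P) * pow(self.M, self.w, P) % P

    def finish(self, peer_share):
        """Check the peer's share, unmask it and derive the session key."""
        if not 1 < peer_share < P or pow(peer_share, Q, P) != 1:
            raise ValueError("peer share is not a valid subgroup element")
        mask_inv = pow(pow(self.M, self.w, P), -1, P)   # (N^w)^-1, with N = M
        K = pow(peer_share * mask_inv % P, self.x, P)  # (g^y)^x = g^(xy) when passwords match
        X, Y = (self.share, peer_share) if self.is_client else (peer_share, self.share)
        transcript = _enc(self.client_id, self.server_id,
                          X.to_bytes(NBYTES, "big"), Y.to_bytes(NBYTES, "big"),
                          K.to_bytes(NBYTES, "big"), self.w.to_bytes(NBYTES, "big"))
        return hashlib.sha256(transcript).digest()


def run_spake2(client_id, server_id, client_pw, server_pw):
    """One exchange (explicit key confirmation omitted); returns (client_key, server_key, M)."""
    client = Party(client_id, server_id, client_pw, is_client=True)
    server = Party(client_id, server_id, server_pw, is_client=False)
    return client.finish(server.share), server.finish(client.share), client.M


if __name__ == "__main__":
    kc, ks, m = run_spake2(b"alice", b"service.example", b"hunter2", b"hunter2")
    print("keys agree:", kc == ks)
```

What the run shows: both parties compute the same M from (C, S) without any extra message, the session keys agree exactly when the passwords match, and a different server identity yields a different M, which is the change the quoted message proposes. The exchange itself is otherwise the standard SPAKE2 flow, so the caveat in the reply above still applies: the protocol constant is now per connection rather than global, but it is still a fixed, public group element for that connection.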