[Cfrg] Re-review of the four balanced PAKEs
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Thu, 24 October 2019 15:23 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02A11208FF for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 08:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=NKjIBhx9; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=c9RyMMRv
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJ6-BJyctBX3 for <cfrg@ietfa.amsl.com>; Thu, 24 Oct 2019 08:23:20 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B4EC1208DC for <cfrg@irtf.org>; Thu, 24 Oct 2019 08:23:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35104; q=dns/txt; s=iport; t=1571930600; x=1573140200; h=from:to:subject:date:message-id:mime-version; bh=8r8yg55AOxbuM/mwRsy9A3OKmfOfGekMcLgyDVY74Go=; b=NKjIBhx96+JzR5SnRsPN1ZRiSpdjl7e4bBRiY6dF4NNjOaAZFS7WiR+r vURsv555n21vqzMwVmUT7n3pvOhwF0n2+pqdidivTM4IsqhYFrmd0rLXg dw1rNGXgm+Z2fbKdsruCwsvj10ZbAZmqrTQABd7hmf2Wvnz/LLn1sZ2g0 0=;
IronPort-PHdr: 9a23:XihFtBPiU7FsjSlub/Yl6mtXPHoupqn0MwgJ65Eul7NJdOG58o//OFDEu6w/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETBoZkYMTlg0kDtSCDBjgIvr3bzY3BuxJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AoAQAowbFd/4ENJK1lGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBAYF7gRwvUAVsVyAECyoKhB6DRwOKYU6aFIJSA1QJAQEBDAEBHw4CAQGEQAIXgyYkOBMCAwkBAQQBAQECAQUEbYU3AQuFVRQRChMBASMVEQE4CAoCBDAmAQQbGoMBgXlNAy4BAgynaQKBOIhhdYEygn4BAQWBNAGDURiCFwMGgTaJRoEGgSUBHRiBQD+BEUaCHi6DIAOBYisigkEygiyNEgeCX4U7JIdhkDAKgiSHEI43mVKOOYgpkSMCBAIEBQIOAQEFgWkigVhwFYMnUBAUVoE5dwkCGINQhRSFPgF0AYEojDoiCYEEAUteAQE
X-IronPort-AV: E=Sophos;i="5.68,225,1569283200"; d="scan'208,217";a="430218501"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Oct 2019 15:23:17 +0000
Received: from XCH-RCD-013.cisco.com (xch-rcd-013.cisco.com [173.37.102.23]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x9OFNHZN024390 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <cfrg@irtf.org>; Thu, 24 Oct 2019 15:23:17 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-013.cisco.com (173.37.102.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 10:23:17 -0500
Received: from xhs-aln-001.cisco.com (173.37.135.118) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 10:23:10 -0500
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 24 Oct 2019 10:23:10 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h1Z/BCaPilZ7Vep6wkdgHhe53NOzzKmyhkKRA/C8J9TlYp/F48HKRSmCjYs15c3aDCO+LbQdL1dbrZIkFdkZYt15syeYTClveYF0i6HhdSUbKutpqldC1mm6iea2vu508PzZnPi/Ea/R5vQFSfL+GGTMUUMsNElYxUNswEUCLb5FTnLdiTlLoxfYGtVK18IzYRtViy0t/wNPCBigq++EsINiuaJMkMJkIBWRHh+Y4pEjo4I3M56FaBfYnFc3VmFvDZDQl0g9WZNwow93eo+qodBapP45RpmqJD6e2Cm3IdOmkgkKQgwWESJNwybAWsNSjJkqwyJPw6dFKAm6u51sWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8r8yg55AOxbuM/mwRsy9A3OKmfOfGekMcLgyDVY74Go=; b=Q/2zTps926sYGS5XaSMUP5IYmT7OM8OYwzApu7joV3IuDKkNKKBukxXUPHwtXXV82tknYg5xZqxTbKjhGeFFavPSL8krf3truvIzbyHEwidDecgygYDFoFBOOFmMQDDKlpaYLeDYAP0UKHXGUG/3vY62JEiWLWlK5+3QEuwGGf+95jmobqi68EvEI9WvMqu7HWh/iC+uMGQ95AroQh1SVPSH9wLC+UpaAvseFSne0lXliToBvByB2C8tkEE47zgUMWxjLuq7xKFlzYSdtJKmqfrU+AIR0mDJiOLEr6/arQDl4nrWAEHzLDiOQghG7sCWPgVDJ5PQppDiROawclbcwg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8r8yg55AOxbuM/mwRsy9A3OKmfOfGekMcLgyDVY74Go=; b=c9RyMMRvVhhOgETRCZ7HD1yDOxXJjhy6JjMGc3koxW/fdU1gJ5KOPyjpjYZsseydyUhuAUTJJzHtQKwSkM4CpuiO4PNbBpmgKKGaS6pfNqVvC22hjjsDuRGZLUuofDo5ndKJcc2EMMyx7T5fBd+jTF931I2R5bsFzWS/re+oDFI=
Received: from BN8PR11MB3666.namprd11.prod.outlook.com (20.178.221.19) by BN8PR11MB3778.namprd11.prod.outlook.com (20.178.219.204) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2367.24; Thu, 24 Oct 2019 15:23:09 +0000
Received: from BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::38cc:fcf7:a049:1c5b]) by BN8PR11MB3666.namprd11.prod.outlook.com ([fe80::38cc:fcf7:a049:1c5b%7]) with mapi id 15.20.2387.021; Thu, 24 Oct 2019 15:23:09 +0000
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Thread-Topic: Re-review of the four balanced PAKEs
Thread-Index: AdWKfpeNyowtemLATmKh32ioCi5OfQ==
Date: Thu, 24 Oct 2019 15:23:09 +0000
Message-ID: <BN8PR11MB36665D2F38B0E91D734A96CFC16A0@BN8PR11MB3666.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=sfluhrer@cisco.com;
x-originating-ip: [173.38.117.90]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 31787a6d-1289-4a9b-646e-08d7589613d0
x-ms-traffictypediagnostic: BN8PR11MB3778:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <BN8PR11MB3778016DB0C5FCCFC4E01E70C16A0@BN8PR11MB3778.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0200DDA8BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(396003)(366004)(136003)(39860400002)(346002)(15594002)(199004)(189003)(55016002)(81156014)(99286004)(2501003)(81166006)(8676002)(74316002)(54896002)(6306002)(8936002)(52536014)(7736002)(1730700003)(236005)(486006)(66946007)(2351001)(476003)(66446008)(76116006)(86362001)(14444005)(71190400001)(71200400001)(256004)(66556008)(102836004)(2906002)(316002)(6916009)(478600001)(6436002)(186003)(64756008)(14454004)(5640700003)(9686003)(6116002)(3846002)(66574012)(790700001)(7696005)(33656002)(66066001)(561944003)(25786009)(606006)(26005)(6506007)(66476007)(5660300002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN8PR11MB3778; H:BN8PR11MB3666.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XmA6MYAEmZFZLQQ3dXun1iC1m2HD+uktIh3+DlQyl6BNQFY9QsLY5XcohYsdtECMvlplQAr/qbJh5C9jpEdKqTGaOoN4RZUOzMaBgvmdPiqaosHK/k28QMRFY0DH+A7Zv888IZe0ekDTjj5sWLf2wF7Dc+YA94mww69FB8BLQXJHgoQYBocofpsrMiajH2UyYnPoIf3Gw3yOBsPv1c8lOq+1O5URcReajIaBU3hKsef6CrEeCXTh26QT+UAlSYyCqCTehTECY+tyk3iX8wF0uROfAyODQMZYSzziiwapwNCcgyhR8R+LHk6gmxNDawv9UK4ZrFF4lWNOJ4jrnLJnHuRX3c8VwpSkBk/SIpaN5AFlmVOns9hq3B5it10iGlMQ1YMZShMP/eDRiClGQbNwTVJE8XnawXdg+3DS3Nm0hkx67hxQNFaTDg+wrnxjDqUaN+hwbATvq6LPYowPopGgHPePw6sctrXdZbFeVPi5esg=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BN8PR11MB36665D2F38B0E91D734A96CFC16A0BN8PR11MB3666namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 31787a6d-1289-4a9b-646e-08d7589613d0
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2019 15:23:09.5988 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tDWxf0CYka2LzukBj3UMuDb9J5PNF9Br4GQI6nifRdeKX89xPVwWqXNq04lemlTlfacpC8EBG+1d/58CXHNayg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3778
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.23, xch-rcd-013.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/MZ-L7qSTDZEtC9hjhPNyGOhXUlQ>
Subject: [Cfrg] Re-review of the four balanced PAKEs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 15:23:24 -0000
I re-reviewed the four balanced PAKEs, looking at the more practical issues.
Summary: it comes down to the choice between CPace and SPAKE-2 (J-PAKE can be discounted because of the extra round trip needed, and the expense; SPEKE can be discounted because of the lack of a single proposal (and the single proven one is no better than CPace).
SPAKE-2 is better than CPACE in the sense that it is a single round protocol (and so can be used as a drop-in replacement for DH, assuming some hooks for exchanging identities), and so would be slightly easier to use in a protocol; CPACE requires a key confirmation to be sent after the exchange (possibly along with the first encrypted message). On the other hand, I wouldn’t expect that a protocol would have a major issue with the extra message that CPACE requires.
SPAKE-2 is better in that it uses only standard (point multiplication) operations, which are more likely to be implemented in crypto libraries in constant time. CPACE requires a hash-to-curve operation; it is less likely that a crypto library has a constant time implementation of that available.
SPAKE-2 is better in that it uses somewhat less message overhead (two hashes less). However, even with this additional overhead, CPACE is still quite reasonable (perhaps 128 bytes total, not counting overhead).
SPAKE-2 (as specified in the RFC) is worse than CPACE in that it relies on global M and N parameters. While the M and N values in the SPAKE-2 RFC are claimed to be generated in a NUMS manner, the issue still remains that if someone were to be able to solve a single ECDLog problem, they could then perform an on-line dictionary attack against anyone using that parameter set.
In terms of other practical issues (computation, message overhead), they are mostly identical.
My opinion is that CPACE is better, the single disadvantage that SPAKE-2 has (vulnerable if someone somewhere solves just one ECDLog problem) is worse than the three disadvantages of CPACE.
A more detailed listing of the comparison:
* Fragile is you give an attacker offline password guessing if there is a minor error in the implementation of ECC.
* Quantum annoying (“PQ-ish”) is the property that an attacker with a quantum computer needs to solve a DLP per password guess.
Balanced PAKE summary
Name | PQ-ish | Rounds* | Fragile
------------------+----------+---------------+---------
CPace | Good | 1.5 (1/2) | Moderate**
J-PAKE | Bad | 2 (2/2)*** | Good
SPAKE-2 | Bad | 1 (1/1) | Good
SPEKE (EC based) | Good | 1 (1/1)**** | Moderate**
SPEKE (ModP based)| Moderate | 1 (1/1)**** | Good
* "number of total trips" ("number of messages received before initiator can encrypt"/"number of messages received before responder can encrypt")
** CPace and SPEKE (EC) is listed as moderately fragile because they depend on a hash-to-curve operation based on the secret password; a timing variation there might leak the secret. While constant-time hash-to-curve algorithms are known, they are less common than standard EC operations, and hence this needs to be considered.
*** This assumes that we use the three-pass variant, and we do use the recommended key confirmation.
**** Note that SPEKE claims to be secure without an explicit key confirmation pass; we assume the “Patched SPEKE” protocol found in the paper. See my concerns about this below.
Balanced PAKE summary (continued)
Name | Comp per side (*) | Total Message Size (**)
------------------+-------------------|------------------
CPace | H+2x | 2P+2H
J-PAKE | 2g+3x+3pg+3pv | 6P+4Z+2H
SPAKE-2 | d+x | 2P
SPEKE (EC based) | H+2x | 2P
SPEKE (ModP based)| 2M | 2M
* In all cases, the initiator and the responder perform the same overall amount of computation, hence we don’t break it down per side. In addition, we omit the costs of hashes, point additions, modular multiplications, as they are expected to be insignificant compared to the point multiplications/modular exponentiations listed.
** Note that none of the protocols are defined in bits-on-the-wire format; there are likely to be some additional overhead (such as identities and nonces) exchanged, but those are not listed. This additional overhead would appear to be likely to be similar for all the candidates.
Cost:
H: Hash to point
x: Point multiplication
g: Point multiplication of the generator (which is potentially cheaper than a point multiplication of an arbitrary point)
d: Double scalar point multiply and add, that is, aB + cD
pg: Zero knowledge proof generation (approximately the same as a field multiplication)
pv: Zero knowledge proof verification (approximately the same as a double scalar point multiply and add)
M: Modular exponentiation
Message Size:
P: An elliptic curve point
H: A hash
Z: A zero knowledge proof (an elliptic curve point plus an integer the size of the group)
M: An integer of the size of the DH group
Notes:
* In general, none of these proposals are defined at the level that I believe that the CFRG needs. Most of them do not document bits-on-the-wire format, or call out required error checking. I believe that we need to generate a sufficiently detailed protocol that could be inserted as a blackbox into real protocols; whichever we pick, there’s some work required before we get to that point.
* As a reminder, if we go with the SPAKE-2 option, someone would need to verify the generation of the M and N values specified in the RFC. I was able to do a partial validation (which looked good); however, I was unable to accomplish a complete one.
* The more recent SPEKE paper (https://eprint.iacr.org/2014/585.pdf) claims that they don’t need an explicit key confirmation step, however I find their argument unsatisfying. The claim appears in section 5.3 “Countermeasures and suggested changes to standards”; they give several suggestions in this section, and it is unclear which is being proposed. They state that, in the case of multiple concurrent negotiations, the two sides should use distinct identifiers for each one (e.g. “Alice-1” for the first session, “Alice-2” for the second); that has obvious practical problems in the case that the two sides don’t agree on which session is the first. In addition, the relevant text is:
As long the user identifiers are unique between concurrent sessions, the use of the extra session identifier does not seem needed. [emphasis added]
They give no proof as to the above statement. This lack of rigor, and the lack of a single concrete proposal leads me to discount SPEKE as a desirable proposal
* Reasoning behind Quantum Annoying statements:
* J-PAKE is not Quantum Annoying, computing three discrete logs would allow an adversary to perform an off-line dictionary search for the password (that is, on a recorded session). In addition, if the password is known, three discrete logs are sufficient to recover the shared secret on a recorded session.
* SPAKE-2, as proposed, is not Quantum Annoying, a single discrete log of the global M (or N) parameters would allow an adversary to perform an on-line dictionary attack.
* SPEKE (ModP based) is listed as moderate, as an attacker could attempt to compute a large number of discrete logs in an attempt to form a factor base (which would allow him to efficiently compute any discrete log). However, the number of discrete logs required would be huge, and so this might not be a practical issue.
- [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Paul Grubbs
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Arciszewski
- Re: [Cfrg] Re-review of the four balanced PAKEs Hao, Feng
- Re: [Cfrg] Re-review of the four balanced PAKEs Björn Haase
- Re: [Cfrg] Re-review of the four balanced PAKEs Scott Fluhrer (sfluhrer)